Security
Interva processes sensitive hiring data — job requirements, candidate CVs, interview recordings, AI‑generated scores. This page describes the technical and organizational measures we take to keep it safe.
1. Infrastructure
Interva runs on dedicated servers at Hetzner Online GmbH in Germany, an ISO 27001‑certified provider with SOC 1 Type II attestation. All application servers are hardened Linux hosts with automatic security patching, firewalled so that only HTTPS (port 443) and SSH (port 22, key‑only) are reachable from the internet.
2. Data in transit
All public traffic is served over HTTPS using TLS 1.2 or higher, with HSTS preload. Certificates are issued by Let's Encrypt and auto‑renew. Internal traffic between application, database, and cache stays on a private network and never traverses the public internet.
3. Data at rest
- PostgreSQL volumes are encrypted at the storage layer.
- Encrypted off‑server backups with 30‑day retention.
- Passwords are stored as bcrypt hashes with per‑user salt (cost factor 12); we never see or store plaintext passwords.
- CV files and interview recordings are stored on Bunny.net, encrypted at rest, and accessed via short‑lived signed URLs.
4. Authentication and session security
- JWT access tokens with short lifetimes; HttpOnly / Secure / SameSite cookies.
- Strict tenant isolation — queries are scoped to the calling workspace, enforced at the ORM layer.
- Throttling on public endpoints (signup, login, forgot‑password, public APIs) to prevent brute‑force attacks.
- Two‑factor authentication is on our near‑term roadmap.
5. Access control
- Role‑based access in the app: Admin, Recruiter, Hiring Manager, Auditor.
- Production access by a small named team on least‑privilege principles.
- SSH is key‑only; every session is logged and periodically audited.
- No third party has direct database access; every integration uses a scoped API key.
6. Application security
- Input validation on every API route (class‑validator + Zod schemas).
- CSRF protection via same‑site session cookies and NextAuth.
- CORS locked to our own domains and wildcard tenant subdomains.
- Regular dependency vulnerability scanning (npm audit).
- Content Security Policy on public pages.
7. AI and voice subprocessors
OpenAI processes text on an enterprise‑grade plan; data is not used to train publicly available models and is retained only for abuse monitoring per OpenAI's enterprise policy.
Vapi handles voice‑call infrastructure, live transcription, and recording. We use a dedicated Vapi assistant and keep the recording URL in our database under our account.
8. Secure development
- All code changes go through peer review.
- Secrets live only in environment variables — never in source control.
- Staging environment for pre‑production testing.
- An audit log captures sensitive admin actions (member invites, role changes, retention changes, data exports).
9. Incident response
We maintain an incident response playbook. In the event of a confirmed data breach we will:
- Investigate scope and root cause within 24 hours.
- Notify affected customers within 72 hours, as required by GDPR Art. 33.
- Cooperate with supervisory authorities (KVKK, EU DPAs) as required.
- Publish a post‑incident summary.
Report a vulnerability: security@interva.io. We acknowledge reports within 48 hours and do not pursue legal action against researchers who follow responsible disclosure.
10. Business continuity
- Encrypted nightly backups with point‑in‑time recovery (PITR) on the primary database.
- Infrastructure monitoring and alerting on error rates, latency, and abnormal traffic patterns.
- Documented disaster‑recovery runbook.
11. Compliance
Interva is designed to comply with:
- GDPR (EU General Data Protection Regulation) and UK GDPR
- KVKK (Turkish Personal Data Protection Law — Kişisel Verilerin Korunması Kanunu)
- CCPA (California Consumer Privacy Act)
SOC 2 Type II audit is on our roadmap. Customers who need a signed Data Processing Addendum can request one at dpa@interva.io.
12. Your security responsibilities
- Use a strong, unique password for your workspace.
- Do not share credentials between users; each person gets their own account.
- Set an appropriate candidate‑data retention for your workspace.
- Review audit logs for anything unusual.
- Notify us immediately of suspicious activity: security@interva.io.
13. Contact
Security · security@interva.io
Responsible disclosure · security@interva.io
DPA requests · dpa@interva.io