Information Security Policy

Last updated: April 2, 2026 — Comprehensive data security standards, access controls, and compliance frameworks

Overview

Drafted Labs, Inc. is committed to protecting all data entrusted to us by candidates, contributors, employers, and enterprise clients. This Information Security Policy establishes the standards, controls, and commitments we maintain across all production systems and services.

Version: 1.0 | Effective: April 2, 2026 | Scope: All applications, infrastructure, and personnel

1. Data Classification

We classify all data into four sensitivity tiers, each with defined handling requirements:

  • Tier 1 — Strictly Confidential: Service credentials, API keys, Firebase service accounts, subscriber task outputs
  • Tier 2 — Sensitive Personal Data: Candidate profiles, video recordings, resumes, assessment results, contact information
  • Tier 3 — Internal/Business Confidential: Employer data, job postings, analytics, matching algorithms
  • Tier 4 — Public or Low Sensitivity: Published job listings, platform documentation, public Firebase config

2. Infrastructure & Cloud Security

All production infrastructure is hosted on enterprise-grade, audited cloud providers:

  • Netlify (SOC 2 Type II): Web hosting, CDN, serverless functions, environment variables
  • Google Cloud/Firebase (ISO 27001, SOC 1/2/3): Firestore database, authentication, storage
  • AWS Bedrock (FedRAMP High): AI inference, model invocation

3. Encryption Standards

In Transit: TLS 1.2+ enforced on all endpoints (Netlify CDN edge)

At Rest: AES-256 encryption managed by Google Cloud KMS for all Firestore and Storage data

4. Access Control & Authentication

  • Firebase Authentication with email-verified sessions
  • Role-Based Access Control (RBAC) enforced at Firestore Security Rules layer
  • Principle of least privilege for all service accounts
  • Multi-factor authentication for sensitive operations
  • Automatic session invalidation upon logout or token expiry

5. Secret & Credential Management

All API keys and service credentials are stored exclusively in Netlify's encrypted environment variable store, never in source code. Credentials are rotated upon personnel changes or suspected exposure.

6. Incident Response

Incidents are triaged by severity, with the following response-time targets and example triggers:

  • Critical: Immediate (within 1 hour). Examples: unauthorized database access, credential compromise
  • High: Within 4 hours. Examples: suspected unauthorized access, API key exposure
  • Medium: Within 24 hours. Examples: failed security controls, anomalous patterns

Breach Notification: Affected individuals and clients notified within 72 hours of confirmed data breach.

7. Vendor & Third-Party Security

All vendors undergo security assessment before engagement, including:

  • Background and reputation checks
  • Compliance certification verification (SOC 2, ISO 27001, or equivalent)
  • Reference checks with existing clients
  • Written security requirements in Data Processing Agreements (DPAs)
  • Annual compliance attestations and right-to-audit

8. Employee & Contractor Obligations

  • All personnel sign confidentiality agreements before accessing systems
  • Security training provided upon hire and annually
  • Background checks conducted for roles with sensitive data access
  • Access provisioned on need-to-know basis and revoked upon departure
  • Violations subject to documented disciplinary action

9. FERPA & University Student Data

Student data from partner universities (USC, University of Chicago, Georgetown, University of Miami) receives special protections:

  • Data Processing Agreements with each university
  • FERPA compliance for all educational records
  • Students retain right to access, correct, or delete their data
  • Data never used for purposes outside talent sourcing
  • University oversight of all data handling practices

10. Contact & Escalation

Security Incidents: security@joindrafted.com

Privacy Requests: privacy@joindrafted.com

Legal & Compliance: legal@joindrafted.com

Full policy documentation available upon request.
Contact us for detailed security documentation.