Security

Last updated: February 2026

Security is foundational to TalentMaps. Recruitment agencies trust us with sensitive candidate data, and we take that responsibility seriously.

1. Our Commitment

We design TalentMaps with security as a primary requirement, not an afterthought. From database-level access controls to encrypted backups, every layer of the platform is built to protect the data our customers entrust to us. We continuously review our practices and invest in security improvements.

2. Infrastructure

TalentMaps is hosted on Supabase (PostgreSQL), which holds a SOC 2 Type II attestation. Supabase infrastructure runs on AWS, and EU customers’ data is stored in the eu-west-1 (Ireland) region so that it remains resident in the EU, supporting GDPR data-residency requirements.

No data is stored on-premises. All infrastructure is managed cloud infrastructure, with automatic failover and point-in-time recovery (PITR) available for the database.

Our application layer runs on Vercel’s global edge network, which provides DDoS protection and automatic TLS certificate issuance and renewal.

3. Data Encryption

In transit. All communication between your browser and TalentMaps is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections and send an HTTP Strict Transport Security (HSTS) header, so browsers refuse to connect to TalentMaps over plain HTTP and SSL-stripping downgrade attacks are prevented.

At rest. All data stored in our database is encrypted using AES-256. This applies to all tables, including profile caches, user accounts, and generated report metadata. Encryption at rest protects data on the underlying storage media; access by authenticated clients is governed by the access controls described in section 4.

Backups. Automated database backups are encrypted using the same AES-256 standard and stored in geographically separate storage.

4. Access Control

Row-level security (RLS) is enforced at the PostgreSQL database layer. Policies are evaluated by the database on every query executed on behalf of a user, so each query is scoped to your organisation’s data: one organisation cannot read another’s projects, reports, or account data, even if the application layer were to issue an unscoped query.
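As an added illustration of the mechanism this section describes (this is example SQL, not TalentMaps’ schema or code), the following shows how organisation-scoped row-level security is expressed in PostgreSQL on Supabase. The table and column names (organisations, org_members, projects, org_id) and the membership model are assumptions for the example; auth.uid() and the authenticated role are Supabase’s standard identity hooks.

```sql
-- Added example, not TalentMaps' own schema: organisation-scoped RLS.
-- Table/column names below are assumptions for illustration.

create table organisations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table org_members (
  org_id  uuid not null references organisations(id),
  user_id uuid not null,            -- matches auth.users.id in Supabase
  primary key (org_id, user_id)
);

create table projects (
  id     uuid primary key default gen_random_uuid(),
  org_id uuid not null references organisations(id),
  name   text not null
);

-- Without ENABLE, no policy is consulted and every row is visible.
-- FORCE additionally applies the policy to the table owner, who is
-- otherwise exempt from RLS.
alter table projects enable row level security;
alter table projects force row level security;

-- Supabase exposes the caller's user id as auth.uid(). A request may
-- read (USING) or write (WITH CHECK) only rows whose org_id belongs to
-- an organisation the caller is a member of.
create policy projects_org_isolation on projects
  for all
  to authenticated
  using (
    org_id in (select org_id from org_members where user_id = auth.uid())
  )
  with check (
    org_id in (select org_id from org_members where user_id = auth.uid())
  );

-- Isolation check in a psql session: run as the authenticated role,
-- impersonate a user id (auth.uid() reads request.jwt.claim.sub), and
-- confirm only that user's organisations' projects come back.
set role authenticated;
select set_config('request.jwt.claim.sub',
                  '00000000-0000-0000-0000-000000000001', true);
select id, org_id, name from projects;
reset role;
```

Two caveats a practitioner would check: RLS is only enforced for roles subject to it, so database superusers and, on Supabase, any server-side code using the service_role key bypass these policies and must scope queries explicitly; and a policy written only with USING allows inserts or updates into another organisation’s rows, which is why the WITH CHECK clause above mirrors the USING clause.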

Access to production systems is granted on a least-privilege basis and is limited to a small number of authorised engineers. All access is authenticated via multi-factor authentication.

All internal access to production data is logged and auditable. We retain access logs for a minimum of 90 days.

5. Authentication

User passwords are hashed using bcrypt via Supabase Auth. We never store plaintext passwords.

Sessions are managed using short-lived JSON Web Tokens (JWTs) held in Secure, HttpOnly cookies, so they cannot be read by client-side scripts. Access tokens are refreshed and rotated automatically, and sessions expire after a short period of inactivity.

We strongly recommend enabling two-factor authentication (2FA), which is available in your account settings. For teams, administrators can enforce 2FA across all members of their organisation.

6. LinkedIn Profile Data

Profile data retrieved from public LinkedIn URLs is cached for a maximum of 30 days and then automatically purged from our systems. This data is never shared with third parties, never sold, and never used for purposes beyond operating the platform.

You control which profiles are added to your projects. Profile data cached from a URL you submitted is not accessible to other organisations: the cache itself is shared infrastructure, but access to its rows is scoped to your organisation in the same way as the rest of your data.

7. Vulnerability Disclosure

If you discover a security vulnerability in TalentMaps, we ask that you disclose it responsibly by emailing security@talentmaps.io. Please include a clear description of the vulnerability and steps to reproduce it.

We aim to acknowledge all reports within 48 hours and to resolve critical vulnerabilities within 7 days. We will keep you informed throughout the process.

We do not pursue legal action against good-faith security researchers who follow responsible disclosure principles. We appreciate the security community’s efforts to help keep our platform secure.

8. Compliance

GDPR. TalentMaps acts as a data processor for EU personal data processed on behalf of our customers (the data controllers). We maintain Data Processing Agreements (DPAs) with customers who require them. Contact privacy@talentmaps.io to request a DPA.

CCPA. California residents may submit data requests to privacy@talentmaps.io. We do not sell personal data.

We conduct annual security reviews of our infrastructure and third-party service dependencies to identify and remediate potential risks.

9. Contact

For security enquiries, vulnerability reports, or questions about our security practices, contact security@talentmaps.io.