Security

We take security seriously.

Vetahire handles sensitive identity documents on behalf of companies and individuals. Here's exactly how we protect that data.

Encryption
256-bit AES at rest, TLS 1.3 in transit — every byte is protected end-to-end.
Infrastructure
Hosted on SOC 2 Type II certified infrastructure with 99.9% uptime SLA.
Access Controls
Strict role-based access controls and time-limited signed URLs for documents.
Incident Response
24-hour incident response commitment with mandatory breach notification.

Data Encryption

All data processed by Vetahire is protected using industry-leading encryption standards at every layer:

  • Data at rest: All stored data — including identity documents, applicant records, and database contents — is encrypted using 256-bit AES (Advanced Encryption Standard)
  • Data in transit: All communications between your browser and our servers, and between our servers and third-party services, are encrypted using TLS 1.3 (Transport Layer Security)
  • Document access: Uploaded identity documents are stored in a private storage bucket. Access is granted only via time-limited, cryptographically signed URLs that expire automatically — they cannot be shared or reused after expiration

Payment Card Data Security (PCI DSS)

Vetahire does not store, process, or transmit raw payment card data. All payment processing is handled directly by Square, Inc., a PCI DSS Level 1 certified payment processor — the highest level of compliance available in the payment industry.

  • Cardholder data never touches Vetahire servers
  • Square handles all card tokenization, authorization, and settlement
  • All payment pages are served over HTTPS from Square's secure infrastructure
  • Vetahire stores only non-sensitive transaction metadata (e.g., job ID reference) for recordkeeping

For more information on Square's security posture, visit: squareup.com/legal/privacy

Infrastructure Security

Hosting & Availability

Our infrastructure is hosted on enterprise-grade cloud providers operating SOC 2 Type II certified data centers with physical security controls, redundant power, and climate control systems.

  • Database: Neon (serverless PostgreSQL) — SOC 2 Type II certified, with automated backups and point-in-time recovery
  • File storage: Uploadcare — encrypted object storage with CDN-backed delivery and signed URL enforcement
  • Application: Deployed on serverless infrastructure with automatic scaling and DDoS mitigation
  • Email delivery: Resend — SOC 2 compliant transactional email delivery

Network Security

  • All services communicate over private, encrypted channels
  • Public-facing endpoints are protected by web application firewall (WAF) rules
  • HTTP Strict Transport Security (HSTS) enforced — HTTPS-only, no plaintext connections accepted
  • All API routes validate and sanitize inputs to prevent injection attacks

Access Controls

We enforce strict internal access controls to minimize exposure of sensitive data:

  • Principle of least privilege: employees and systems are granted only the minimum access required to perform their function
  • Identity documents are accessible only through time-limited signed URLs — no one has persistent direct access to raw files
  • Database access is restricted by IP allowlist and requires strong authentication
  • All administrative actions are logged and auditable
  • Multi-factor authentication (MFA) is required for all internal system access

Application Security

  • All user-supplied input is parameterized and sanitized to prevent SQL injection and cross-site scripting (XSS)
  • Cross-Site Request Forgery (CSRF) protections are enforced on all state-changing operations
  • Security headers including Content-Security-Policy (CSP), X-Frame-Options, and X-Content-Type-Options are set on all responses
  • Dependencies are regularly audited and updated to address known vulnerabilities
  • Unique, cryptographically random UUIDs are used for all verification links — they cannot be guessed or enumerated

Data Minimization & Retention

We collect only the data that is strictly necessary to provide the Service:

  • We do not collect or store payment card numbers, CVV codes, or full card data
  • We do not perform background checks, credit checks, or any form of automated decision-making on identity documents
  • Identity documents are retained for a minimum of 5 years to satisfy legal recordkeeping requirements, then securely deleted
  • You may request deletion of your data by contacting support@vetahire.com, subject to our legal retention obligations

Incident Response

In the event of a security incident affecting personal data:

  • Our incident response team will investigate and contain the incident within 24 hours of detection
  • Affected individuals and relevant authorities will be notified within 72 hours where required by applicable law (including GDPR)
  • A post-incident review will be conducted and corrective measures implemented
  • We maintain a security incident log for all detected and investigated events

To report a security vulnerability or suspected incident, please contact us immediately at support@vetahire.com. We take all reports seriously and will respond promptly.

Compliance

PCI DSS
Payment card data handled exclusively by Square (Level 1 certified)
SOC 2 Type II
Infrastructure providers maintain SOC 2 Type II certification
GDPR
Data handling compliant with EU General Data Protection Regulation
CCPA
California Consumer Privacy Act rights honored for all California residents

Responsible Disclosure

We support responsible security research. If you discover a vulnerability in our platform, please report it to us privately before disclosing it publicly. We commit to:

  • Acknowledging your report within 48 hours
  • Investigating and resolving confirmed vulnerabilities promptly
  • Not pursuing legal action against researchers acting in good faith

Please send vulnerability reports to: support@vetahire.com

Contact

For any security-related questions, concerns, or to report a suspected vulnerability:

Vetahire Security Team

Email: support@vetahire.com

Response time: within 48 hours