1. Our Commitment
We take the security of your data seriously. We implement industry-standard protections and continuously improve our security posture. No system is perfectly secure — we're honest about that — but we work hard to protect your data and are transparent about how we do it.
This page describes the security practices, data protection measures, and compliance commitments that NexxaScreen (operated by Sentient AI Inc.) maintains to safeguard the information entrusted to us by recruiters, candidates, and educational institutions.
2. Infrastructure Security
NexxaScreen's infrastructure is designed with security as a foundational requirement:
- Cloud hosting: Our platform runs on AWS cloud infrastructure (SOC 2 Type II certified provider) and Hetzner EU hosting (ISO 27001 certified data centers).
- Encryption in transit: All data transmitted between your browser and our servers is protected using TLS 1.2 or higher. We enforce HTTPS on all connections.
- Encryption at rest: All stored data is encrypted using AES-256 encryption, including databases, backups, and file storage.
- Network segmentation: Our infrastructure uses network segmentation and firewall rules to isolate services and limit the blast radius of any potential breach.
- DDoS protection: We employ DDoS mitigation services to maintain platform availability during volumetric attacks.
- Vulnerability scanning: Automated vulnerability scanning runs on a continuous basis to identify and remediate security weaknesses in our infrastructure.
3. Application Security
We build security into our application development lifecycle:
- Role-Based Access Control (RBAC): Access to platform features and data follows the principle of least privilege. Users have access only to the resources their role requires.
- Multi-Factor Authentication (MFA): MFA is available for all accounts. We strongly recommend enabling it, especially for administrator and recruiter accounts.
- Session management: Sessions are managed with automatic expiry after periods of inactivity. Session tokens are securely generated and stored.
- CSRF protection: All forms are protected against Cross-Site Request Forgery attacks using per-session tokens.
- Input validation and output encoding: All user inputs are validated server-side, and outputs are encoded to prevent injection attacks.
- SQL injection and XSS prevention: We use parameterized queries and context-aware output encoding throughout the application to prevent SQL injection and Cross-Site Scripting (XSS) attacks.
- Dependency management: We regularly update dependencies and apply security patches. Automated tools monitor our dependency tree for known vulnerabilities.
- Secure password hashing: All passwords are hashed using bcrypt with appropriate cost factors. We never store passwords in plaintext.
4. AI Security
NexxaScreen uses AI to power interview assessments and candidate evaluations. We take specific measures to secure our AI systems:
- Interview data storage: Interview recordings (video, audio) and transcripts are securely stored on our infrastructure for post-interview evaluation and reporting. AI providers do not retain candidate data after processing is complete — data is sent for inference and discarded by the provider.
- AI training data sourcing: AI model training uses only de-identified data from candidate-initiated sessions (mock interviews, demos, guest "try it" sessions, and practice). Data from employer-initiated hiring interviews is never used for model training. All interview data, regardless of type, may be used in de-identified form for bias audits, quality assurance, and compliance reporting.
- Prompt injection protections: We implement guardrails to detect and prevent prompt injection attacks against our AI systems.
- Human oversight: AI outputs are advisory in nature. Human decision-makers retain final authority over all hiring decisions. AI-generated scores and assessments are tools to inform, not replace, human judgment.
- Restricted model access: AI model access is restricted to authorized platform services only, with authentication and authorization controls at every layer.
- No third-party training: No candidate data is shared with AI providers for their own model training purposes. Our agreements with AI providers explicitly prohibit this.
- AI avatar transparency: In interview modes that use AI-generated video avatars, candidates are clearly informed before the interview that they are interacting with an AI, not a real person. Avatar video is generated in real-time and is not stored by the avatar provider.
5. Data Protection
We implement comprehensive data protection measures:
- Automated backups: Daily automated backups are stored in geographically separated locations to ensure data durability and disaster recovery capability.
- Data retention policies: We maintain comprehensive data retention policies. For full details, see our Privacy Policy.
- Right to deletion: Deletion requests are honored within 30 days of a verified request. We process these requests systematically to ensure complete removal across all systems.
- Biometric-adjacent data: Voice characteristics and similar biometric-adjacent data collected during interviews are retained for a maximum of 1 year, after which they are automatically purged.
- Data export: Data export is available in standard formats (CSV, JSON) upon request, enabling data portability.
- Field-level encryption: Sensitive data fields in our database are encrypted at the application level, providing an additional layer of protection beyond disk encryption.
6. Compliance Readiness
We are committed to meeting regulatory requirements across the jurisdictions we operate in. We believe in being honest about where we stand:
- GDPR: Compliant. We process data in accordance with the General Data Protection Regulation. A Data Processing Agreement (DPA) is available for enterprise customers upon request.
- EU AI Act: NexxaScreen is classified as a high-risk AI system under Annex III(4)(a) of the EU AI Act (AI systems intended to be used for recruitment or selection of natural persons). We are implementing provider obligations under Articles 16-25, with full compliance targeted by August 2, 2026.
- CCPA/CPRA: Compliant. We honor all California consumer privacy rights. We do not sell or share personal information as defined under the CCPA/CPRA.
- India DPDP Act: We are implementing compliance with the Digital Personal Data Protection Act per the timeline set by the DPDP Rules, with full obligations met by May 2027.
- SOC 2 Type II: On our roadmap. We are building towards SOC 2 Type II certification and currently implement controls aligned with SOC 2 Trust Service Criteria (security, availability, processing integrity, confidentiality, and privacy).
- ISO 27001: On our roadmap. Our hosting providers (AWS, Hetzner) maintain ISO 27001 certification. We are working toward our own certification as the organization scales.
- Annual Bias Audits: We conduct annual bias audits of our AI models to assess for disparate impact across protected categories. We publish our audit methodology and summary findings.
- Illinois BIPA: We obtain explicit, informed consent before processing voice characteristics during interviews. Biometric data is deleted within 1 year of collection, in compliance with the Illinois Biometric Information Privacy Act.
7. Incident Response
We maintain a documented incident response plan:
- Designated response team: A cross-functional incident response team is responsible for detecting, containing, and remediating security incidents.
- Breach notification (GDPR): Affected data controllers will be notified within 72 hours of a confirmed personal data breach, as required by the GDPR.
- Breach notification (US): For US-based incidents, affected parties will be notified without unreasonable delay, in accordance with applicable state breach notification laws.
- Post-incident review: Every security incident undergoes a thorough post-incident review, including root cause analysis and remediation planning.
- Transparency: Root cause analyses are published when appropriate and when doing so does not compromise security.
- Regular testing: We conduct annual incident response testing and tabletop exercises to ensure our team is prepared to respond effectively.
8. Responsible Disclosure
We value the security research community and welcome responsible disclosure of vulnerabilities:
- Reporting: Security researchers can report vulnerabilities to [email protected].
- Safe harbor: We will not take legal action against good-faith security researchers who follow responsible disclosure practices.
- Disclosure timeline: We ask for 90 days before public disclosure to allow us time to investigate and fix reported issues.
- Acknowledgment: We will acknowledge receipt of your report within 48 hours.
- Status updates: We will provide status updates as we work on fixes for verified vulnerabilities.
- Recognition: Verified reports are recognized in our security hall of fame (with the researcher's consent).
9. Sub-Processors & Third Parties
We use a limited set of sub-processors to deliver our services. Each is bound by data processing agreements.
| Provider | Purpose | Data Processed |
|---|---|---|
| AWS (Bedrock, S3, SES) | AI inference, file storage, email delivery | Interview data, documents, emails |
| LiveKit Cloud | Real-time video/audio interviews | Audio/video streams, transcripts |
| Deepgram | Speech-to-text transcription | Audio streams |
| Stripe | Payment processing | Billing information |
| Hetzner | Application hosting | All application data |
| PostHog | Product analytics | Anonymized usage events |
For the complete list with legal entities, jurisdictions, and DPA links, see our Sub-Processors page.
10. Transparency
While we implement strong security measures, no internet-based service can guarantee absolute security. Human errors, sophisticated attacks, and zero-day vulnerabilities are realities of the digital world. What we can promise:
- We take every reasonable measure to protect your data.
- We are transparent when incidents occur.
- We continuously improve our security practices.
- We invest in security as a core part of our platform, not an afterthought.
We regularly review and update this page as our security practices evolve. Material changes will be noted with an updated effective date.
If you have security concerns or questions, contact us at [email protected]. For privacy-specific inquiries, reach out to [email protected].
Sentient AI Inc. (dba NexxaScreen), 8 The Green STE R, Dover, DE 19901