Security Policy

Last updated • January 26, 2023

We understand that you place trust in us by using the Hireflow app, and it’s our promise to you that we take this trust seriously. We have invested in our security so that your information resides safely with us.

Responsible Disclosure Program

Hireflow is committed to ensuring the safety and security of our customers. We hope to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all of our customers. We operate a responsible disclosure program to facilitate security vulnerability reporting:

  • If you believe you’ve discovered a potential vulnerability, please let us know by emailing us at security@hireflow.ai. We will acknowledge your email within one week.
  • Provide us with a reasonable amount of time to resolve the issue before disclosing it to the public or a third party. We aim to resolve critical issues within ten business days of disclosure.
  • Make a good faith effort to avoid violating privacy, destroying data, or interrupting or degrading the Hireflow service. Please only interact with domains you own or for which you have explicit permission from the account holder.

While researching, please refrain from:

  • Distributed Denial of Service (DDoS)
  • Spamming
  • Social engineering or phishing of Hireflow employees or contractors
  • Any attacks against Hireflow's physical property or data centers

Our Security Infrastructure

Our infrastructure runs on a combination of Amazon Web Services (AWS), Google Cloud Platform (GCP), and Microsoft Azure. Access to these services is protected by secure access tokens in addition to two-factor authentication.

Security of user data

User data is stored in an encrypted RDS database hosted on AWS. All user data is encrypted in transit to and from our database, backend and clients. We use TLS encryption between all of our internal endpoints as well as for data served to the client.

G-Suite / Gmail Integration

Our application integrates with G-Suite so that we can send email messages on your behalf. Our system limits how much data it requests from G-Suite so that only email bodies generated by our system or any replies are ingested into our system for processing.

Internal Security Policies

All employees follow a strict internal security policy. No production data is available to employees of the company, with the exception of the DevOps team when dealing with production-level bugs or specific customer issues.