Security at HumanLift

Zero-Trust by Default

HumanLift employs defense-in-depth security strategies to protect your organization's most sensitive HR data. Our comprehensive security program combines cutting-edge technology, rigorous processes, and continuous improvement to maintain the highest levels of protection.

Defense-in-Depth Architecture

HumanLift runs on an isolated, containerized micro-service stack deployed in AWS with strict network segmentation. Front-end, API, data-processing, and AI-analysis services each live in separate VPCs linked only through encrypted service meshes with least-privilege IAM roles. Immutable infrastructure and infrastructure-as-code pipelines ensure every environment—from test to prod—is rebuilt from the same hardened baseline, eliminating “snowflake” servers and configuration drift.

Encryption Everywhere

All data in transit is secured with TLS 1.3; data at rest is protected with AES-256-GCM using customer-dedicated KMS keys. For fields classified as “Highly Sensitive” (individual comments, 1-on-1 notes), we add field-level encryption, ensuring that even if an attacker reached the database layer, they’d encounter meaningless ciphertext. Private keys are stored in FIPS 140-2 Level 3 HSMs, rotated automatically, and never exposed to the application layer.

Identity & Access Management

We integrate with your single-sign-on and MFA policies out of the box, honor just-in-time SCIM provisioning, and support granular role definitions that map to your org chart. Admin-level actions require step-up authentication and are logged to an immutable ledger. Zero standing privileges: production consoles are locked behind temporary, audited break-glass workflows, sharply reducing the attack surface.

Secure AI Processing

Before any textual feedback reaches our AI services, a tokenizer replaces names and identifiers with non-reversible placeholders. We use a dedicated, private LLM gateway that keeps prompts and completions within our VPC; no customer data is used to train third-party models. Full request/response payloads are hashed and logged for traceability without exposing sensitive content.
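The pseudonymization and hashed-logging steps described above, as an added example (not HumanLift's code): it assumes the set of names and employee IDs to strip comes from a known directory, that the pseudonym key is normally HSM-backed (a constructed key is used here), and it adds a gateway-side guard that refuses to forward any prompt still carrying a raw identifier.

```python
import hashlib
import hmac
import json
import re

# Constructed key for the example only; the real key would be HSM/KMS-backed and rotated.
PSEUDONYM_KEY = b"example-only-key"

# Constructed directory of identifiers to strip (names and employee IDs the HR system knows).
KNOWN_IDENTIFIERS = ["Alice Nguyen", "Bob Okafor", "EMP-10492"]


def placeholder_for(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, truncated HMAC of the normalized identifier: the same person always maps to the
    same placeholder within a key period (feedback can still be grouped), but the placeholder
    cannot be reversed to the name without the key."""
    normalized = " ".join(identifier.split()).lower().encode()
    digest = hmac.new(key, normalized, hashlib.sha256).hexdigest()
    return f"[ID_{digest[:10]}]"


def _pattern(identifier: str) -> re.Pattern:
    # Whole-token, case-insensitive match so "alice nguyen" is caught but "Alicea" is untouched.
    return re.compile(r"\b" + re.escape(identifier) + r"\b", re.IGNORECASE)


def pseudonymize(text: str, identifiers=KNOWN_IDENTIFIERS, key: bytes = PSEUDONYM_KEY) -> str:
    """Replace every known identifier in free-text feedback before it leaves for the LLM."""
    # Longest first, so a full name is replaced before any shorter identifier overlapping it.
    for ident in sorted(identifiers, key=len, reverse=True):
        text = _pattern(ident).sub(placeholder_for(ident, key), text)
    return text


def contains_identifier(text: str, identifiers=KNOWN_IDENTIFIERS) -> bool:
    """Gateway-side guard: True if a raw identifier survived, meaning the prompt must not be sent."""
    return any(_pattern(ident).search(text) for ident in identifiers)


def audit_record(prompt: str, completion: str) -> dict:
    """Store only SHA-256 digests, so the log proves what was exchanged without holding the text."""
    payload = json.dumps({"prompt": prompt, "completion": completion}, sort_keys=True).encode()
    return {
        "prompt_sha256": hashlib.sha256(prompt.encode()).hexdigest(),
        "completion_sha256": hashlib.sha256(completion.encode()).hexdigest(),
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
    }


if __name__ == "__main__":
    feedback = "Alice Nguyen (EMP-10492) handled the escalation well; Bob Okafor did not follow up."
    safe = pseudonymize(feedback)
    assert not contains_identifier(safe)
    print(safe)
    print(audit_record(safe, "<model completion>"))
```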

Continuous Monitoring & Incident Response

A 24 × 7 SOC watches over real-time SIEM dashboards fed by AWS GuardDuty, CloudTrail, and container telemetry. Anomaly-detection rules tuned for HR data trigger a sub-15-minute response SLA. Runbooks are rehearsed quarterly in red-team exercises, and customers receive a detailed incident report within 24 hours of a confirmed event—no waiting for a press release.

Vulnerability & Pen Testing

We run weekly SAST and DAST scans in CI, maintain an internal bug bounty, and commission an external CREST-certified penetration test every year. Findings are prioritized by CVSS score, patched within a maximum of 14 days (critical in 72 hours), and shared via a summary report on request—so security teams see proof, not promises.

Backups & Disaster Recovery

Point-in-time recovery on encrypted RDS instances, plus immutable cross-region S3 backups, deliver an RTO of <1 hour and an RPO of <15 minutes. Quarterly fail-over drills validate the recovery plan, including DNS cut-overs and full-stack verification, ensuring business continuity under the worst-case scenario.

Secure Development Lifecycle

Every engineer completes OWASP Top 10 and secure-coding training. Code commits must be signed, scanned for secrets, and pass peer review. Automated dependency checks block known-vulnerable libraries, while feature flags allow instantaneous rollback without redeploying code. Security is not a gate at the end—it’s a guardrail at every step.

See Our Defenses in Action

Request a live security walkthrough, review the latest external pen-test summary, or schedule a red-team readout with our CISO. When you’re ready, the Trust Center is standing by with the proof your security leaders need.