Trust & Security

Built for trust.
Designed for compliance.

Confiri protects your hiring process without storing biometric data. Here's exactly how we do it.

Process and discard. Always.

Confiri verifies candidates are who they say they are — then throws away the evidence. We never store facial images, voice recordings, or biometric templates. Our liveness detection processes data in real time and discards it immediately. The only things we keep are the result (pass or flag) and a confidence score.

This isn't just a policy. It's how the system is built. There is no database table, no storage bucket, no backup that contains your candidates' biometric data. It doesn't exist because it was never saved.

Liveness detection is powered by AWS Rekognition. See our Data Processing Agreement for details.

Enterprise-grade infrastructure.

| Component | Provider | Certifications |
| Application hosting | Vercel | SOC 2 Type II, ISO 27001 |
| Database | Supabase (hosted on AWS) | SOC 2 Type II |
| Liveness detection | AWS Rekognition | SOC 2, ISO 27001, GDPR compliant |
| Email delivery | Resend | SOC 2 Type II |

Data residency

All processing currently runs in AWS EU-West-1 (Ireland). Need a different region? Talk to us.

Encryption

All data is encrypted in transit (TLS 1.3) and at rest (AES-256). API keys are stored as SHA-256 hashes — we never store your key in plain text.

What we collect — and what we don't.

What we collect

Candidate name and email (provided by your ATS or recruiter)
Job title and interview schedule
Device fingerprint (browser and OS — no tracking cookies)
IP geolocation (country and region only, not street address)
Liveness confidence score (a number, not an image)
Verification result: green, amber, or red

What we never collect

Facial images or photographs
Voice recordings
Biometric templates or embeddings
Government ID or passport scans
Social media passwords or private data

Retention

Session metadata (name, email, result, timestamps) is retained for your audit trail. You can request deletion at any time under GDPR Article 17. Biometric processing data is never retained — it is discarded in real time during the verification session.

Tenant isolation by design.

Every company's data is isolated at the database level using Row Level Security (RLS). This means:

Your team can only see your company's sessions, candidates, and settings
There is no admin backdoor, no shared database view, no cross-tenant access
API keys are company-scoped — a key from Company A cannot access Company B's data
Candidate gateway links are single-use and session-scoped — they expire after 24 hours

Admin access requires email authentication. There are no shared credentials or master passwords.

Secure by default.

Confiri's API is designed for ATS integration. Security is built into every layer:

HTTPS only: all API traffic is encrypted with TLS 1.2+
Bearer token authentication: API keys are hashed with SHA-256 and validated on every request
No plaintext storage: we store only the hash of your API key, never the key itself
Webhook signatures: all callback payloads are signed with HMAC-SHA256 so you can verify authenticity
Company-scoped: every API request is scoped to the authenticated company. Cross-tenant requests are impossible
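
How a receiving integration can check an HMAC-SHA256 webhook signature, shown as an added example that is not Confiri's own code. The header name, hex encoding, secret and payload fields are assumptions made for illustration; the page does not specify them.

```python
import hashlib
import hmac
import json

# Assumption: the signature arrives as hex in a request header. The header
# name and encoding are hypothetical; take the real ones from the API docs.
SIGNATURE_HEADER = "X-Webhook-Signature"  # hypothetical name


def sign(secret: bytes, raw_body: bytes) -> str:
    """HMAC-SHA256 over the exact bytes of the request body, hex-encoded."""
    return hmac.new(secret, raw_body, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, raw_body: bytes, headers: dict) -> bool:
    """Return True only if the header carries a valid HMAC-SHA256 of raw_body."""
    # HTTP header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    received = lowered.get(SIGNATURE_HEADER.lower())
    if not received:
        return False  # fail closed: unsigned callbacks are rejected
    try:
        received_mac = bytes.fromhex(received.strip())
    except ValueError:
        return False  # header value is not valid hex
    expected_mac = hmac.new(secret, raw_body, hashlib.sha256).digest()
    # Constant-time comparison: timing does not reveal how many bytes matched.
    return hmac.compare_digest(received_mac, expected_mac)


def handle_callback(secret: bytes, raw_body: bytes, headers: dict):
    """Verify first, parse second: unauthenticated bytes never reach json.loads."""
    if not verify_webhook(secret, raw_body, headers):
        return 401, None
    return 200, json.loads(raw_body)


# Constructed sample data (not real values from any service).
SECRET = b"constructed-webhook-secret"
BODY = b'{"session_id": "sess_123", "result": "amber", "confidence": 0.62}'
GOOD_HEADERS = {"x-webhook-signature": sign(SECRET, BODY)}

if __name__ == "__main__":
    print(handle_callback(SECRET, BODY, GOOD_HEADERS))
    # Same header, body edited in transit: the callback is rejected.
    print(handle_callback(SECRET, BODY.replace(b"amber", b"green"), GOOD_HEADERS))
```

Verify against the raw request bytes as received; a body that has been parsed and re-serialised by a framework may differ in whitespace or key order and will not match the signature.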

Regulatory compliance.

GDPR

Confiri operates as a data processor under GDPR. We process candidate data on your behalf, under your instructions.

Right to access (Article 15)
Right to erasure (Article 17)
Data portability (Article 20)
DPA available on request

EU AI Act

Confiri's verification system is designed to comply with the EU AI Act:

No emotion recognition or sentiment analysis
No inference of protected characteristics
No automated rejection
Full transparency before verification

UK Data Protection Act 2018

Compliant as a data processor operating in the UK. All data processing occurs within the EU (AWS Ireland region). UK adequacy decision ensures equivalent protection.

Verification that respects candidates.

Confiri is built on a principle: flag, never reject. No candidate is ever automatically denied an interview based on our verification. Your hiring team always makes the final decision.

Candidates see

Their interview details (role, company, time)
A simple camera check that takes under 10 seconds
A seamless redirect to the video call

We show a clear privacy notice before any data is collected. There are no hidden checks, no background scans, no data collected without consent.

If something goes wrong.

In the event of a security incident:

We will notify affected customers within 72 hours, in line with GDPR requirements
We will provide a detailed incident report including scope, impact, and remediation steps
We maintain an internal incident response procedure with defined roles and escalation paths

To report a security concern: security@confiri.com

Quick reference.

Ready to secure your hiring process?

Start your 14-day free trial — no card required.


For security questionnaires, DPAs, or detailed technical discussions: security@confiri.com