Security at GoodFit
Last updated: April 17, 2026
Hiring data is some of the most sensitive information a company handles. We treat it accordingly.
Certifications
- SOC 2 Type II - independently audited controls on security, availability, and confidentiality
Encryption
- In transit: TLS 1.2+ for all API and dashboard connections
- At rest: AES-256 for database, object storage, and backups
- Key management: managed KMS with automatic rotation
Access control
- SSO (SAML, OIDC) for enterprise customers
- Role-based access within an organization
- Automated directory sync (user provisioning) available on enterprise plans
- MFA enforced for all internal staff
Data residency
Data is primarily stored in Mumbai (AWS ap-south-1). Enterprise customers can request EU or US residency.
Model training
We do not train AI models on identifiable candidate data. Aggregate telemetry may inform product improvements.
Incident response
We notify affected customers within 72 hours of confirmed security incidents. Status updates are posted at status.goodfit.so.
Reporting vulnerabilities
Report suspected vulnerabilities to security@goodfit.so. We acknowledge within 24 hours.