Security
Provyn is built for trust. Here's how we protect candidate data, assessment integrity, and recruiter privacy.
Data encryption
All data is encrypted in transit (TLS 1.2+) between the browser, Netlify edge, and Airtable API. Airtable encrypts data at rest using AES-256. Stripe handles all payment data under PCI DSS Level 1.
Assessments run in a timed, anti-fraud environment. We capture tab-blur events, paste/copy counts, per-question timing, keystroke cadence, environment fingerprints (screen, CPU, timezone), and optional webcam proctoring. Questions are randomized per candidate. Two-tab locks prevent dual-session cheating.
Correct answers never leave the server. The runner client receives only the question prompts, options, and metadata. No correctIndex, no acceptedAnswers, no rubrics. The redactForRunner() function strips all answer data before the payload hits the browser.
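As an added example (not Provyn's own code), here is how a server-side redaction step in the spirit of the redactForRunner() described above can be written, together with a defence-in-depth check that refuses to send the payload if any answer field survives. The field names correctIndex and acceptedAnswers come from the page; the rubric field name, the allowlisted runner fields and the question shape are assumptions for this example.

```javascript
// Added example, not Provyn's own code: server-side redaction of the
// question set before it goes to the runner client, in the spirit of the
// redactForRunner() the page describes. Field names correctIndex and
// acceptedAnswers come from the page; 'rubric' and the rest of the question
// shape are assumptions for this example.

// Allowlist: only these fields may reach the browser. Anything not listed,
// including fields added to the question model later, is dropped. That is
// safer than a denylist, which silently leaks any new answer field.
const RUNNER_FIELDS = ['id', 'type', 'prompt', 'options', 'timeLimitSec'];

// Fields that must never appear anywhere in the runner payload.
const ANSWER_FIELDS = ['correctIndex', 'acceptedAnswers', 'rubric'];

function redactForRunner(questions) {
  return questions.map((q) => {
    const out = {};
    for (const field of RUNNER_FIELDS) {
      if (field in q) out[field] = q[field];
    }
    return out;
  });
}

// Defence in depth: walk the whole payload (nested objects and arrays included)
// and refuse to send it if any answer field survived. This catches a careless
// edit to RUNNER_FIELDS or a nested object that smuggles an answer through.
function assertNoAnswerData(payload) {
  const leaked = [];
  const walk = (node, path) => {
    if (Array.isArray(node)) {
      node.forEach((item, i) => walk(item, `${path}[${i}]`));
    } else if (node && typeof node === 'object') {
      for (const [key, value] of Object.entries(node)) {
        if (ANSWER_FIELDS.includes(key)) leaked.push(`${path}.${key}`);
        walk(value, `${path}.${key}`);
      }
    }
  };
  walk(payload, 'payload');
  if (leaked.length > 0) {
    throw new Error(`answer data in runner payload: ${leaked.join(', ')}`);
  }
  return true;
}

// Builds the payload the runner receives for one attempt.
function buildRunnerPayload(questionBank) {
  const payload = { questions: redactForRunner(questionBank) };
  assertNoAnswerData(payload);
  return payload;
}

// Constructed sample question bank for the example (not real Provyn data).
const SAMPLE_BANK = [
  {
    id: 'q1', type: 'mcq',
    prompt: 'Which response header tells browsers to use HTTPS only?',
    options: ['X-Frame-Options', 'Strict-Transport-Security', 'Content-Type'],
    correctIndex: 1,
    rubric: 'Full marks for HSTS.',
  },
  {
    id: 'q2', type: 'short',
    prompt: 'Which MAC algorithm signs credential URLs?',
    acceptedAnswers: ['HMAC-SHA256', 'hmac-sha256'],
    timeLimitSec: 60,
  },
];

console.log(JSON.stringify(buildRunnerPayload(SAMPLE_BANK), null, 2));
```

The allowlist is the real control; the payload walk is there so that a future change to the question model (a new answer-bearing field, or an answer nested inside metadata) fails loudly at build time instead of leaking quietly to the browser.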
Sign-in uses NextAuth with JWT sessions. Email magic-link tokens are hashed before being stored in Upstash Redis, with a 10-minute expiry. Session tokens for in-progress assessments are cryptographically random (24 bytes / 48 hex chars) and validated on every autosave and on submit.
Each credential URL includes an HMAC-SHA256 signature so anyone can verify it's authentic without trusting our server rendering. Tampering with the URL parameters invalidates the signature.
Recruiter access requires admin approval. Admin routes are gated by the ADMIN_EMAILS allowlist. Candidate profile edits are scoped to the session email. The client cannot forge a candidate ID. Shortlist entries enforce ownership checks on DELETE/PATCH.
Hosted on Netlify (SOC 2 Type II certified). Database on Airtable (SOC 2 Type II certified). Email via Resend (SOC 2 Type II certified). Payments via Stripe (PCI DSS Level 1). No self-managed servers, no raw database access.
We collect only what's needed: name, email, role, assessment answers, and fraud telemetry. We don't record browsing history, clipboard contents, or keystroke content, only timing patterns. Webcam snapshots are low-resolution, capped at 10 per attempt, and visible only to admin reviewers.
Provyn is pursuing SOC 2 Type II certification. Our infrastructure providers (Netlify, Airtable, Stripe, Resend) are all SOC 2 certified. We expect to complete our own audit by Q4 2026.
Questions about our security posture? Email provyn.app@outlook.com