✓ DPDPA Compliant

✓ AES-256 Encrypted

✓ SOC-2 Roadmap

Enterprise-Grade Security for Your Hiring Data

Name: CVPRO
Author: Talpro India Pvt Ltd

CVPRO protects sensitive candidate and client information with industry-leading security practices. Your trust is our responsibility.

Company: Talpro India Pvt Ltd

Product: CVPRO AI-Powered Hiring Intelligence

Security Foundation

Data Encryption

AES-256 at rest
TLS 1.3 in transit
Encrypted DB connections

Infrastructure

India-hosted servers
PM2 cluster mode
Nginx reverse proxy

Access Control

6-role RBAC system
JWT with NextAuth
Session management

Compliance

DPDPA compliant
SOC-2 roadmap
Data sovereignty

Data Encryption

Military-grade encryption protecting your data at every layer

Data at Rest

All stored data is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys), the same encryption standard used by financial institutions and government agencies worldwide.

•Database encryption at the field level for sensitive data
•Secure key management with regular key rotation
•Encryption keys are stored separately from data

Data in Transit

All communication between clients and CVPRO servers is protected using TLS 1.3 (Transport Layer Security), the latest and most secure version.

•End-to-end encryption for all API communications
•Certificate pinning for additional protection
•Perfect Forward Secrecy (PFS) enabled

Database Connections

Direct database connections are established over encrypted channels with SSL/TLS verification.

•Encrypted PostgreSQL connections with certificate validation
•Connection pooling with automatic cleanup

DPDPA Compliance

India's Digital Personal Data Protection Act 2023 compliance

Compliance Framework

CVPRO is fully aligned with the Digital Personal Data Protection Act (DPDPA) 2023, India's comprehensive data protection legislation. We implement strict controls to protect personal data across recruitment workflows.

Key Controls

Lawful basis for data processing
Explicit user consent mechanisms
Data minimization practices
Purpose limitation controls

User Rights

Right to access personal data
Right to correction and erasure
Right to data portability
Grievance redressal mechanism

Infrastructure Security

Secure hosting and database architecture

Server Hosting

CVPRO infrastructure is hosted entirely within India on secure, dedicated servers meeting enterprise standards.

•India-based data centers ensuring data sovereignty
•24/7 physical security and access controls
•Automated backups with redundancy
•Disaster recovery protocols in place

Database Security

PostgreSQL database with advanced security features and multi-tenant architecture.

•Row-Level Security (RLS) for data isolation per organization
•Multi-tenant isolation via Organization ID (orgId)
•Automated integrity checks and monitoring
•Point-in-time recovery capability

Application Layer

Robust application server configuration with load balancing and security hardening.

•PM2 Cluster Mode for high availability and zero-downtime deployments
•Nginx reverse proxy with security headers
•Content Security Policy (CSP) enabled
•HSTS (HTTP Strict Transport Security) enforced
•X-Frame-Options to prevent clickjacking
•X-Content-Type-Options header protection

AI Data Policy

How your data interacts with AI services

Claude API Integration

CVPRO uses Anthropic's Claude API for resume evaluation and candidate assessment capabilities. We maintain strict data protection practices when using this service.

No Model Training on Your Data

Your customer data, candidate information, and confidential hiring data are NEVER used to train or improve the Claude model. Anthropic does not retain your data for model improvement.

Real-Time Processing

Data is processed in real-time by the API and not stored by Anthropic after the request completes. Only the minimum necessary information is sent for evaluation purposes.

PII Redaction

Personally Identifiable Information (PII) can be redacted from evaluation requests, ensuring additional protection of sensitive candidate information while maintaining evaluation accuracy.

Data Minimization

Only data relevant to the specific evaluation task is transmitted to the API. Unnecessary information is filtered before transmission.

Access Control

Role-based access and authentication

6-Role RBAC System

CVPRO implements granular role-based access control with six distinct roles, each with specific permissions and capabilities.

Super Admin

Full system access, user management, system configuration

Org Admin

Organization management, user invitations, team settings

Recruiter

View and evaluate candidates, create job postings, manage evaluations

Candidate

Submit resume, view application status, update profile

Client

View candidate pool, provide feedback, request specific evaluations

Vendor

Limited view access for integrated systems, read-only operations

Authentication & Sessions

JWT (JSON Web Tokens) with NextAuth for secure session management
Automatic session expiration after 24 hours of inactivity
Secure password hashing with bcrypt
Multi-factor authentication (MFA) available
Session invalidation on logout

Application Security

Rate limiting, validation, and attack prevention

Rate Limiting

Comprehensive rate limiting protects against brute force attacks, API abuse, and DDoS attempts.

Authentication endpoints5 requests / 15 minutes

File uploads10 requests / minute

General API endpoints200 requests / minute

Input Validation & Sanitization

Strict input validation on all API endpoints
SQL injection prevention via parameterized queries
XSS (Cross-Site Scripting) protection
CSRF (Cross-Site Request Forgery) tokens on all forms
File type validation and scanning

CORS & Secrets Management

CORS whitelist prevents unauthorized cross-origin requests
No secrets committed to Git repositories
Environment variables for sensitive configuration
Secrets rotation policy enforced

SOC-2 Roadmap

Towards independent security verification

We are actively implementing SOC-2 Type I controls to provide independent verification of our security practices and controls effectiveness.

Current Phase

Implementing SOC-2 Type I controls

Target Timeline

SOC-2 Type I Certification: Q4 2026

Future Plan

SOC-2 Type II certification planned for 2027 (demonstrating sustained control effectiveness)

SOC-2 certification by a qualified independent auditor will provide customers with documented assurance that our security, availability, processing integrity, confidentiality, and privacy controls meet industry standards.

Responsible Disclosure

Report security vulnerabilities responsibly

We take security seriously and appreciate responsible vulnerability disclosures. If you discover a security vulnerability in CVPRO, please report it to our security team.

Security Contact

security@talpro.in

Email your detailed security concern with steps to reproduce. Do not publicly disclose the vulnerability until we have had time to address it.

Security Policy

For more details on our vulnerability disclosure policy, response times, and recognition program, visit:

/.well-known/security.txt

We are committed to responding to security reports within 48 hours and working with researchers to resolve issues responsibly.

Questions About Security?

security@cvpro.in

This security information is current as of March 2026. CVPRO continuously updates its security practices to address emerging threats and maintain the highest standards of data protection.