Security Questionnaire
We've prepared straightforward answers to common security assessment questions. No marketing language — just an honest picture of where we are today and where we're headed.
01 — Company Overview
pace● is an AI-powered interview copilot that helps organisations conduct structured, evidence-based interviews. It provides real-time guidance to interviewers, generates competency-based scoring, and aggregates panel evaluations to support better hiring decisions. The AI assists — it never makes hiring decisions.
pace● is an early-stage product. We are transparent about our maturity level — we are building our security, compliance, and operational practices as we grow. We prioritise honesty about our current state over aspirational claims.
As an early-stage company, our engineering team is small. Production access is limited to essential personnel. We do not currently have formal access review processes, but plan to implement them as we scale.
We do not currently carry cyber liability insurance. This is on our roadmap as we scale enterprise operations.
02 — Data Handling
We process: candidate names and identifiers provided by the employer, interview transcripts (generated via speech-to-text), competency scores and interviewer observations, panel evaluation aggregations, and user account information (name, email, hashed password). We follow data minimisation principles — we do not collect data beyond what is needed to deliver the service.
Application data is stored in a PostgreSQL database hosted on our cloud platform (Replit). File uploads and documents are stored in Google Cloud Storage. All infrastructure is located in the United States.
Data is currently retained until the customer deletes it or requests deletion. We are developing configurable retention policies and automated deletion workflows, but these are not yet operational. Customers can request data deletion through our support process.
Data export is currently handled through our support process on request. Self-service data export functionality is on our product roadmap.
No. We use Anthropic's API for AI processing. Customer interview data is sent to Anthropic for real-time analysis and is subject to Anthropic's data use policies. We do not use customer data to train our own models. We recommend reviewing Anthropic's commercial API data use policy for details on their data handling.
03 — Encryption
All client-to-server communication is encrypted via TLS, managed and terminated by our hosting platform (Replit). We do not self-manage TLS certificates or configure cipher suites — this is handled at the platform level.
Sensitive fields such as TOTP secrets and two-factor authentication tokens are encrypted using AES-256-GCM, an authenticated encryption mode that detects modification of the stored ciphertext. Passwords are hashed using bcrypt with an appropriate cost factor (salt rounds). General database contents rely on the hosting platform's storage-level encryption. We do not operate a dedicated key management service (KMS) or implement automated key rotation — encryption keys are stored as environment variables.
No. Encryption keys are currently managed as environment variables on our hosting platform. We do not use a dedicated KMS (e.g., AWS KMS, HashiCorp Vault) or have automated key rotation. Implementing a dedicated key management solution is on our security roadmap.
04 — Authentication & Access Control
Users authenticate with email and password. Passwords are hashed using bcrypt. Sessions are managed using cryptographically random session IDs (32 bytes) stored in the database with configurable expiry (7 days default, 30 days with "remember me"). Session cookies are set with httpOnly, secure, and sameSite=lax flags.
Yes. We support TOTP-based two-factor authentication (compatible with apps like Google Authenticator and Authy). TOTP secrets are encrypted with AES-256-GCM before storage. We also generate backup recovery codes, which are individually hashed with bcrypt. MFA is available but not mandatory for all users.
We implement role-based access control (RBAC) with two roles: manager and interviewer. Every authenticated request is scoped to a specific company through middleware that verifies the user's company membership before processing. Managers have additional permissions (team management, settings). Interviewers can only access interview-related functionality within their assigned company.
Tenant isolation is enforced at the application middleware layer. Every request that accesses company data passes through middleware that verifies the authenticated user's membership in the requested company. All database queries are scoped by company ID. This is middleware-enforced isolation using a shared database — not architectural separation (e.g., separate databases per tenant).
We implement rate limiting on sensitive operations such as two-factor authentication verification (5 attempts per 15-minute window). General API rate limiting is handled at the platform level.
05 — Infrastructure
pace● is hosted on Replit, a managed cloud platform. Infrastructure provisioning, OS-level patching, and networking are handled by the platform. We do not manage our own servers, VPCs, load balancers, or availability zones.
We do not configure our own Web Application Firewall or DDoS mitigation. Any network-level protections are provided by the hosting platform. We do not have visibility into or control over these platform-level protections.
No. We have not yet engaged a third-party firm for penetration testing or vulnerability assessment. This is planned as we mature our security programme.
No. We do not currently have automated security scanning (SAST, DAST, SCA) integrated into our deployment pipeline. We monitor dependencies for known vulnerabilities using standard tooling, but deployments are not blocked by automated security gates. This is an area we plan to strengthen.
Database backups are managed by the hosting platform. We do not currently have documented disaster recovery procedures or tested recovery time objectives (RTOs). Developing formal backup and DR procedures is on our roadmap.
06 — Incident Response
We are developing formal incident response procedures. We do not currently have a documented, tested incident response plan with defined roles, escalation paths, and communication templates. This is an active area of development.
No. We do not currently have automated monitoring, SIEM, or a 24/7 on-call rotation. Incidents are detected and responded to by the engineering team during business hours. Implementing automated monitoring and alerting is on our roadmap.
In the event of a confirmed data breach affecting customer data, we are committed to notifying affected customers within 72 hours, in line with GDPR Article 33 requirements. Notification would include the scope and nature of the breach, data categories affected, and steps taken to mitigate impact. Our notification processes are being formalised.
07 — Compliance Status
No. SOC 2 Type II certification is planned but we have not begun a formal audit engagement. We are building foundational controls (access management, session handling, audit logging) that will support a future SOC 2 effort.
We are partially aligned with GDPR requirements. Our data processing follows data minimisation principles, we document lawful bases for processing, and we are committed to honouring data subject rights. However, self-service GDPR rights workflows (data export, automated erasure), automated data retention policies, and deletion certificates are still under development. Current GDPR requests are handled manually.
We proactively self-classify as a high-risk AI system under Annex III of the EU AI Act. Our product is designed with human-in-the-loop principles, score isolation to prevent bias, and explainable AI outputs. However, formal conformity assessment, EU database registration, and comprehensive Article 11 technical documentation are planned future milestones, not yet completed.
No. ISO 27001 certification is on our long-term roadmap as we scale enterprise operations.
We do not currently conduct regular formal security audits, penetration tests, or third-party assessments. These are planned as part of our security maturation roadmap.
08 — Sub-Processors
Anthropic: AI-powered interview analysis and competency evaluation via API. Data types: interview transcripts, competency frameworks.
Transactional email delivery. Data types: email addresses, notification content.
Google Cloud Storage: file and document storage. Data types: uploaded files and documents.
Replit: application hosting, database, and infrastructure. Data types: all application data.
If your security assessment requires additional information beyond what's covered here, we're happy to discuss. We believe in being straightforward about our current capabilities and roadmap.
Satisfied?
Start your free trial of pace● today, or reach out to our security team for a deeper conversation about your requirements.