Security & Compliance

Our commitment to protecting your data and maintaining the highest security standards.

Last Updated: December 13, 2025

Security Overview

At Qiralyx, security is fundamental to everything we do. We understand that you trust us with sensitive recruitment data, candidate information, and business-critical content. We are committed to protecting this data with industry-leading security measures and best practices.

Our security program is built on multiple layers of protection, including encryption, access controls, network security, and continuous monitoring. We regularly assess and improve our security posture to stay ahead of emerging threats.

Our Security Commitment

  • End-to-end encryption for data in transit and at rest
  • Regular security audits and penetration testing
  • GDPR and data protection compliance
  • 24/7 security monitoring and incident response
  • Employee security training and background checks

Data Encryption

Encryption in Transit

All data transmitted between your devices and our servers is encrypted using Transport Layer Security (TLS) 1.3, the industry standard for secure communications. This ensures that your data cannot be intercepted or read by unauthorized parties during transmission.

  • TLS 1.3 with strong cipher suites
  • Perfect Forward Secrecy (PFS) to protect past communications
  • Certificate pinning for mobile applications
  • HSTS (HTTP Strict Transport Security) enforcement

Encryption at Rest

All data stored in our databases and file systems is encrypted at rest using Advanced Encryption Standard (AES-256), one of the strongest encryption algorithms available. Encryption keys are managed separately from the data and are rotated regularly.

  • AES-256 encryption for all stored data
  • Separate encryption keys for each customer (where applicable)
  • Key management through secure, dedicated systems
  • Regular key rotation and secure key storage

Database Security

Our databases are protected with multiple layers of security:

  • Encrypted database connections
  • Encrypted database backups
  • Database access logging and monitoring
  • Regular security patches and updates

Access Control & Authentication

User Authentication

We implement strong authentication mechanisms to ensure only authorized users can access your account:

  • Strong password requirements with complexity rules
  • Multi-factor authentication (MFA) support
  • Single Sign-On (SSO) integration capabilities
  • Session management with automatic timeout
  • Account lockout after failed login attempts
  • Password hashing using bcrypt with salt

Role-Based Access Control (RBAC)

Our platform supports granular role-based access control, allowing you to:

  • Define custom roles and permissions
  • Assign users to specific roles
  • Control access to sensitive features and data
  • Audit user access and permissions

Employee Access

Our employees follow strict access control policies:

  • Principle of least privilege - employees only have access to data necessary for their role
  • Multi-factor authentication required for all employee accounts
  • Regular access reviews and audits
  • Background checks for all employees with data access
  • Confidentiality agreements and security training
  • All access is logged and monitored

Infrastructure Security

Cloud Infrastructure

Our infrastructure is hosted on leading cloud providers with industry-leading security certifications. We leverage their security features and add further layers of protection:

  • ISO 27001 certified data centers
  • Physical security controls (24/7 monitoring, biometric access)
  • Redundant systems and automated backups
  • Geographic redundancy for disaster recovery
  • Regular infrastructure security assessments

Network Security

Our network is protected by multiple security layers:

  • Firewalls and intrusion detection systems (IDS)
  • DDoS protection and mitigation
  • Network segmentation and isolation
  • Regular vulnerability scanning
  • Web Application Firewall (WAF) protection
  • Rate limiting and abuse prevention

Application Security

We follow secure development practices:

  • Secure coding practices and code reviews
  • Automated security testing in CI/CD pipeline
  • Regular dependency updates and vulnerability patching
  • OWASP Top 10 security awareness
  • Input validation and output encoding
  • Security headers (CSP, X-Frame-Options, etc.)

Backup & Disaster Recovery

We maintain comprehensive backup and disaster recovery procedures:

  • Automated daily backups with encrypted storage
  • Point-in-time recovery capabilities
  • Regular backup restoration testing
  • Disaster recovery plan with defined RTO and RPO
  • Geographic redundancy for critical systems

Compliance & Certifications

GDPR Compliance

We are fully committed to compliance with the General Data Protection Regulation (GDPR). Our compliance measures include:

  • Data Processing Agreements (DPAs) for all customers
  • Data Protection Impact Assessments (DPIAs) for high-risk processing
  • Records of processing activities as required by Article 30
  • Support for all data subject rights (access, rectification, erasure, etc.)
  • Data breach notification procedures
  • Privacy by design and by default principles

Data Processing Agreements

We offer standard Data Processing Agreements (DPAs) that comply with GDPR requirements. These agreements define our role as a data processor and your rights as a data controller.

Security Standards

We align our security practices with industry standards and frameworks:

  • ISO 27001 security management principles
  • OWASP security best practices
  • NIST Cybersecurity Framework alignment
  • Cloud Security Alliance (CSA) guidelines

Third-Party Security

We carefully vet all third-party service providers and vendors:

  • Security assessments of vendors
  • Data Processing Agreements with all processors
  • Regular vendor security reviews
  • Incident notification requirements

Security Monitoring & Incident Response

24/7 Security Monitoring

We continuously monitor our systems for security threats and anomalies:

  • Real-time security event monitoring
  • Automated threat detection and alerting
  • Security Information and Event Management (SIEM)
  • Log aggregation and analysis
  • Anomaly detection using machine learning

Incident Response

We maintain a comprehensive incident response plan:

  • Dedicated security incident response team
  • Documented incident response procedures
  • Regular incident response drills and training
  • GDPR-compliant data breach notification procedures
  • Post-incident analysis and improvement

Vulnerability Management

We proactively identify and remediate security vulnerabilities:

  • Regular vulnerability scanning and assessments
  • Penetration testing by third-party security firms
  • Bug bounty program (where applicable)
  • Rapid patching of identified vulnerabilities
  • Security patch management process

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly to:

Email: security@qiralyx.com

We appreciate responsible disclosure and will work with you to address any security concerns.

Security Best Practices for Users

While we implement strong security measures, you also play an important role in keeping your account secure:

Account Security

  • Use a strong, unique password for your account
  • Enable multi-factor authentication (MFA) when available
  • Never share your account credentials with others
  • Log out from shared or public computers
  • Regularly review your account activity and access logs

Data Protection

  • Only upload data that is necessary for your use case
  • Regularly review and delete data that is no longer needed
  • Be cautious when sharing sensitive data through the platform
  • Use appropriate access controls and permissions
  • Keep your local devices and software updated

Phishing & Social Engineering

  • Be cautious of emails or messages requesting your credentials
  • Verify the authenticity of communications from Qiralyx
  • Never click on suspicious links or download unknown attachments
  • Report suspicious activity to our security team immediately

Security Audits & Assessments

We regularly conduct security audits and assessments to ensure our security measures remain effective:

  • Annual third-party security audits
  • Regular penetration testing
  • Code security reviews
  • Infrastructure security assessments
  • Compliance audits and certifications

Customers with enterprise plans may request security documentation, including:

  • Security audit reports (subject to confidentiality agreements)
  • Data Processing Agreements
  • Security questionnaires and compliance documentation

Security Contact

For security-related inquiries, questions, or to report a security issue, please contact us:

Qiralyx Security Team

Nuremberg, Germany

Email: security@qiralyx.com

General Inquiries: adm@qiralyx.com

For privacy-related inquiries, please see our Privacy Policy.