Trust & Security

Your students' data, protected by design

This page outlines how we handle data, our hosting and encryption standards, access controls, FERPA-aligned education practices, and answers to common questions.

Data handling & privacy

RecruitIQ is designed for programs and schools. We treat the institution as the data owner and act as a processor / "school official" with a legitimate educational interest under FERPA when contracted by the institution.

Data we process (examples)
Student profile fields (name, grad year, sport), recruiting tasks, outreach content, school lists, coach contacts.
Uses
Provide core features (timeline, coach lookup, messaging templates, comparisons), support services, and security/audit.
  • Ownership: Institutions own their data. We do not sell student data. We only use it to deliver the contracted service.
  • Data residency: Default hosting in the United States.
  • Retention & backups: We retain rolling operational backups for standard backup days to support continuity and recovery. Admins may request export or deletion at any time.
  • Access to content: Restricted to authorized personnel for support and security, following least-privilege principles.

Hosting, security & encryption

We run on modern cloud infrastructure with layered security controls to protect confidentiality, integrity, and availability.

Cloud & network
Hosted on AWS (US regions) with VPC isolation, WAF, DDoS protections, and environment segregation.
Encryption
Data in transit via TLS 1.2+; data at rest encrypted (e.g., AES-256). Secrets managed with KMS / vaulting.
  • Application security: AuthZ checks at the API layer, parameterized queries, and secure coding practices.
  • Backups & DR: Point-in-time backups and disaster recovery procedures (RTO/RPO defined in your agreement).
  • Monitoring: Centralized logs, alerting, and automated anomaly detection.
  • Vulnerability management: Routine dependency scanning and patching cadence.

Access controls

Authentication
Email+password (hashed), optional MFA. SSO (SAML 2.0/OIDC) available on request.
Authorization
Role-based access (e.g., AD/Coach/Counselor/Student). Program-scoped data by default.
  • Least privilege & auditing: Internal access is limited and logged. Admin activity logs available to institutions.
  • Data segregation: Tenant boundaries at the data layer with ID-based scoping and permission checks.
  • Session security: Short-lived tokens with secure, HTTP-only cookies; automatic timeouts.

FERPA & education compliance

RecruitIQ supports institutional compliance with applicable education privacy laws. Institutions remain the controllers of student records and determine lawful bases for processing.

  • FERPA: We act as a "school official" with a legitimate educational interest when engaged by your institution. We sign Data Privacy Agreements (DPAs) and follow district/state addenda as required.
  • PPRA/COPPA (K-12): Where applicable, parental notice/consent flows are administered by the institution. We do not sell or use data for targeted advertising.
  • Data subject rights: Access, correction, deletion, and export are supported through institutional admins or by request to our security team.
  • Records requests: We coordinate with the institution to fulfill lawful requests; we do not disclose student data to third parties except as directed or required by law.

Subprocessors

We use vetted providers to deliver the service. We maintain DPAs and security reviews for each provider. Below is a representative list—your contract will include the current roster.

Provider | Purpose | Region | Data handled
AWS | Compute, storage, networking | US (primary) | All data at rest (encrypted)
[Email service] | Transactional emails | US/EU (service-dependent) | Email address, message metadata
[Analytics/Monitoring] | Operational telemetry | US/EU | App logs & performance metrics (pseudonymized where possible)
[File storage/CDN] | Media storage & delivery | Global CDN with US origin | Uploaded media, generated assets

Security & privacy FAQ

Do you sign DPAs and vendor security questionnaires?
Yes. We provide a standard DPA and complete vendor security questionnaires. District/state addenda can be accommodated.
Where is data stored?
On AWS in US regions by default. Alternative regions can be discussed for enterprise deployments.
How do you encrypt data?
TLS 1.2+ for data in transit and strong encryption at rest (e.g., AES-256). Keys are managed using a dedicated key management service.
Can we export or delete our data?
Yes. Admins can request exports, and we support secure deletion workflows. Operational backups are maintained for standard backup days and then purged on a rolling basis.
Do you use student data to train models?
No, not without a written agreement. Any AI features are configured to respect institutional boundaries; we do not sell or share student data for advertising.
What about incident response?
We maintain an incident response plan with 24/7 monitoring, severity classification, customer notification procedures, and post-incident review.

Contacts

Security contact
Data requests