Security Policy

Our commitment to protecting your data and maintaining platform integrity.

1. Introduction

SwiftCruit.ai takes security seriously. This Security Policy outlines our security practices, compliance measures, and the steps we take to protect your information from unauthorized access, disclosure, alteration, and destruction.

2. Data Encryption

2.1 Encryption in Transit

  • All data transmitted between your device and our servers is encrypted using TLS 1.2 or higher.
  • HTTPS is enforced on all pages of the Platform.
  • API communications use REST over the same TLS channel and are authenticated with OAuth 2.0.

2.2 Encryption at Rest

  • All databases are encrypted using AES-256 encryption.
  • Secrets are never stored in plaintext: passwords are hashed with bcrypt (see Section 3.1), API keys are stored as hashes of the issued key (SHA-256 is appropriate here because a random API key has far more entropy than a user-chosen password), and payment information is covered by the database encryption above. A fast hash such as SHA-256 is not used for passwords.
  • Backup data is encrypted and stored securely.

3. Authentication and Access Control

3.1 Password Security

  • Passwords are hashed using bcrypt with a cost factor of at least 12 (2^12 key-expansion rounds) and a random per-password salt.
  • Password policies enforce minimum length, complexity requirements, and expiration policies.
  • Users are encouraged to enable two-factor authentication (2FA).
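The storage pattern behind Sections 2.2 and 3.1 (a slow salted hash with a minimum cost for passwords, a fast hash for high-entropy API keys, and a transparent rehash at login when a stored hash falls below policy), as an added example that is not SwiftCruit's code. The page specifies bcrypt with cost 12 or more; Python's standard library has no bcrypt, so the hashing below uses hashlib.scrypt as a stand-in with the same shape, while bcrypt_cost() parses real bcrypt strings. Cost values and the stored-string layout are assumptions.

```python
"""Added example, not SwiftCruit's code: password-hash cost policy, rehash at
login, and hashed API-key lookup. scrypt stands in for bcrypt (no bcrypt in
the standard library); bcrypt_cost() reads the cost from real bcrypt hashes."""
import base64
import hashlib
import hmac
import os
import re
import secrets

MIN_BCRYPT_COST = 12      # Section 3.1 policy: cost factor 12 (2**12 rounds)
MIN_SCRYPT_LOG2_N = 14    # assumed policy for the scrypt stand-in: N = 2**14

# bcrypt modular-crypt format: $2b$<2-digit cost>$<22-char salt><31-char digest>
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost(stored):
    """Cost factor encoded in a real bcrypt hash, or None if the string is not bcrypt."""
    m = _BCRYPT_RE.match(stored)
    return int(m.group(1)) if m else None


def bcrypt_needs_rehash(stored, min_cost=MIN_BCRYPT_COST):
    """True when a stored hash is below policy or is not bcrypt at all
    (for example a legacy bare SHA-256 hex digest, which must never hold a password)."""
    cost = bcrypt_cost(stored)
    return cost is None or cost < min_cost


def _b64(raw):
    return base64.b64encode(raw).decode("ascii")


def hash_password(password, log2_n=MIN_SCRYPT_LOG2_N):
    """Stand-in for bcrypt: fresh 16-byte salt, cost encoded in the stored string."""
    salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=1 << log2_n, r=8, p=1, dklen=32)
    return "$scrypt$%d$%s$%s" % (log2_n, _b64(salt), _b64(dk))


def _parse_scrypt(stored):
    """Returns (log2_n, salt, digest) or None for anything that is not our format."""
    parts = stored.split("$")
    if len(parts) != 5 or parts[0] != "" or parts[1] != "scrypt" or not parts[2].isdigit():
        return None
    try:
        return int(parts[2]), base64.b64decode(parts[3]), base64.b64decode(parts[4])
    except ValueError:          # binascii.Error is a ValueError
        return None


def verify_password(password, stored):
    parsed = _parse_scrypt(stored)
    if parsed is None:
        return False
    log2_n, salt, expected = parsed
    got = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=1 << log2_n, r=8, p=1, dklen=32)
    return hmac.compare_digest(got, expected)   # constant-time comparison


def password_needs_rehash(stored, min_log2_n=MIN_SCRYPT_LOG2_N):
    parsed = _parse_scrypt(stored)
    return parsed is None or parsed[0] < min_log2_n


def login(password, stored):
    """Returns (ok, hash_to_persist). A correct login against a below-policy
    hash is the only moment the plaintext is available, so the upgrade happens here."""
    if not verify_password(password, stored):
        return False, stored
    if password_needs_rehash(stored):
        return True, hash_password(password)
    return True, stored


def issue_api_key():
    """Returns (plaintext key shown once to the user, digest to persist).
    A fast hash is fine here, unlike for passwords: the key is 256 bits of
    CSPRNG output, so its digest cannot be brute-forced."""
    key = secrets.token_urlsafe(32)
    return key, hashlib.sha256(key.encode("ascii")).hexdigest()


def lookup_api_key(presented, table):
    """table maps SHA-256 digest -> owner; a leaked table yields no usable keys."""
    return table.get(hashlib.sha256(presented.encode("utf-8")).hexdigest())
```

The two rehash helpers are the operational half of "minimum of 12": a policy number only matters if logins against older, cheaper hashes are detected and upgraded, which is why `login()` returns the hash to persist rather than just a boolean.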

3.2 Multi-Factor Authentication

  • Supports TOTP (Time-based One-Time Password, RFC 6238) using Google Authenticator or similar apps.
  • SMS-based 2FA is available as an alternative. It is weaker than TOTP because codes can be intercepted through SIM swapping or carrier-network attacks, so TOTP is the preferred option.
  • Administrators can enforce mandatory 2FA for all users.

3.3 Access Control

  • Role-based access control (RBAC) limits user permissions based on roles.
  • Admin access is restricted to authorized personnel only.
  • Access logs are maintained for all administrative actions.
  • Sessions automatically expire after a period of inactivity.

4. Proctoring Security

Our proctoring system includes multiple layers of security to ensure assessment integrity:

  • AI-Powered Monitoring: Real-time detection of suspicious behaviors, including unusual eye movements, multiple people in frame, or external materials.
  • Video Analysis: Algorithms analyze video streams to detect cheating attempts, phone usage, or other violations.
  • Audio Monitoring: Detection of background conversations or external assistance.
  • System Integrity Checks: Verification that the assessment environment has not been tampered with.
  • Recording Encryption: All proctoring recordings are encrypted and stored securely with limited access.

5. Code Security

5.1 Code Sandboxing

  • User code is executed in isolated, containerized environments using Docker.
  • Each execution is isolated from other users' code and system resources.
  • Execution time and memory limits prevent resource exhaustion attacks.
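One way to launch an untrusted submission with the isolation and limits Section 5.1 describes, as an added example rather than SwiftCruit's own runner. It builds a `docker run` command in which every flag removes something the submission would otherwise have (network, writable root, capabilities, root user, unbounded memory, CPU and process count) and enforces a wall-clock limit from the host. The image name, limit values and paths are assumptions.

```python
"""Added example, not SwiftCruit's runner: one-shot execution of candidate
code in a throw-away Docker container with resource and isolation limits."""
import os
import shutil
import subprocess
import tempfile
import uuid

IMAGE = "python:3.12-alpine"   # assumption: per-language runner image


def build_sandbox_argv(workdir, name, image=IMAGE, memory_mb=256, cpus="0.5",
                       pids=64, cmd=("python", "/work/main.py")):
    """docker run argv for one execution; each flag closes one escape or DoS route."""
    return [
        "docker", "run", "--rm", "--name", name,
        "--network", "none",                          # no egress: no exfiltration, no fetched payloads
        "--read-only",                                # immutable root filesystem
        "--tmpfs", "/tmp:rw,noexec,nosuid,size=16m",  # scratch space only, nothing executable
        "--cap-drop", "ALL",                          # no Linux capabilities at all
        "--security-opt", "no-new-privileges",        # setuid binaries cannot escalate
        "--user", "65534:65534",                      # run as nobody, not root
        "--memory", "%dm" % memory_mb,
        "--memory-swap", "%dm" % memory_mb,           # equal to --memory: no swap, hard cap
        "--cpus", cpus,
        "--pids-limit", str(pids),                    # fork-bomb ceiling
        "-v", "%s:/work:ro" % workdir,                # submission mounted read-only
        image, *cmd,
    ]


def run_sandboxed(source, timeout_s=5.0):
    """Write the submission to a temp dir, run it, enforce the wall-clock limit.
    subprocess's timeout only kills the docker *client*, so the container is
    killed explicitly by name; --rm then removes it."""
    name = "sandbox-" + uuid.uuid4().hex[:12]
    with tempfile.TemporaryDirectory() as workdir:
        os.chmod(workdir, 0o755)                      # readable by uid 65534 inside the container
        path = os.path.join(workdir, "main.py")
        with open(path, "w") as fh:
            fh.write(source)
        os.chmod(path, 0o644)
        argv = build_sandbox_argv(workdir, name)
        try:
            proc = subprocess.run(argv, capture_output=True, text=True, timeout=timeout_s)
        except subprocess.TimeoutExpired:
            subprocess.run(["docker", "kill", name], capture_output=True)
            return {"status": "timeout", "exit": None, "stdout": "", "stderr": ""}
    status = "ok" if proc.returncode == 0 else "error"
    return {"status": status, "exit": proc.returncode,
            "stdout": proc.stdout[:4096], "stderr": proc.stderr[:4096]}   # cap captured output too


def docker_available():
    return shutil.which("docker") is not None


if __name__ == "__main__":
    if docker_available():
        # constructed submissions: one tries to open a socket, one spins forever
        print(run_sandboxed("import socket\nsocket.create_connection(('example.com', 443))\n"))
        print(run_sandboxed("while True: pass\n", timeout_s=2))
    else:
        print(" ".join(build_sandbox_argv("/tmp/submission", "sandbox-demo")))
```

Run with Docker present and the first submission fails at connect time (no network namespace route) while the second returns `timeout` after the container is killed; a useful exercise is to drop one flag at a time and re-run to see what each one was stopping.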

5.2 Code Analysis

  • Plagiarism detection using code-similarity tools such as MOSS (Measure of Software Similarity).
  • Malware scanning for suspicious code patterns.
  • Static code analysis to identify security vulnerabilities.

6. Infrastructure Security

6.1 Cloud Hosting

  • Hosted on secure cloud infrastructure with automatic backups and disaster recovery.
  • Compliance with AWS, Azure, or GCP security standards and certifications.

6.2 Network Security

  • Firewall rules restrict access to authorized ports and IP addresses.
  • DDoS protection via cloud-based security services.
  • Web Application Firewall (WAF) filters common web attacks such as SQL injection and XSS. CSRF cannot be reliably blocked by a WAF and is addressed at the application layer.

6.3 Server Hardening

  • Regular security updates and patches applied automatically.
  • Unnecessary services and ports disabled.
  • Strong SSH key authentication and no password-based SSH access.
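A check that an sshd_config actually enforces what Section 6.3 states (key-only login, no password SSH), as an added example that is not SwiftCruit's tooling. It applies two sshd_config(5) rules that commonly undo a hardening intent: an unset keyword takes OpenSSH's default (PasswordAuthentication defaults to yes, so a commented-out line enforces nothing), and for each keyword the first value wins. The sample configs are constructed for the example.

```python
"""Added example, not SwiftCruit's tooling: audit sshd_config for password
login paths. Defaults follow OpenSSH sshd_config(5)."""
import re

# Unset keywords take these defaults; for set keywords the FIRST value wins.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",   # PAM keyboard-interactive can still take a password
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}  # pre-8.7 name

WEAK_CONFIG = """\
# constructed sample: looks hardened at a glance but is not
Port 22
PermitRootLogin yes
#PasswordAuthentication no
PubkeyAuthentication yes
"""

HARDENED_CONFIG = """\
# constructed sample: what "SSH keys only, no password SSH" should look like
PermitRootLogin no
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitEmptyPasswords no
"""


def parse_sshd_config(text):
    """Returns (global_settings, [(match_criteria, settings), ...]), lower-cased."""
    global_seen, matches, current = {}, [], None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        val = parts[1].strip().lower() if len(parts) > 1 else ""
        if key == "match":
            current = {}
            matches.append((val, current))   # keywords below apply only to matched users/hosts
            continue
        target = global_seen if current is None else current
        target.setdefault(key, val)          # first occurrence wins
    return {**DEFAULTS, **global_seen}, matches


def audit_sshd(text):
    """List of findings; empty means no password login path was found."""
    cfg, matches = parse_sshd_config(text)
    findings = []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication is '%s' (default yes): password logins allowed"
                        % cfg["passwordauthentication"])
    if cfg["kbdinteractiveauthentication"] != "no":
        findings.append("KbdInteractiveAuthentication is '%s': PAM can still prompt for a password"
                        % cfg["kbdinteractiveauthentication"])
    if cfg["pubkeyauthentication"] != "yes":
        findings.append("PubkeyAuthentication is '%s': key login disabled" % cfg["pubkeyauthentication"])
    if cfg["permitrootlogin"] not in ("no", "prohibit-password", "without-password"):
        findings.append("PermitRootLogin is '%s': root may log in with a password" % cfg["permitrootlogin"])
    if cfg["permitemptypasswords"] != "no":
        findings.append("PermitEmptyPasswords is '%s'" % cfg["permitemptypasswords"])
    for criteria, settings in matches:
        for key in ("passwordauthentication", "kbdinteractiveauthentication"):
            if settings.get(key) == "yes":
                findings.append("Match %s re-enables %s" % (criteria, key))
    return findings


if __name__ == "__main__":
    for label, cfg_text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_sshd(cfg_text) or "no findings")
```

The `Match` handling matters in practice: a global `PasswordAuthentication no` is silently undone for any user or address group whose `Match` block sets it back to `yes`, so a claim of "no password-based SSH access" has to hold for every block, not just the global section.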

7. Vulnerability Management

  • Penetration Testing: Annual security audits and penetration testing by third-party firms.
  • Vulnerability Scanning: Automated scans using tools like Nessus, OpenVAS, and Burp Suite.
  • Bug Bounty Program: We encourage responsible disclosure of security vulnerabilities.
  • Incident Response: Documented procedures for responding to security incidents within 24 hours.

8. Compliance Certifications

SwiftCruit is committed to meeting industry standards and regulations:

  • GDPR (General Data Protection Regulation): Compliant with EU data protection regulations.
  • CCPA (California Consumer Privacy Act): Compliant with California privacy laws.
  • ISO 27001: Information security management system certification.
  • SOC 2 Type II: Security, availability, processing integrity, confidentiality, and privacy compliance.
  • HIPAA Ready: Supports healthcare data compliance requirements (when applicable).

9. Employee Security

  • Background checks for all employees with system access.
  • Security awareness training and annual compliance certification.
  • Non-disclosure agreements (NDAs) for all personnel.
  • Principle of least privilege: employees have access only to data necessary for their role.
  • Access revocation upon termination.

10. Data Retention and Deletion

  • Assessment Data: Retained for 5 years for compliance and historical records.
  • Proctoring Recordings: Retained for 3 years; automatically deleted after expiration.
  • User Accounts: Data is deleted within 30 days of account closure request, with exceptions for legal holds.
  • Logs: Access and system logs are retained for 90 days for security monitoring.

11. Third-Party Security

  • All third-party vendors must meet our security standards and sign Data Processing Agreements (DPAs).
  • Regular audits of vendor security practices.
  • Contracts include data protection clauses and liability limitations.

12. Incident Response

In the event of a security breach or incident:

  • Immediate investigation and containment procedures.
  • Notification of affected users within 24-72 hours (as required by law).
  • Cooperation with law enforcement and regulatory authorities.
  • Post-incident analysis to prevent recurrence.

13. User Responsibilities

While we implement robust security measures, users also have a responsibility to:

  • Use strong, unique passwords and enable two-factor authentication.
  • Keep login credentials confidential and not share account access.
  • Report suspicious activity or security concerns immediately.
  • Use secure networks and devices when accessing the Platform.

14. Security Reporting

If you discover a security vulnerability, please report it responsibly to:

  • Email: security@swiftcruit.ai
  • Do not publicly disclose vulnerabilities before we have time to address them.
  • We will acknowledge receipt within 24 hours and provide updates on remediation.

15. Updates and Amendments

This Security Policy may be updated periodically as we enhance our security practices and comply with new regulations. The most current version will always be available on our website.

16. Contact

For questions about our security practices or to report a concern:

  • Support: hello@swiftcruit.ai

Last updated: January 2026