Security & data privacy
Workforce data is some of the most sensitive information a business holds: salaries, performance records, health-related leave, personal identifiers. We take that seriously.
Careersome is SOC 2 Type I certified. Our infrastructure runs on Vercel and Heroku: both SOC 2 Type 2 and ISO 27001 certified, with AES-256 encryption at rest, TLS 1.3 in transit, 24/7 monitoring, and DDoS protection. We comply with NDPR, Kenya Data Protection Act, POPIA, Ghana Data Protection Act, and GDPR.
Our infrastructure
Careersome is built on trusted, certified cloud infrastructure:
Frontend, Vercel
SOC 2 Type 2, ISO 27001, AWS-backed global edge and hosting.
Backend & data, Heroku (Salesforce)
SOC 2 Type 2, ISO 27001, ISO 27017, ISO 27018, PCI DSS Level 1. Heroku is a Salesforce company.
Independent assurance
Both providers undergo regular independent third-party audits. Security documentation is available on request.
How we protect your data
Data Encryption
All data at rest is encrypted using industry-standard AES-256 encryption, and all connections use TLS 1.3 in transit.
Access Control
Role-based access control ensures only authorized personnel can access sensitive data. Multi-factor authentication is available for enhanced security.
Secure Infrastructure
Careersome's frontend runs on Vercel and the backend on Heroku, both SOC 2 Type 2 certified and ISO 27001 certified infrastructure providers. Both platforms provide AES-256 encryption at rest, TLS 1.3 in transit, DDoS protection, 24/7 monitoring, and automatic failover across AWS global infrastructure.
Regular Audits
Regular security audits, penetration testing, and vulnerability assessments identify and address potential security risks proactively.
Data Backup & Recovery
Automated daily backups with redundant copies in geographically distributed locations and point-in-time recovery capabilities.
Privacy by Design
Privacy considerations are built into every aspect of our platform: minimized data collection, clear retention policies, and tools for data deletion.
Compliance & Certifications
Careersome is committed to compliance with data protection regulations across Africa and internationally. We work continuously to meet and exceed regulatory requirements.
Nigerian Data Protection Regulation (NDPR)
Full compliance with Nigeria's data protection regulation, ensuring proper handling of personal data for Nigerian organizations and citizens.
Kenya Data Protection Act
Compliance with Kenya's Data Protection Act, including requirements for data processing, storage, and cross-border transfers.
South Africa POPIA
Adherence to South Africa's Protection of Personal Information Act (POPIA) requirements for data protection and privacy.
Ghana Data Protection Act
Compliance with Ghana's Data Protection Act, ensuring proper data handling and privacy protection for Ghanaian users.
GDPR Compliance
Alignment with General Data Protection Regulation (GDPR) principles for international data protection standards, applicable for European operations.
ISO 27001, infrastructure certified
Both Vercel (frontend) and Heroku (backend) hold ISO 27001 certification, providing independent third-party validation of the information security controls that protect Careersome's infrastructure. Careersome itself is pursuing entity-level ISO 27001 certification as a separate milestone.
Data Residency & Sovereignty
We understand the importance of data sovereignty for African organizations. Careersome offers flexible options to meet your compliance and regulatory requirements: contact us to discuss your jurisdiction and any data processing agreements you need.
Infrastructure regions
Careersome's infrastructure runs on AWS-backed cloud providers (Vercel and Heroku) with global edge nodes. Data is currently processed in US and EU regions. For organizations with strict African data residency requirements, contact us to discuss data processing agreements and available configurations.
Data localization & DPAs
For organizations with strict localization or cross-border requirements, we can discuss data processing agreements (DPAs), Standard Contractual Clauses (SCCs), and configurations aligned to your jurisdiction.
Enterprise data agreements
Enterprise customers can request a Data Processing Addendum (DPA) aligned to their specific compliance and governance requirements. Contact us to discuss your organization's data handling needs.
Cross-Border Transfers
When data transfers are necessary, we ensure they comply with applicable regulations and use appropriate safeguards such as Standard Contractual Clauses (SCCs).
Security Features
Careersome includes built-in security features to help you protect your organization's data and maintain compliance.
Role-Based Access Control
Granular permissions ensure users only access data and features relevant to their role. Admins can customize roles and permissions.
Multi-Factor Authentication
Optional MFA adds an extra layer of security to user accounts and protects against unauthorized access even if passwords are compromised.
Audit Logs
Comprehensive audit logs track all user activities, data access, and system changes for security monitoring and compliance reporting.
Data Export & Deletion
Users can export their data at any time, and organizations can request complete data deletion to meet data protection regulations and user data rights.
Secure Communication
All communications within the platform are encrypted. Email notifications can be configured to use secure channels.
Regular Security Updates
Regular platform updates with security patches and improvements address emerging threats and vulnerabilities.
Incident Response
We maintain a comprehensive incident response plan to quickly identify, contain, and remediate security incidents.
24/7 security monitoring and threat detection
Rapid incident response team activation
Immediate containment of security threats
Thorough investigation and root cause analysis
Transparent communication with affected organizations
Post-incident review and security improvements
Security questions before you sign?
If you need to review our security posture for procurement, compliance, or infosec sign-off, we're happy to share documentation, answer specific questions, or connect you with the right person on our team.