Data Processing & Security

Last updated: May 2026

This overview describes how TALNT handles your data and the safeguards we maintain. It is intended as a starting point for any required data processing agreement.

Draft — pending attorney review. This document is a working outline of TALNT's intended policy. It must be reviewed and finalized by licensed counsel before relying on it for any customer relationship.

1. Roles

Under most data-protection frameworks, you are the controller of your candidate and operational data; TALNT processes it on your instructions as a processor. A formal Data Processing Addendum is available on request via legal@gettalnt.com.

2. Categories of data processed

  • Account data (names, work emails, login activity)
  • Candidate profile data (name, contact details, employment history, certifications, address)
  • Communications data (outreach messages, replies, scheduling tokens)
  • Operational telemetry (audit logs, error traces, usage metrics)
  • Billing data (handled by Stripe; TALNT stores customer/subscription IDs only)

3. Security controls

  • Data encrypted at rest (Supabase Postgres) and in transit (HTTPS / TLS 1.2+).
  • Role-based access control with admin, recruiter, and hiring-manager scopes.
  • JWT-based session tokens with rotation on logout.
  • Rate limiting and audit logging on sensitive routes.
  • Secrets stored in Vercel encrypted environment variables; never in source.

4. Sub-processors

TALNT relies on the following sub-processors to operate the service:

  • Supabase — managed Postgres + storage
  • Vercel — application hosting + edge CDN
  • Stripe — billing and payment processing
  • Twilio — SMS delivery (when enabled)
  • Resend — transactional email delivery

See Third-Party Services for the full disclosure.

5. Data residency

TALNT's primary production database is hosted in the United States. Sub-processors may transfer data internationally, consistent with their own published policies. Customers requiring regional data residency should contact us before signing.

6. Breach notification

If TALNT becomes aware of a security incident affecting your data, we will notify designated account admins without undue delay (and in any case consistent with applicable law) with the available facts and our remediation plan.

7. Data subject requests

Requests by individual candidates to access, correct, or delete their data should be initiated by you as the controller. TALNT provides export and deletion tools to facilitate these requests within your account.