Security, privacy & compliance

Raw camera and microphone streams are analyzed in-memory, in real time. Webcam snapshots are captured for human review, and keystroke events are captured for paste/burst detection. We do NOT store continuous raw video or audio. What persists is snapshots, keystroke timing events, A/V drift scores, and coherence ratings — never facial biometric identifiers or voiceprints.

Before any camera or microphone activates, candidates see a plain-language consent screen describing exactly which signals are collected, why, how long they are retained, and their right to refuse or withdraw. Refusal does not silently fail — the assessment offers a non-monitored fallback path where the hiring team has configured one. Consent is logged with timestamp and assessment ID.

Default retention windows for candidate-facing data: webcam snapshots 30 days; keystroke event logs 90 days; integrity scores & reports 12 months; interview recordings (if enabled) 6 months. Infrastructure-layer windows are separate and operate independently: database point-in-time recovery (PITR) 30 days on Enterprise, encrypted backups & system logs up to 90 days. Every primary window is configurable per organization — Enterprise customers commonly set automated deletion at 30, 60, or 90 days. A scheduled job purges expired records, cascades deletion to backups on next rotation, and writes a deletion audit entry. The full table lives in our Privacy Policy.

Candidates can request access, rectification, export, or erasure of their data at [email protected]. Requests are serviced within GDPR / revFADP statutory windows (typically ≤ 30 days). Erasure removes snapshots, event logs, and all derived data immediately and cascades to all downstream stores including backups on the next rotation.

EU and Swiss customers can elect EU-region (eu-central-1 / eu-west-1) processing on Enterprise plans, keeping all snapshots, event logs, and assessment artifacts inside the EU/EEA. Swiss-resident processing is available on request. Standard Contractual Clauses cover any incidental cross-border transfer.

Our full sub-processor register is published at /sub-processors (with a downloadable JSON for compliance automation). A pre-built Data Protection Impact Assessment template and signed Data Processing Agreement are available on request for security and privacy reviews. Our DPO can be engaged directly during your procurement review.

Email [email protected] with a clear description, reproduction steps, affected URL or endpoint, and any proof-of-concept. We acknowledge new reports within 2 business days and provide a triage update within 5 business days. Please do not file vulnerability reports through public support channels or social media.

For sensitive issues, encrypt your report with our PGP key (fingerprint and key file linked from /.well-known/security.txt). We also accept reports via Signal — request a number by emailing [email protected].

Good-faith research conducted under this policy will not be pursued legally. Stay within scope, avoid privacy violations and service degradation, do not access data beyond what is necessary to demonstrate the issue, and delete any retrieved data promptly.

In scope: clarity-hire.com, *.clarity-hire.com, our public APIs, and our mobile clients. Out of scope: third-party SaaS we use, social-engineering, physical attacks, and DoS. We currently run a private bounty — qualifying reports receive monetary rewards based on severity (CVSS) and impact, plus credit in our security acknowledgements.