Security controls for RecruiterDocs.

We treat every placement, contract and candidate record as sensitive data.

In short

What this page covers

This page summarizes the controls visible in the product and codebase today, plus the areas where customers should ask for deployment-specific detail.

Access controlsRole-based permissions, approval tokens, and restricted admin surfaces.

Integration securityAuthenticated API tokens, webhook verification, and fail-closed endpoints.

Need the full pack?Email security@recruiterdocs.com for DPA or deployment details.

RecruiterDocs is designed around role-based access, auditable contract actions, internal-only document preview, and fail-closed handling for the integration endpoints implemented today. This page describes the controls present in the repo today and the deployment checks that can block unsafe production settings.

Need something specific such as a DPA or sub-processor list? Email security@recruiterdocs.com.

Security highlights

HTTPS/TLS in transit – the application is intended to run behind HTTPS, and production startup validation blocks deployment when SSL redirect or secure-cookie protections are disabled.
Role-based access – admin/reporting areas are restricted to admin users, and contract artifacts are checked against a shared access policy.
Auditability – contract, approval, and status actions are recorded so teams can review who sent, approved, rejected, or changed a contract flow.
Internal-only preview and fail-closed machine endpoints – document preview stays inside the app, /contracts/api/v1/ requires bearer API tokens, DocuSign Connect rejects requests without a valid HMAC signature, and the signatures webhook receiver rejects unknown or unconfigured providers.

1. Application access control

Admin-only pages such as contract history, audit, and workspace settings are protected in the view layer.
Contract downloads, previews, packs, audit reports, and support bundles are checked against a central version-access policy.
Approval links are token-based and no longer expose authenticated download links meant for internal users.

2. Data protection in the product

Production deployment is expected to run behind HTTPS; startup validation blocks production boot when SSL redirect or secure-cookie settings are disabled.
Bullhorn iframe entry links can be HMAC-verified. In production, unsigned embed mode is blocked by startup validation.
Document preview is generated internally as PDF by default. If a native Office viewer service is explicitly configured, Office files can be rendered through that service instead of the fallback PDF path.
Our processing of personal data is governed by our Privacy Policy and, where applicable, a Data Processing Agreement (DPA).

Personal data and GDPR

Candidate and client-contact personal data can appear in contract snapshots and related contract metadata, including fields such as name, email, phone, address, date of birth, NI number, and client contact details.
Nightly retention purges can delete or scrub aged personal data using configurable command thresholds for snapshot retention and post-signature grace periods.
GDPR Article 17 right-to-erasure requests are handled per placement. Personal-data fields are scrubbed from contract metadata and snapshots while non-personal structural data needed for audit continuity is retained.
OAuth tokens, webhook signing secrets, and API credentials stored by the application are encrypted at rest using RD_ENCRYPTION_KEY.
In production, startup validation blocks local filesystem document storage unless the operator explicitly acknowledges the risk. Object storage is the intended default for contract documents that may contain PII.
A DPA is available on request at security@recruiterdocs.com.

3. Authentication and integration security

Individual user accounts use Django’s standard authentication and password hashing.
API endpoints under /contracts/api/v1/ require a Bearer API token and reject invalid, expired, or wrong-workspace tokens.
DocuSign Connect accepts POST requests only and rejects requests when the configured HMAC signature is missing or invalid.
The generic signature-provider webhook endpoint under /webhooks/signatures/<provider>/ is fail-closed: unknown providers are rejected, and no provider is accepted unless verification and handler code are explicitly registered.

4. Production hardening

Production startup validation blocks unsafe defaults such as DEBUG=True, a weak/default SECRET_KEY, empty or wildcard hosts, disabled SSL redirect, disabled secure cookies, SQLite, sandbox DocuSign URLs, or unsigned Bullhorn embed mode.
Admin tooling and configuration screens are restricted to admin-capable users.
Input validation and output encoding are used throughout the app to reduce common web-application risks.

5. Operational documents

Some operational controls depend on how RecruiterDocs is deployed. If you need deployment-specific details such as hosting location, logging, backups, restore procedures, or incident handling commitments, request the current security pack from the team.

6. Customer responsibilities

Security is a shared responsibility. To keep your data safe, we ask customers to:

Use strong, unique passwords and enable SSO or MFA where available in your wider stack.
Keep user accounts up to date and promptly remove access for leavers.
Configure internal permissions and approval flows appropriately for your agency.
Ensure that the data you upload is collected and processed lawfully.
Notify us promptly if you suspect unauthorised access to your account.

7. Questions and security contact

If you have any security questions, need a copy of our DPA, or would like more details about our controls:

Security email: security@recruiterdocs.com
General support: support@recruiterdocs.com