SOC 2 Type II Aligned
Conovio undergoes annual SOC 2 Type II Aligned audits across the AICPA Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. Reports available under NDA.
Conovio is trusted with sensitive candidate intelligence by executive search firms, in-house talent teams, and private equity operators. Our SOC 2 Type II Aligned program is the foundation of that trust.
Conovio undergoes annual SOC 2 Type II Aligned audits across the AICPA Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. Reports available under NDA.
All candidate data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Sensitive credentials and API keys are stored in an isolated, encrypted secrets vault.
Every firm operates inside an isolated workspace with row-level security enforced at the database layer. Your candidate data is never blended with another customer's.
SAML 2.0 and OIDC SSO, granular owner / partner / associate roles, and least-privilege access. Session policies and MFA enforced for admin tier.
Every dossier generated, exported, shared, or viewed is recorded in an immutable audit trail — exportable for your security and compliance teams.
GDPR and CCPA aligned. Data minimization, configurable retention, DSR tooling, and a documented sub-processor list. Candidate data is never used to train third-party AI models.
Conovio's platform is built on a tightly scoped set of enterprise sub-processors. Each is bound by a Data Processing Agreement and assessed for security posture.
| Sub-processor | Role / Purpose | Data handled | Compliance |
|---|---|---|---|
| Supabase | Production database, auth, storage, and row-level security. AWS (us-east-1). | Confidential candidate dossier data (system of record). Encrypted in transit and at rest. | SOC 2 Type II Aligned |
| Cloudflare | Edge hosting, CDN, DDoS protection, and TLS termination for conovio.com. | Static assets and HTTPS termination. No candidate data at rest. | SOC 2 Type II Aligned |
| OpenAI | LLM provider for Conovio Context™ synthesis and per-candidate scoring. | Transient candidate notes and JD context during generation; not retained for training. | SOC 2 Type II Aligned |
| Stripe | Subscription billing and payment processing for Conovio plans. | Billing contact and payment instrument data only. No candidate data. | SOC 2 Type II AlignedPCI DSS |
| Lovable Cloud | Application platform — server functions, secrets vault, deploy pipeline. | Operates the runtime; no independent retention of candidate data. | SOC 2 Type II Aligned |
| GitHub | Source control, CI/CD, and branch protection for the Conovio codebase. | Source code only. No customer or candidate data. | SOC 2 Type II Aligned |
Primary customer data. A separate, isolated dev environment holds only test/anonymised data.
Hyperscale cloud (AWS) with independent SOC 2 / ISO 27001. Conovio operates no data center.
Customers notified of material sub-processor changes per the governing agreement, with advance notice.
SOC 2 Type II Aligned is the most critical third-party security certification for selling software into mid-market and enterprise organizations. Unlike a Type I attestation — which captures controls at a single point in time — a Type II report verifies that Conovio's security, availability, and confidentiality controls operate effectively over an extended audit window (typically 6–12 months).
Our independent auditor evaluates controls against the AICPA Trust Services Criteria, including access management, change management, system monitoring, incident response, vendor management, and data confidentiality. The resulting report is what enterprise security, procurement, and legal teams ask for during vendor review.
Customers and active prospects can request the latest SOC 2 Type II Aligned report, our penetration test summary, and our sub-processor list by emailing security@conovio.com. Reports are shared under a mutual NDA.
See also our Privacy Policy and Terms of Service.