SOC 2 Type II Aligned

Privacy and confidentiality
built into every layer.

Conovio is trusted with sensitive candidate intelligence by executive search firms, in-house talent teams, and private equity operators. Our SOC 2 Type II Aligned program is the foundation of that trust.

SOC 2 Type II AlignedGDPR-alignedCCPAEnterprise SSO

SOC 2 Type II Aligned

Conovio undergoes annual SOC 2 Type II Aligned audits across the AICPA Trust Services Criteria — Security, Availability, Processing Integrity, Confidentiality, and Privacy. Reports available under NDA.

Encryption everywhere

All candidate data is encrypted in transit (TLS 1.2+) and at rest (AES-256). Sensitive credentials and API keys are stored in an isolated, encrypted secrets vault.

Per-tenant isolation

Every firm operates inside an isolated workspace with row-level security enforced at the database layer. Your candidate data is never blended with another customer's.

SSO & role-based access

SAML 2.0 and OIDC SSO, granular owner / partner / associate roles, and least-privilege access. Session policies and MFA enforced for admin tier.

Audit-ready logs

Every dossier generated, exported, shared, or viewed is recorded in an immutable audit trail — exportable for your security and compliance teams.

Privacy by design

GDPR and CCPA aligned. Data minimization, configurable retention, DSR tooling, and a documented sub-processor list. Candidate data is never used to train third-party AI models.

Sub-processor register

The vendors behind Conovio.

Conovio's platform is built on a tightly scoped set of enterprise sub-processors. Each is bound by a Data Processing Agreement and assessed for security posture.

Sub-processorRole / PurposeData handledCompliance
SupabaseProduction database, auth, storage, and row-level security. AWS (us-east-1).Confidential candidate dossier data (system of record). Encrypted in transit and at rest.
SOC 2 Type II Aligned
CloudflareEdge hosting, CDN, DDoS protection, and TLS termination for conovio.com.Static assets and HTTPS termination. No candidate data at rest.
SOC 2 Type II Aligned
OpenAILLM provider for Conovio Context™ synthesis and per-candidate scoring.Transient candidate notes and JD context during generation; not retained for training.
SOC 2 Type II Aligned
StripeSubscription billing and payment processing for Conovio plans.Billing contact and payment instrument data only. No candidate data.
SOC 2 Type II AlignedPCI DSS
Lovable CloudApplication platform — server functions, secrets vault, deploy pipeline.Operates the runtime; no independent retention of candidate data.
SOC 2 Type II Aligned
GitHubSource control, CI/CD, and branch protection for the Conovio codebase.Source code only. No customer or candidate data.
SOC 2 Type II Aligned
Data residency
AWS us-east-1

Primary customer data. A separate, isolated dev environment holds only test/anonymised data.

Physical security
Delegated

Hyperscale cloud (AWS) with independent SOC 2 / ISO 27001. Conovio operates no data center.

Change policy
Notified

Customers notified of material sub-processor changes per the governing agreement, with advance notice.

Certification detail

SOC 2 Type II Aligned — the standard enterprises require.

SOC 2 Type II Aligned is the most critical third-party security certification for selling software into mid-market and enterprise organizations. Unlike a Type I attestation — which captures controls at a single point in time — a Type II report verifies that Conovio's security, availability, and confidentiality controls operate effectively over an extended audit window (typically 6–12 months).

Our independent auditor evaluates controls against the AICPA Trust Services Criteria, including access management, change management, system monitoring, incident response, vendor management, and data confidentiality. The resulting report is what enterprise security, procurement, and legal teams ask for during vendor review.

What's in scope

  • The Conovio platform, APIs, and Conovio Context™ generation pipeline
  • Production infrastructure, databases, and secrets management
  • Engineering access, change management, and SDLC controls
  • Sub-processor management and data handling procedures

How to request the report

Customers and active prospects can request the latest SOC 2 Type II Aligned report, our penetration test summary, and our sub-processor list by emailing security@conovio.com. Reports are shared under a mutual NDA.

Security questions?
Our security team responds within one business day.
Contact security

See also our Privacy Policy and Terms of Service.