Security at Spoon Hire

Last updated: June 8, 2026

An overview of how we protect your data. Security is a moving target; this describes our current practices, not a guarantee.

Encryption

Data is encrypted in transit (TLS) across the application and APIs, and encrypted at rest by our infrastructure providers (database and hosting).

Access & authentication

Sign-in is via Google OAuth, plus passwordless one-time codes/magic links for recruiters. We don't store passwords. Access to production systems is limited and granted on a least-privilege basis.

Privacy by design

Candidate contact details (name, email, phone, photo) are stripped before any recruiter or AI sees a profile, in a single enforced boundary in our code. The public API is read-only and anonymized.

Payments

Payments are processed by Stripe. We never see or store full card numbers.

Infrastructure

We run on reputable managed providers (hosting, database, email, AI) — see our Sub-processors page — each with their own security and compliance programs.

Reporting a vulnerability

Found a security issue? Please email security@spoonhire.com with details and steps to reproduce. We appreciate responsible disclosure and will respond promptly.

See also: Sub-processors · Privacy Policy · DPA. This page is a general template, not legal advice; we recommend review by qualified counsel before relying on it.