How we protect your data, authenticate users, and respond when something goes wrong. An honest description of where we are today and where we're heading.
Last updated: June 1, 2026
All traffic between your browser and our services is encrypted in transit using TLS 1.2 or higher. HTTP requests are redirected to HTTPS. Modern cipher suites only; weak protocols and ciphers are disabled at the load balancer.
We use magic-link authentication for admin access, rather than passwords. The flow is:
Because we store only the SHA-256 hash, the raw token is never readable from our database, even by us.
Customer-facing application authentication (Governance 1st, MyCareer Navigator) uses email verification codes and Google Sign-In via Google Identity Services. Customer passwords, where used, are hashed with industry-standard algorithms and never logged.
Admin sessions are stored server-side, scoped to the admin path, and timeout after 4 hours of inactivity. Session identifiers are regenerated on sign-in to mitigate session-fixation attacks. Cookies are flagged HttpOnly, Secure, and SameSite=Lax.
Internal access to customer data is limited to the minimum personnel required, granted on a need-to-know basis, and logged.
Customer data is stored in managed databases hosted by reputable U.S.-based cloud providers. Data is encrypted at rest using the provider's standard encryption (typically AES-256). Backups are encrypted and retained according to the provider's standard policy.
Governance 1st is built multi-tenant from the ground up. Each customer workspace is logically isolated; queries are scoped to the requesting workspace at every layer of the stack.
The Governance 1st Browser Extension is built on Chromium Manifest v3 and follows a local-first model:
api.hrrebooted.com for activity records to flow into your organization's Governance 1st workspace. Prompts and responses are not transmitted unless your organization explicitly enables that.The extension does not request kernel privileges, does not install a driver, and runs in the same browser sandbox as any other Chromium extension.
Every admin action on the website (sign-in, create, update, delete, upload) is recorded in an immutable audit log with the actor's email, IP address, action, target, and timestamp. Logs are retained for 24 months.
Inside Governance 1st, every model call, configuration change, and user action is logged into the platform's audit trail, available to your administrators on demand.
Sensitive endpoints (magic-link requests, login attempts, API calls) are rate-limited by both IP address and email. Excessive activity triggers progressive blocks. The 10-behavior monitoring inside Governance 1st and the Browser Extension also functions as a real-time defense against prompt-injection and other LLM-layer attacks.
We use a small set of vendors to operate the service. Current subprocessors include:
A current, named subprocessor list is available to enterprise customers on request.
If you believe you've found a security vulnerability in our services, please report it to security@hrrebooted.com. Please include enough information for us to reproduce the issue. We commit to:
We ask researchers to test only their own accounts, avoid accessing other users' data, and refrain from social engineering, denial-of-service testing, and physical attacks.
We maintain a documented incident-response process. If we confirm a security incident that affects your personal data, we will notify affected customers without undue delay and, where applicable, within 72 hours of becoming aware of the incident, in line with GDPR requirements.
HR Rebooted is currently preparing for SOC 2 Type II certification. We expect to begin the formal audit window in 2026. Until that is complete, we are happy to walk enterprise customers through our current controls in detail during the procurement process.
We will publish a customer-facing trust center, including downloadable evidence under NDA, when our SOC 2 report is available.
HR Rebooted LLP — Security
security@hrrebooted.com