Trust · Security
Built for the legal review your security team is about to start.
London-hosted. Single jurisdiction. Audited. The full security posture, on one page, with the file your team needs at the bottom.
Send me the legal pack → Email security@picked.ai
Infrastructure
One region. London. Everything.
Component          | Vendor            | Region
Web hosting        | Vercel            | London (lhr1)
Database           | Supabase Postgres | London (eu-west-2)
File storage       | Cloudflare R2     | EU
Real-time voice    | LiveKit Cloud     | EU
Background workers | Inngest           | EU
Email              | Resend            | EU
Single-jurisdiction posture by design. The UK currently holds an EU adequacy decision (renewed 2025), so UK-hosted data can lawfully serve EU customers under GDPR. If adequacy is ever revoked, migration to Frankfurt is a half-day config change across the stack.
AES-256 at rest, across Supabase Postgres, Cloudflare R2, and Vercel's edge cache.
TLS 1.3 in transit. HSTS preload, no TLS 1.0/1.1 fallback.
Per-tenant scoping. Supabase row-level security enforces organisation boundaries on every query. An attacker with a leaked JWT from org A cannot read org B's data.
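What a row-level-security policy of this kind looks like in practice, as an added example and not Picked.ai's own schema or policy text. It assumes a candidates table with an org_id column, and an org_id claim placed under app_metadata in the Supabase JWT by the identity layer; auth.jwt() is Supabase's function that returns the caller's verified claims as jsonb.

```sql
-- Added example (assumed names: public.candidates, org_id column,
-- app_metadata.org_id claim). Not the vendor's real schema.
create table if not exists public.candidates (
  id         uuid primary key default gen_random_uuid(),
  org_id     uuid not null,
  full_name  text not null,
  created_at timestamptz not null default now()
);

grant select, insert, update on public.candidates to authenticated;

-- ENABLE turns RLS on for ordinary roles; FORCE removes the table-owner
-- exemption as well, so an app role that happens to own the table is still scoped.
alter table public.candidates enable row level security;
alter table public.candidates force row level security;

-- Read the organisation claim from the JWT. Returns NULL for anonymous callers,
-- which makes every policy below evaluate to NULL, i.e. deny.
create or replace function public.current_org_id()
returns uuid
language sql
stable
as $$
  select nullif(auth.jwt() -> 'app_metadata' ->> 'org_id', '')::uuid
$$;

-- USING filters what the caller can see or touch; WITH CHECK additionally
-- rejects an INSERT/UPDATE that would place a row in another organisation.
create policy candidates_own_org_only
  on public.candidates
  for all
  to authenticated
  using (org_id = public.current_org_id())
  with check (org_id = public.current_org_id());

-- Local check: impersonate the authenticated role with a claim for org A and
-- confirm org B's rows are invisible. request.jwt.claims is the per-request
-- setting that Supabase populates and auth.jwt() reads.
begin;
  set local role authenticated;
  set local request.jwt.claims =
    '{"sub":"user-a","role":"authenticated","app_metadata":{"org_id":"00000000-0000-0000-0000-00000000000a"}}';
  select count(*) from public.candidates
   where org_id = '00000000-0000-0000-0000-00000000000b';  -- expected: 0
rollback;
```

Two things the "leaked JWT from org A" guarantee depends on: the org_id claim must be set server-side (app_metadata, which end users cannot edit, rather than user_metadata), and Supabase's service_role key bypasses RLS entirely, so it must only ever be used from trusted server code, never shipped to a browser.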
Access
Who gets in. With what. For how long.
01. Hiring managers sign in via WorkOS AuthKit. Magic link, Google SSO, or SAML for enterprise. Passwords disabled at launch.
02. Candidates sign in via magic links with signed short-lived tokens. No passwords.
03. Picked staff access production only via SSO and short-lived elevated sessions. Every admin action is logged with the operator's identity.
04. SCIM for enterprise (user provisioning, de-provisioning via the customer's IdP).
05. Role-based access control at the organisation level: owner, admin, hiring manager, viewer.
06. Audit log of every authentication event, every administrative action, exportable on request.
Audit trail
Every decision, written down. Exportable.

Every score, every decision, and every model call is recorded with the candidate ID (hashed), the role ID, the model version, the prompt hash, the inputs, the outputs, and the timestamp. If a candidate, regulator, or your own counsel asks "why was this candidate not progressed?", we can answer in writing within minutes.

  • Per-candidate audit JSON, available in the dashboard.
  • Per-role bias report, available in the dashboard.
  • Per-quarter aggregate report, emailed to admins.
  • Independent annual audit, published on a public URL.
  • Current model card, versioned. See /trust/model-cards.
audit · candidate · 7F2A91 (live)
{
  "candidate": "7F2A91",
  "role": "sr-backend-eng",
  "model": "picked-rank-3.1.0",
  "stages": [
    { "triage": 91, "why": "match 7/8 must-haves" },
    { "screen": 88, "why": "ownership signals strong" },
    { "assess": 94, "why": "system-design rubric" },
    { "iview": 92, "why": "see transcript §3.4" }
  ],
  "decision": "human:hm@acme.com",
  "adverse_impact_check": "role-level · 0.91",
  "retention_until": "2026-06-10"
}
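How a record like the one above can be stored so that it cannot be quietly rewritten later, as an added example rather than Picked.ai's own schema. It assumes Postgres with the pgcrypto extension (in Supabase it lives in the extensions schema), a table named decision_log and a function named log_decision, all names chosen here for illustration; the HMAC key in the sample call is a constructed placeholder.

```sql
-- Added example, not the vendor's schema. Assumed names: decision_log,
-- decision_log_immutable, log_decision. pgcrypto provides hmac(); sha256() is built in.
create extension if not exists pgcrypto;

create table if not exists public.decision_log (
  id             bigint generated always as identity primary key,
  candidate_hash text        not null,  -- keyed hash of the candidate ID, never the raw ID
  role_id        text        not null,
  model_version  text        not null,
  prompt_hash    text        not null,  -- sha256 of the exact prompt text sent to the model
  inputs         jsonb       not null,
  outputs        jsonb       not null,
  recorded_at    timestamptz not null default now()
);

-- Append-only: no role gets UPDATE/DELETE/TRUNCATE via the public grant, and a
-- trigger refuses rewrites even for roles that hold those privileges directly.
revoke update, delete, truncate on public.decision_log from public;

create or replace function public.decision_log_immutable()
returns trigger language plpgsql as $$
begin
  raise exception 'decision_log is append-only (% on row %)', tg_op, old.id;
end $$;

create trigger decision_log_no_rewrite
  before update or delete on public.decision_log
  for each row execute function public.decision_log_immutable();

-- Write one entry. The candidate ID is HMAC'd so an exported log links a
-- candidate's entries without exposing the ID; the key belongs in the secret
-- store and is passed in here only to keep the example self-contained.
create or replace function public.log_decision(
  p_candidate_id  text,
  p_role_id       text,
  p_model_version text,
  p_prompt        text,
  p_inputs        jsonb,
  p_outputs       jsonb,
  p_hmac_key      text
) returns bigint language sql as $$
  insert into public.decision_log
    (candidate_hash, role_id, model_version, prompt_hash, inputs, outputs)
  values (
    encode(hmac(p_candidate_id, p_hmac_key, 'sha256'), 'hex'),
    p_role_id,
    p_model_version,
    encode(sha256(convert_to(p_prompt, 'UTF8')), 'hex'),
    p_inputs,
    p_outputs)
  returning id
$$;

-- Constructed sample call mirroring the triage stage of the record above.
select public.log_decision(
  'cand-7F2A91', 'sr-backend-eng', 'picked-rank-3.1.0',
  'Score the candidate against the must-haves list.',
  '{"must_haves_matched": 7, "must_haves_total": 8}',
  '{"stage": "triage", "score": 91}',
  'placeholder-hmac-key-from-secret-store');

-- Any later attempt to change history raises instead of succeeding:
-- update public.decision_log set outputs = '{}' where id = 1;
```

The prompt hash is what lets a reviewer confirm, months later, that a given model version was asked exactly the question the log claims; storing the hash alongside the inputs and outputs is what makes the "why was this candidate not progressed?" answer reproducible rather than reconstructed.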
Vulnerability disclosure
If you found a bug, here is how to tell us.

We run a responsible disclosure policy. Email security@picked.ai with the details and we will reply within one business day. Critical issues get same-day triage. The disclosure policy and .well-known/security.txt on our domain confirm scope, safe-harbour terms, and the bug-bounty range (USD 100 to USD 5,000 depending on severity).

security@picked.ai
PGP fingerprint: 5C8A 1F9D 04E2 7B3F 8C71 AB6E 92E4 D110 8F2A 47B8
Safe harbour: research conducted in good faith under our policy is welcomed and protected.
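An added example of the .well-known/security.txt file the policy refers to, laid out in the RFC 9116 format; this is not a copy of Picked.ai's actual file. The contact address and domain are taken from this page; the Policy and Encryption URLs are placeholders.

```text
# Added example of /.well-known/security.txt (RFC 9116). Placeholder URLs below
# stand in for wherever the real policy page and PGP key are published.
Contact: mailto:security@picked.ai
Expires: 2027-05-22T00:00:00.000Z
Encryption: https://picked.ai/.well-known/pgp-key.txt
Policy: https://picked.ai/trust/disclosure-policy
Preferred-Languages: en
Canonical: https://picked.ai/.well-known/security.txt
```

Contact and Expires are the two mandatory fields; Expires should sit less than a year out so a stale file is not mistaken for a current one. RFC 9116 recommends serving the file over HTTPS and signing it with the listed PGP key as a cleartext signature, so a researcher can check that the contact details have not been tampered with before sending a report.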
SOC 2 Type II
In progress. Letter Q4 2026.

We are working toward SOC 2 Type II attestation, with Drata as the continuous-monitoring platform and Prescient Assurance as the independent auditor. The Type II observation window runs Q3 to Q4 2026; the letter of attestation lands at the end of Q4 2026. Trust criteria covered: Security, Availability, Confidentiality, Processing Integrity.

  • Drata-monitored controls, live dashboard available to enterprise customers under NDA.
  • Prescient Assurance independent audit.
  • Pre-audit letter available now on request (legal@picked.ai).
  • Type I observation window completed Q2 2026.
ISO 27001. Certification is on the roadmap for 2027, sequenced after SOC 2 Type II. We will publish the start date when we begin the engagement.
Other practices
Six standard practices, named.
Penetration testing. Annual third-party pen test, plus quarterly red-team probes in-house. Reports available under NDA.
Backups. Daily encrypted backups, 30-day rolling. Point-in-time recovery to any minute in the last 7 days.
Secrets management. Vercel and Supabase secret stores; no secrets in code or env files committed to git.
Dependency monitoring. Renovate and Dependabot on the repo. Snyk on every PR.
Code review. Two-reviewer rule on every production change. Branch protection enforced.
Incident response. Documented runbook, on-call rotation, status page at status.picked.ai. See /trust/incidents for the public history.
Last reviewed · 22 May 2026 · v1.0
Still on the legal review?
We'll send you the file.
Pre-filled vendor security questionnaire (SIG Lite), DPA, sub-processor list, SOC 2 letter, model card, latest bias audit. One zip. Reply within one business day.
Request the legal pack → Email legal@picked.ai
Operated by Neuroworx Ltd · ICO #09910326623