Our approach to security
The confidentiality, integrity, and availability of the information we process, store, and host is fundamental to how HackerEarth operates. Customers trust us with data that matters to their business, and safeguarding it sits at the core of our platform and our practices. We think you should be able to see exactly how we do that. This page brings together our certifications, the security controls we operate, how we handle data, and the audit reports that verify our claims — so you can assess our security against your own requirements and choose us with confidence. Security is never finished. We monitor, test, and audit continuously, and we keep this page current as our posture evolves.
Certifications and attestations.
We hold a comprehensive set of certifications. Every control is independently audited and continuously monitored — not just checked once a year.
SECURITY FRAMEWORKS
ISO 27001 is the internationally recognized equivalent that many enterprises accept in place of SOC 2. Our SOC 2 Type II attestation is underway, and the draft letter is available under NDA on request.
PRIVACY AND DATA REGULATIONS
Why this matters to you: four ISO certificates including the two privacy-specific standards (27701, 27018) mean HackerEarth is certified on how it handles personal data, not just on general security. Combined with GDPR, CPRA, and DPDPA, your candidates' data is covered whether they're in the EU, the US, or India.
Your data, handled the way you'd want it handled.
HackerEarth treats your data as carefully as you'd expect — and gives you the controls to meet your own obligations to your stakeholders.
Your data. Under your terms.
We don't sell your data, and we don't share it with third parties for their own purposes. We use it to run and improve your assessments under your DPA. Where we work with data to improve our products more broadly, it's aggregated and de-identified first. Your DPO can review exactly what's in scope.
Right to erasure
Candidates can request deletion of their personal data at any time. Erasure requests are processed within 30 days, with a full audit trail.
Breach notification
In the event of a data breach, you're notified within 72 hours (GDPR Article 33), and affected individuals are notified without undue delay.
Retention you control
Candidate data is retained for a maximum of three years after last activity, or as your law requires — and you can configure shorter windows to match your own policy.
AI you can put in front of your legal team.
HackerEarth is the evaluation layer for humans and AI — so AI governance isn't an afterthought here, it's the core of what we do. Here's how our AI behaves, in the terms your risk and legal teams care about.
Why this matters to you: automated facial and emotion analysis in hiring is increasingly restricted (NYC Local Law 144, the Illinois AI Video Interview Act, the EU AI Act). HackerEarth doesn't do it — by design — so adopting our AI doesn't add to your regulatory exposure. Every decision your team makes on our evaluation is one you can defend.
Technical and operational safeguards.
The controls protecting your data, all continuously active.
AES-256 for all data at rest; TLS 1.2+ enforced for all communications; keys managed via AWS KMS.
Least-privilege enforced, access reviews quarterly, SSO and MFA required for all staff.
Real-time event correlation, anomaly detection, automated alerting with a 15-minute SLA for critical threats.
Mandatory peer review, SAST/DAST scanning in CI/CD, dependency vulnerability tracking via Snyk.
CrowdStrike EDR on all devices; Mobile Device Management enforces disk encryption and remote wipe.
Daily encrypted backups, 30-day retention, multi-region failover with RPO < 1 hour and RTO < 4 hours.
Policies, certificates, and reports.
Available for your review. Public documents download directly; confidential reports are released under NDA via the request panel.
Third-party subprocessors.
The vendors with whom we may share customer data to deliver the service, and where that data is processed. Updated as our subprocessor list changes.
ISO 27001:2022
ISO 27017
ISO 27701
ISO 27018
SOC 2 Type II
ISO 42001:2023
DPF
GDPR
CPRA
DPDPA 2023