Our security principles
CloudFlow processes high volumes of job applications on behalf of recruitment teams, so security and privacy are designed into how the platform works — not added afterwards. Three principles guide us:
- Minimise what we hold. We collect and keep only the data needed to do the job, for as long as it is needed.
- Make every decision auditable. Explainable AI output means every score can be traced to evidence — for your team, your clients and regulators.
- Use proven infrastructure. We build on established cloud providers and their independently certified security programmes.
Platform security
Hosting and infrastructure
CloudFlow runs on Amazon Web Services (AWS), whose data centres hold independent certifications including ISO 27001 and SOC 2. Infrastructure access is restricted, logged and reviewed.
Encryption
Data is encrypted in transit using TLS (HTTPS) across our website and APIs, and encrypted at rest using industry-standard mechanisms provided by our cloud infrastructure.
Access control
Access to customer data is limited to personnel who need it to operate and support the service, protected by role-based access controls and strong authentication.
Audit trails
Application processing produces full audit trails: what was analysed, when, against which requirements, and with what outcome. This supports GDPR accountability and client transparency obligations.
Data protection & GDPR
CloudFlow is designed to support GDPR-compliant recruitment: secure storage within your systems of record where applicable, configurable data-retention policies, and explainable output for every candidate decision. Details of how we handle personal data on this website are in our Privacy Policy.
This website
- The live demo minimises data movement. Job-spec analysis is processed transiently by CloudFlow's AI service over HTTPS and not stored; résumé analysis runs entirely in your browser and résumé text is never transmitted to our servers.
- Contact form submissions travel over HTTPS to a dedicated, access-controlled AWS function — we do not publish email addresses that could be harvested by spammers.
- Forms are protected against automated abuse (bot detection and spam filtering).
- Analytics run only with your consent, applied through Google Consent Mode via the cookie banner.
Reporting a security concern
If you believe you have found a vulnerability in our website or service, please tell us promptly and responsibly through the contact form — include enough detail for us to reproduce the issue. We ask that you do not access or modify data that is not yours, do not degrade the service, and give us reasonable time to remediate before any public disclosure. We appreciate good-faith reports and will respond as quickly as we can.
Security questions?
Enterprise customers can request further detail on our security practices, subprocessors and data-processing terms as part of procurement — get in touch via the contact form.