Built with bank-level security architecture, PIPEDA/FCRA compliance, and $1M insurance coverage. Because your screening data deserves the same protection as financial data.
These protections are live and defending your data right now.
All sensitive data encrypted at rest. Voice recordings encrypted before storage with individual encryption keys. (Active)
Every connection encrypted with TLS 1.3. No data moves between systems without encryption. (Active)
Secure JWT-based sessions with automatic token refresh, expiration, and revocation on logout. (Active)
Enterprise PostgreSQL with continuous backups and point-in-time recovery. Your data is never at risk. (Active)
RBAC with least-privilege principles. Admin, user, and API key permissions are strictly separated. (Active)
Real-time health monitoring with automated alerting. 99.9% uptime SLA with public status page. (Active)
Data deletion processed within 48 hours of request. Configurable retention policies per customer. (Active)
Professional cloud infrastructure with enterprise-grade networking, firewalls, and DDoS protection. (Active)
Multi-factor authentication available for all accounts. Additional protection for admin-level access. (Active)
Built-in protections for every participant in the screening process.
Our AI identifies itself immediately and explains the purpose of the call to every reference. No deception, ever.
Consent obtained before any recording begins. References can opt out of calls at any time.
Automated compliance for all two-party consent jurisdictions across Canada and the US.
Any participant can request their data or its deletion. Processed within 48 hours.
Voice recordings: 3 years. Hiring decisions: 4 years. Fully configurable to your policy requirements.
Data minimization principles applied throughout. We collect only what's needed for screening.
AI assists human decision-making. It never replaces it.
All employment decisions are made by qualified humans. AI provides structured data and insights only.
Our AI does not score, rate, or rank candidates as individuals. No "fit scores." No numerical rankings.
Candidates are never automatically disqualified. Every screening result requires human review before any action.
Virvell never recommends hire/no-hire decisions. Workflow labels indicate process steps, not outcomes.
Active monitoring for demographic bias patterns. Continuous refinement of conversational AI systems.
Every vendor in our stack meets enterprise security standards.
All critical infrastructure and voice AI vendors maintain SOC 2 Type II certification with annual re-assessment.
Payment processing via Stripe meets the highest PCI-DSS security standards. No card data touches our servers.
All vendors undergo regular third-party security assessments. We review vendor security posture annually.
Comprehensive security evaluation before any vendor is selected. No vendor touches data without passing review.
Note: Specific vendor details are available under NDA during security reviews. We don't disclose infrastructure providers publicly to maintain security best practices.
Comprehensive coverage that exceeds typical startup standards.
$1M professional errors and omissions coverage through Tokio Marine. Protects against technology failures and professional liability. (Active)
$1M cyber liability coverage including data breach response, forensic investigation, and notification costs. (Active)
Immediate access to security and legal experts through our insurance provider's incident response network. (Active)
Written incident response plan, data breach notification procedures, and business continuity documentation. (Active)
Ready for your procurement and security review process.
3–5 business day turnaround for standard security questionnaires (SIG, CAIQ, custom).
DPAs available upon request, covering PIPEDA and provincial privacy requirements.
COIs available for contracts, RFPs, and vendor onboarding processes.
Coordinated penetration testing available for enterprise customers upon request.
Third-party audit cooperation and comprehensive security documentation packages.
Designed for Canadian and US privacy regulations from the ground up.
Compliant with Canadian federal privacy law and provincial equivalents (PIPA Alberta, Quebec Law 25). (Active)
Designed for CCPA, CPRA, and emerging state privacy regulations. Two-party consent automation built in. (Active)
Background checks run through Certn, which handles all FCRA compliance, adverse action workflows, and dispute processes. (Active)
Transparent consent, data minimization, purpose limitation, and configurable retention built into every workflow. (Active)
We're transparent about our security roadmap. Enterprise customers drive certification priorities.
Real-time bias analysis dashboard for demographic fairness monitoring
Enhanced DDoS protection and abuse prevention layer
Dedicated Canadian infrastructure (AWS ca-central-1) for data residency
Automatic data deletion based on configured retention policies
Comprehensive audit logging for compliance reporting
Enterprise SSO (SAML/OIDC) for larger organizations
Pursuing formal certifications as we scale with enterprise customers.
Third-party validation of security controls and processes. Timeline driven by enterprise customer requirements. (Planned)
International standard for information security management systems. (Planned)
Professional external security assessments with published remediation timelines. (Planned)
We'll walk you through our security architecture, share documentation, and answer your team's questions. Most security reviews complete in under a week.