Enterprise-grade security, compliance, and infrastructure designed to protect your data and ensure trust at every layer of the platform.
Exterview AI is built on Microsoft Azure with a security-first architecture designed for enterprise hiring workflows. This page describes the security controls, certifications, and practices that protect customer and candidate data across the platform.
| Certification | Status | Scope |
|---|---|---|
| SOC 2 Type II | Certified | Security, Availability, Confidentiality, Privacy |
| ISO 27001 | Certified | Information Security Management System |
| ISO 42001 | Certified | AI Management System |
| DPDP 2023 (India) | Compliant | Digital Personal Data Protection |
| GDPR | Aligned | EU Data Protection |
| EU AI Act | In Progress | Risk-based AI Regulation |
| NIST AI RMF | In Progress | AI Risk Management Framework |
| HIPAA | In Progress | Healthcare Data Protection |
Provider: Microsoft Azure (Enterprise)
Architecture: Fully serverless Azure Functions v4, Cosmos DB, Azure Blob Storage
No VMs: Immutable deployments with no persistent virtual machines
Region: Configurable Azure region per customer requirement
Program: Microsoft for Startups Pegasus program participant
Zero Trust Architecture: No public endpoints for backend services
API Management: All external traffic routed through Azure API Management (APIM)
WAF: Web Application Firewall protects all public-facing endpoints
DDoS Protection: Azure DDoS Protection Standard enabled
Private Networking: Production access restricted to essential personnel with time-limited elevated access via Azure PIM
SSO: Microsoft Entra ID (Azure AD) with SAML 2.0 and OIDC
MFA: Multi-factor authentication enforced for all platform access
RBAC: Role-based access control with configurable permission levels
Least Privilege: Production access restricted to essential personnel with time-limited elevated access via Azure PIM
At Rest: AES-256 encryption for all data stored in Cosmos DB and Azure Blob Storage
In Transit: TLS 1.3 for all data transmitted between clients, APIs, and internal services
Key Management: Azure Key Vault for all secrets, API keys, and encryption keys — no hardcoded credentials
Partition Key: Every Cosmos DB container uses /tenantId as the partition key (ADR-002)
Logical Isolation: Customer data is logically separated at the database level; no cross-tenant data access is possible
Query Enforcement: All database queries include tenant context; queries without tenantId are rejected
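The tenant-scoping rule above (every container partitioned on /tenantId, queries without tenant context rejected), as an added TypeScript example that is not Exterview's code: the request shape (query text, named parameters, partition key) mirrors the Cosmos DB SDK convention, but the SDK itself is not called and the query and field names are assumptions.

```typescript
// Added example, not Exterview's code. Enforces the "every query carries tenant
// context" rule: a query that does not filter on c.tenantId, or that tries to bind
// a different tenant than the caller's, is rejected before it reaches Cosmos DB.
// The request shape mirrors the Cosmos DB SDK (query text + named parameters +
// partition key); the SDK itself is not used here (assumption).

interface QuerySpec {
  query: string;
  parameters: { name: string; value: unknown }[];
}

interface ScopedQuery {
  spec: QuerySpec;
  partitionKey: string; // value bound to the /tenantId partition key
}

class TenantScopeError extends Error {}

// Tenant IDs are opaque identifiers; constrain their alphabet so a caller-supplied
// value cannot be anything other than a plain key.
const TENANT_ID = /^[A-Za-z0-9_-]{1,64}$/;
// The query must filter on the partition key through a named parameter.
const TENANT_FILTER = /\bc\.tenantId\s*=\s*@tenantId\b/;

function scopeToTenant(tenantId: string, spec: QuerySpec): ScopedQuery {
  if (!TENANT_ID.test(tenantId)) {
    throw new TenantScopeError("invalid tenantId");
  }
  if (!TENANT_FILTER.test(spec.query)) {
    throw new TenantScopeError("query does not filter on c.tenantId");
  }
  const bound = spec.parameters.find((p) => p.name === "@tenantId");
  if (bound !== undefined && bound.value !== tenantId) {
    // A caller-supplied @tenantId must never override the authenticated tenant.
    throw new TenantScopeError("@tenantId parameter does not match caller tenant");
  }
  // Bind @tenantId from the authenticated context and pin the partition key so the
  // database itself never fans the query out across other tenants' partitions.
  const parameters = [
    ...spec.parameters.filter((p) => p.name !== "@tenantId"),
    { name: "@tenantId", value: tenantId },
  ];
  return { spec: { query: spec.query, parameters }, partitionKey: tenantId };
}
```

The pinned partition key is what actually confines the request to one tenant's partition; the textual filter check exists to surface developer mistakes before they reach the database.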
Default: US Azure regions
Configurable: Customers may request data residency in specific Azure regions (EU, India, APAC)
Sub-processor Transparency: Full sub-processor list available in our Data Processing Agreement
Active Data: Retained for the duration of the customer subscription
Post-Termination: Customer data available for export for 30 days, then permanently deleted
Backup Purge: Backup copies purged within 90 days of primary deletion
Candidate Data: Retention period configurable per customer policy
Code Review: All code changes require peer review before merge
Static Analysis: Automated security scanning in CI/CD pipeline
Dependency Scanning: Regular scans for known vulnerabilities (CVEs) in dependencies
Secret Detection: Automated checks prevent credentials from entering source code
Threat Modeling: Conducted for all new features and agent architectures
Schema-Pinned Outputs: All AI-generated outputs are validated against predefined schemas before storage (ADR-006)
Prompt Security: Prompt injection protections and input validation on all agent interactions
Model Governance: AI models deployed through Azure OpenAI Service with enterprise data boundaries
Explainability: Every AI output includes reasoning chains and evidence for auditability
Bias Monitoring: Configurable bias detection thresholds with automated alerts
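The schema-pinned output control described above, as an added TypeScript example that is not Exterview's code: an agent's JSON output is validated against a predefined schema before it may be stored, with unknown fields, wrong types, out-of-range scores and disallowed enum values all rejected. The assessment schema and its field names are hypothetical.

```typescript
// Added example, not Exterview's code: pin an agent's output to a predefined schema
// and refuse to persist anything that does not conform. Unknown fields are rejected
// too, so a response shaped by prompt injection cannot add data the storage layer
// never agreed to hold. The assessment schema below is hypothetical.
type FieldSchema =
  | { type: "string"; enum?: readonly string[]; maxLength?: number }
  | { type: "number"; min?: number; max?: number }
  | { type: "string[]"; maxItems?: number };
type Schema = Record<string, FieldSchema>;
const ASSESSMENT_SCHEMA: Schema = {
  score: { type: "number", min: 0, max: 100 },
  recommendation: { type: "string", enum: ["advance", "hold", "reject"] },
  evidence: { type: "string[]", maxItems: 20 },
  reasoning: { type: "string", maxLength: 2000 },
};
// Returns every violation found; an empty array means the output conforms.
function validateAgainstSchema(schema: Schema, output: unknown): string[] {
  if (typeof output !== "object" || output === null || Array.isArray(output)) {
    return ["output is not a JSON object"];
  }
  const obj = output as Record<string, unknown>;
  const errors: string[] = [];
  for (const key of Object.keys(obj)) {
    if (!(key in schema)) errors.push(`unexpected field: ${key}`);
  }
  for (const [key, rule] of Object.entries(schema)) {
    const v = obj[key];
    if (v === undefined) { errors.push(`missing field: ${key}`); continue; }
    if (rule.type === "number") {
      if (typeof v !== "number" || !Number.isFinite(v)) errors.push(`${key}: not a number`);
      else if ((rule.min !== undefined && v < rule.min) || (rule.max !== undefined && v > rule.max))
        errors.push(`${key}: out of range`);
    } else if (rule.type === "string") {
      if (typeof v !== "string") errors.push(`${key}: not a string`);
      else if (rule.enum !== undefined && !rule.enum.includes(v)) errors.push(`${key}: not an allowed value`);
      else if (rule.maxLength !== undefined && v.length > rule.maxLength) errors.push(`${key}: too long`);
    } else if (!Array.isArray(v) || v.some((s) => typeof s !== "string")
               || (rule.maxItems !== undefined && v.length > rule.maxItems)) {
      errors.push(`${key}: not a string array within limits`);
    }
  }
  return errors;
}
// Gate applied before the storage write; null means the model output is dropped.
function acceptModelOutput(raw: string): Record<string, unknown> | null {
  let parsed: unknown;
  try { parsed = JSON.parse(raw); } catch (_e) { return null; }
  return validateAgainstSchema(ASSESSMENT_SCHEMA, parsed).length === 0
    ? (parsed as Record<string, unknown>) : null;
}
```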
Liveness Detection: Real-time verification during video interviews
Deepfake Analysis: AI-powered detection of synthetic media
Proctoring: Live monitoring during panel and assessment sessions
Immutable Audit Logs: All interview sessions produce tamper-proof records
SIEM: Azure Sentinel for security event monitoring and correlation
Logging: Centralized logging with Azure Application Insights
Alerting: Real-time alerts for anomalous access patterns and security events
Incident Response: Documented IR procedures with defined escalation paths and SLAs
Post-Incident: Root cause analysis and remediation tracking for all security incidents
Availability Target: 99.9% uptime SLA for Enterprise customers
Geo-Redundancy: Data replicated across Azure availability zones
Disaster Recovery: Automated failover with RPO < 1 hour and RTO < 4 hours
Backup: Daily automated backups with point-in-time recovery capability
EDR: Microsoft Defender for Endpoint on all employee devices
MDM: Mobile Device Management enforcing encryption, screen lock, and remote wipe
Background Checks: Required for all employees with access to production data
All sub-processors are required to maintain security certifications equivalent to or exceeding Exterview's standards.
| Sub-Processor | Service | Security Standard |
|---|---|---|
| Microsoft Azure | Cloud Infrastructure | SOC 2, ISO 27001, FedRAMP |
| Azure OpenAI Service | AI Model Inference | SOC 2, ISO 27001 |
| Merge.dev | ATS/HRMS Integration | SOC 2 Type II |
| Langfuse | Prompt Observability | GDPR Compliant |
| PostHog | Product Analytics | SOC 2 Type II |
External penetration testing conducted annually by independent third-party auditors
Critical and high findings remediated within 30 days
Summary reports available to enterprise customers under NDA
The following documents are available on request:
Security Whitepaper
Penetration Test Summary
AI Model Card
Data Processing Agreement (DPA)
VSA Full / VSA Core Assessment
SIG Lite Assessment
SOC 2 Type II Report
Request access at exterview.ai/contact or email security@exterview.ai.
If you discover a security vulnerability in the Exterview platform, please report it responsibly:
Email: security@exterview.ai
Response SLA: Acknowledgment within 24 hours, triage within 72 hours
We do not pursue legal action against researchers who report vulnerabilities in good faith.
For security-related questions:
Email: security@exterview.ai
Trust Center: exterview.ai/trust
Address: Exterview Inc., 16192 Coastal Highway, Lewes, Delaware 19958, USA