Your data is safe with us

We handle job ad data — never candidate data. Here's exactly how we protect what you share with us.

  • 🔐 SOC 2 Type II: Audited annually
  • 🇪🇺 GDPR Compliant: EU data processing standards
  • 🔒 TLS 1.3: Encryption in transit
  • 🛡️ AES-256: Encryption at rest

What data we collect

Role Canary scans publicly available job posting URLs you provide. We extract and analyse the text of those job ads against our compliance rule engine. We do not collect, store, or process candidate data of any kind.

Account data we hold: your work email, company name, billing address (processed by Stripe — we never see your card number), and the URLs of job ads you submit.

Infrastructure security

  • All infrastructure hosted on AWS in US-East and EU-West regions with data residency controls
  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Production environment isolated from development with strict access controls
  • Automated vulnerability scanning on all dependencies, run on every deployment
  • Database backups every 6 hours with 30-day retention and point-in-time recovery
  • DDoS protection via Cloudflare on all public endpoints
  • 99.9% uptime SLA with real-time monitoring

Access controls

  • Multi-factor authentication enforced for all internal staff accounts
  • Role-based access control — engineers only access production data when required
  • All access to production systems is logged and audited
  • Customer data is logically isolated — no cross-tenant access is possible
  • Departing employee access revoked within 1 hour of offboarding

Data retention & deletion

Scan results are retained for 12 months by default to support audit history. You can export or delete your data at any time from account settings. On plan cancellation, your data is fully deleted within 30 days.

We do not sell, rent, or share your data with third parties for marketing purposes. Ever.

Penetration testing

We commission independent penetration tests annually from a CREST-accredited firm. Summary reports are available to Enterprise customers on request.

Report a vulnerability

Responsible disclosure

Discovered a security vulnerability? Email [email protected]. We acknowledge within 24 hours and provide a resolution timeline within 72 hours.

Questions about our security posture?

Enterprise customers can request our full security documentation, including our SOC 2 report.
