Figo

Security at Figo

Last updated: May 26, 2026

Security at Figo is a product property, not a checklist. The most important security decisions we make are in the product's architecture: where the data lives, who can read it, how the AI treats it, and what happens when something goes wrong. This page is the short version of those decisions.

1. Where your data lives

  • Primary database, auth, storage: a managed Postgres database in the European Union. All candidate records, resumes, and audit log entries are stored here.
  • AI inference (language model, speech-to-text, text-to-speech): EU-resident providers.
  • Real-time voice transport: EU-resident provider. No audio recording is enabled on any session.
  • Transactional email and a small number of operational services run outside the EU under Standard Contractual Clauses. The full vendor list is available with our DPA — see sub-processors.

2. Encryption

  • In transit: TLS 1.2+ on every connection — candidate browser to the voice service, recruiter browser to Figo, and Figo to every sub-processor.
  • At rest: standard managed-Postgres encryption-at-rest on the primary database; encryption-at-rest on stored documents.

3. Access control

  • Row-Level Security on every table. Tenant isolation is enforced at the database level. No table is accessible without an org-scope check.
  • Role hierarchy: Owner → Recruiter → Hiring Manager → Contributor → Viewer. Permissions are checked in three layers (UI gating, server action enforcement, database RLS).
  • Service-role usage is allowlisted with a dev-time guard rail; production paths never bypass RLS for user data access.
  • Enterprise SSO + SCIM is available on Enterprise plans, with 2FA enforcement and IP allowlists.

4. Audit log (historian)

  • Every server action that changes data writes a history entry — who, when, what changed, before/after.
  • AI extractions, candidate approvals, and recruiter decisions are all captured.
  • The history table has database-level UPDATE/DELETE revoked from non-service roles. History is append-only by enforcement, not convention.
  • Retention is indefinite (legal-defensibility window dominates). SIEM export is available on Enterprise.

5. AI invariants

Several security-relevant properties are guaranteed by Figo's AI architecture (see How Figo's AI works for detail):

  • No audio recording. The enrichment conversation runs as real-time speech-to-text; audio frames are dropped after transcription. No audio file is ever written to storage.
  • No AI scoring, ranking, or hiring decisions. The AI extracts; the recruiter decides.
  • Candidate approval gate. AI-extracted profile data does not reach a recruiter until the candidate reviews and approves it. Unapproved drafts expire after seven days.
  • No candidate data used to train external AI models. Customer and candidate data is not used to fine-tune the LLM, STT, or TTS providers' base models.

6. Authentication

  • Recruiter authentication via email + password, or enterprise SSO.
  • Candidate access via per-invitation tokenised links — no password, no account creation required.
  • 2FA enforcement, SAML SSO, SCIM provisioning, and IP allowlists available on Enterprise.

7. Breach response

  • Detection is built on signal aggregation across the platform.
  • Customer notification within 24 hours of Figo confirming a breach that affects a customer's data. Notification includes the data categories affected and the recommended response steps.
  • Your 72-hour clock to notify your supervisory authority (GDPR Art. 33) starts from our notification — not before. We will support you with the technical detail your regulator needs.
  • Internal runbook in docs/breach-response.md is rehearsed and updated when the platform changes.

8. Candidate rights tooling

  • DSAR export. One-click export of all data Figo holds about a candidate, ready for forwarding under GDPR Art. 15.
  • Erasure. Per-candidate permanent-delete action that cascades to all storage (resume, transcript, draft) and writes a tombstone in the audit log.
  • Retention auto-purge. Per-org retention settings enforced by a scheduled cron, with per-candidate jurisdiction floors (e.g. US EEOC 1-year minimum) applied automatically.
  • Legal holds suspend retention purge when a dispute is active.

9. Sub-processors

The current sub-processor list is at /legal/sub-processors. We commit to 30 days' notice before adding or changing a sub-processor that handles customer or candidate data.

10. Responsible disclosure

If you find a security issue, please email hello@usefigo.com with details. We aim to acknowledge within 48 hours and to keep you informed as we work toward a fix. We do not currently run a paid bounty programme but we publicly credit researchers who report in good faith.

11. Certifications

Figo does not currently hold SOC 2 Type II or ISO 27001 certifications. We will not claim either until we have completed the relevant third-party audit. If your procurement process requires either certification, please contact us to discuss timelines.

12. Questions

Email hello@usefigo.com — we will route security questions to the right person.