Trust & Safety

SECURITY

Last updated: June 1, 2026

Our Approach

Scryyn handles sensitive data — candidate CVs, video responses, compensation information, and hiring decisions. We treat security as a product requirement, not an afterthought. This page describes the controls we have in place.

Infrastructure

  • All data is hosted on Vultr cloud infrastructure in India-region data centres
  • Candidate files (CVs, video responses) are stored in Cloudflare R2 with private bucket access only — no public URLs without signed tokens
  • Database runs on PostgreSQL with encrypted connections (TLS) and access restricted to application servers only
  • All data at rest is encrypted using AES-256
  • All data in transit is encrypted via TLS 1.2+

Authentication

  • Scryyn uses OTP-only authentication — there are no stored passwords to breach
  • OTPs are single-use, expire in 10 minutes, and are hashed before storage
  • Sessions are stored server-side with 30-day expiry and can be revoked instantly
  • Session tokens are httpOnly cookies — not accessible to JavaScript

Access Controls

  • Role-based access control enforced at the API layer on every request
  • Organisation data is strictly isolated — no cross-tenant data access is possible
  • Business Unit scoping restricts member access to only their assigned roles and pipelines
  • Admin routes are protected by a separate secret not exposed in the application

AI and Third-Party Data Sharing

  • CV and job description data is sent to Anthropic's API solely to generate fitment scores and interview questions
  • Anthropic processes this data under a zero-data-retention policy for API customers — data is not used to train their models
  • No candidate personal data is shared with advertising, analytics, or data broker services

Incident Response

In the event of a data breach or security incident that affects personal data, we will notify affected users within 72 hours of becoming aware of the incident, in accordance with the Digital Personal Data Protection Act 2023.

Responsible Disclosure

If you discover a security vulnerability in Scryyn, please report it to us at prasanna@lynkstr.com. We will acknowledge receipt within 2 business days and work with you to resolve the issue. We ask that you give us reasonable time to investigate before public disclosure.

Contact

Lynkstr Private Limited
prasanna@lynkstr.com