Security & Trust

Security Policy

Effective: 1st July 2026
Last Updated: June 24, 2026
Version: 1.0

64Skillls is committed to enterprise-grade information security. This policy defines the technical controls, governance framework, and security obligations that protect every user, employer, and piece of data entrusted to our platform.

🔒 ISO/IEC 27001 Aligned
✅ SOC 2 Principles
🔐 NIST Framework
🌐 OWASP Standards

01

Governance & Scope

This Information Security Policy establishes the security principles, governance framework, technical controls, and risk management practices implemented by 64Skillls to protect information assets, systems, infrastructure, and services.

🎯 Purpose

To protect the confidentiality, integrity, and availability of all information, safeguard personal data entrusted to the Platform, maintain trust among job seekers, employers, and partners, and support compliance with applicable privacy, cybersecurity, and regulatory obligations.

Framework Alignment

64Skillls maintains a risk-based information security programme (ISMS) strategically aligned with internationally recognized frameworks:

  • ISO/IEC 27001:2022: Information Security Management Systems
  • SOC 2 Type II: Trust Services Criteria (Security, Availability, Confidentiality)
  • NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
  • OWASP Application Standards: Top 10 web application security protections
  • GDPR & DPDP Act 2023: EU data regulation and India's privacy framework
  • CCPA / CPRA: California Consumer Privacy Act rights

Alignment with these frameworks does not constitute formal certification unless expressly stated by the Company.

Security Leadership

Security governance is overseen by designated leadership including the Chief Information Security Officer (CISO), Data Protection Officer (DPO), Security Operations Team, Incident Response Team, and Compliance Officers. These roles operate under the principle of accountability and least privilege, and the executive board reviews audit metrics annually.

Policy Scope

This Policy applies to all Users, contractors, employees, partners, and third parties interacting with the Platform, and governs all web applications, mobile apps, APIs, cloud infrastructure, databases, communication systems, and candidate management environments operated by 64Skillls.

02

Data & Cryptographic Standards

The Company enforces strict cryptographic controls across all lifecycle phases of data custody, ensuring sensitive data is rendered unreadable to unauthorized actors at all times.

Encryption Standards at a Glance

  • Data in Transit: TLS 1.2 / TLS 1.3
  • Data at Rest: AES-256
  • Password Hashing: Argon2id / bcrypt
  • HSTS: Enforced globally
  • Key Rotation: 90-day cycle
  • Key Management: Enterprise KMS

Data in Transit

All data transmitted between users' browsers, mobile apps, API endpoints, and platform infrastructure is secured using TLS 1.2 and TLS 1.3. Legacy insecure protocols (SSLv3, TLS 1.0, TLS 1.1) are categorically rejected. HTTP Strict Transport Security (HSTS) is enforced globally to prevent protocol-downgrade attacks. Unencrypted transmission of sensitive data is prohibited.

Data at Rest

All user repositories, candidate profiles, resume data, and operational databases are encrypted at rest across all production, testing, and backup environments using AES-256. Cryptographic keys are managed through an enterprise Key Management Service (KMS) enforcing strict envelope encryption and automated 90-day key rotation schedules.

Credential Security

User passwords are never stored in plaintext or under reversible encryption. Credentials are processed with computationally intensive, salted hashing algorithms, specifically Argon2id or bcrypt, the latter with a minimum work factor of 12. Additional protections include per-credential salt generation, key stretching, and adaptive work factors.

PII Protection & Masking

Candidate Personally Identifiable Information is structurally masked or pseudonymized within search indexes until a Job Seeker explicitly grants profile visibility or submits a formal application. Additional controls include data tokenization, field-level encryption, and role-based visibility restrictions limiting PII access to personnel with legitimate business requirements.

Data Classification

  • Public Data — No access restrictions
  • Internal Data — Restricted to employees
  • Confidential Data — Need-to-know basis
  • Restricted Data — Highest-level controls

03

Network & Infrastructure Security

The platform architecture is natively hosted within an enterprise-grade, highly resilient cloud environment with geographically isolated availability zones to guarantee high availability and systemic redundancy.

Web Application Firewall (WAF)

The platform's public-facing edge layers are protected by a state-of-the-art WAF whose rule sets are maintained with real-time threat intelligence to detect and block attacks targeting OWASP Top 10 vulnerability classes, including:

  • SQL Injection (SQLi)
  • Cross-Site Scripting (XSS)
  • Remote Code Execution (RCE)
  • Command Injection
  • Cross-Site Request Forgery (CSRF)
  • Local File Inclusion (LFI)
  • Directory Traversal
  • Malicious Bot Activity

Automated DDoS Mitigation

The network edge features continuous, inline DDoS mitigation engines capable of absorbing and neutralizing multi-gigabit Layer 3, 4, and 7 volumetric flooding attacks through traffic filtering, rate limiting, behavioral analysis, and traffic scrubbing — ensuring uninterrupted platform availability.

Environment Segmentation

🔒 Production Isolation

Production systems are hosted within strictly isolated Virtual Private Clouds (VPCs), physically and logically separated from Development, Staging, and Testing environments. No live production data or authentic candidate PII may be imported into testing environments — all test data must be synthetic or fully anonymized.

Network Monitoring

Network traffic is continuously monitored 24/7 for anomalous behavior, intrusion attempts, abuse patterns, and unauthorized access activity. The Security Operations Center (SOC) deploys centralized SIEM tools to aggregate and analyze system logs across all firewalls, operating systems, and application frameworks in real time.

04

Identity & Access Management

Access to all platform systems follows the Principle of Least Privilege (PoLP) and the Need-to-Know baseline. Our IAM framework utilizes Role-Based Access Control (RBAC) to ensure personnel receive only the minimum access necessary for their assigned duties.

  • Password Policy: Minimum 12 characters, with mandatory uppercase, lowercase, numeric, and special characters. Candidate passwords are checked against known compromised-credential databases (pwned password indices).
  • Multi-Factor Authentication: Mandatory MFA (TOTP apps or hardware tokens) for all internal admins, developers, and data controllers. Strongly enforced for employer recruiter accounts.
  • Least Privilege Access: Elevated access requires a justified, ticketed request, is comprehensively logged, and is automatically revoked upon task completion. Engineers are denied live database access by default.
  • Session Timeout: Inactive web dashboard sessions are terminated automatically after 30 minutes of dormancy. Risk-based re-authentication is enforced, and sessions may be terminated at any time for security reasons.
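As an added illustration that is not part of this policy or the platform's own code: the Password Policy requirement above (12-character minimum, four character classes, a compromised-credential check) and the Credential Security requirement (minimum bcrypt work factor of 12) expressed as defensive checks. The compromised-credential index is a constructed one-entry sample laid out the way k-anonymity range lookups are (first five hex characters of the SHA-1 digest select a range); the bcrypt hash strings used with it are likewise constructed, not real hashes.

```python
import hashlib
import re

MIN_LENGTH = 12        # policy: minimum 12 characters
MIN_BCRYPT_COST = 12   # policy: minimum bcrypt work factor


def _sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed one-entry stand-in for a compromised-credential ("pwned password")
# index, laid out the way k-anonymity range lookups work: the first five hex
# characters of the SHA-1 digest select a range, the remaining 35 are matched
# locally. A real index holds hundreds of millions of entries.
_LEAKED_SAMPLE = "Password123!@#"  # constructed example of a leaked password
COMPROMISED_INDEX = {
    _sha1_hex(_LEAKED_SAMPLE)[:5]: {_sha1_hex(_LEAKED_SAMPLE)[5:]},
}


def check_password_policy(password: str) -> list:
    """Return the policy rules a candidate password violates (empty list = acceptable)."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append("shorter than %d characters" % MIN_LENGTH)
    for pattern, label in (
        (r"[A-Z]", "no uppercase letter"),
        (r"[a-z]", "no lowercase letter"),
        (r"[0-9]", "no digit"),
        (r"[^A-Za-z0-9]", "no special character"),
    ):
        if not re.search(pattern, password):
            failures.append(label)
    digest = _sha1_hex(password)
    # Only the 5-character prefix would need to leave the client; the suffix is
    # compared locally so the full digest is never disclosed to the index.
    if digest[5:] in COMPROMISED_INDEX.get(digest[:5], set()):
        failures.append("appears in compromised-credential index")
    return failures


# Modular-crypt bcrypt format: $2<variant>$<cost>$<22-char salt><31-char hash>
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def bcrypt_cost_meets_policy(stored_hash: str) -> bool:
    """Audit a stored bcrypt hash: well-formed and cost parameter >= policy minimum."""
    match = _BCRYPT_RE.match(stored_hash)
    return bool(match) and int(match.group(1)) >= MIN_BCRYPT_COST
```

The audit function is useful when migrating a credential store: hashes whose cost is below the policy minimum can be flagged for re-hashing at the user's next successful login.
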
05

Vulnerability Management & Threat Detection

Audit logs record all authentication attempts, privilege escalation actions, configuration changes, and direct database queries involving PII. Log archives are cryptographically signed, immutable, and retained for a minimum of one (1) year to support legal forensic auditing.

Penetration Testing

At least once per calendar year, the Company retains an independent, certified third-party cybersecurity firm to perform rigorous grey-box and black-box penetration tests across all web applications, mobile apps, APIs, and infrastructure. Executive summaries and SOC 2 attestation documents are available to enterprise clients under a formal NDA.

Automated Patch Management

⏱️ Patch SLAs

Critical & High Severity: Security patches applied within 72 hours of validation via automated pipelines.
Medium Severity: Deployed during scheduled monthly maintenance cycles.
Vulnerability scanning runs continuously across all cloud repositories to identify outdated dependencies, zero-day flaws, and configuration drift.

Responsible Disclosure — Safe Harbour Programme

64Skillls welcomes responsible security research from the global white-hat community. Report vulnerabilities privately to info@64skillls.com.

✅ Safe Harbour Pledge

We will not initiate legal proceedings against researchers who discover flaws in good faith, provided they: do not exploit vulnerabilities to view, alter, or exfiltrate real user data; do not disrupt platform operations via denial-of-service tests; and maintain confidentiality and allow a reasonable remediation window before any public disclosure. Unauthorized testing remains strictly prohibited.

06

Incident Response & Breach Protocol

64Skillls maintains an agile, standing Cyber Incident Response Team (CIRT) chaired by the CISO and staffed by senior cloud architects, legal counsel, and forensic specialists, operating under a formal documented Incident Response Plan (IRP).

Response Lifecycle

  1. Detection & Analysis: SIEM alerts trigger immediate CIRT notification. Incident severity is classified as Critical, High, Medium, or Low based on impact scope and data exposure risk.
  2. Containment: Affected systems are immediately isolated from the production network, compromised credentials are revoked, and lateral movement is blocked at the VPC boundary.
  3. Eradication: The root cause is identified and eliminated, malicious artifacts are removed, and the vulnerability is patched or mitigated. System integrity is verified before any restoration begins.
  4. Recovery & Restoration: Systems are restored from verified clean backups. Full end-to-end testing is conducted before services return to production, and monitoring is intensified post-restoration.
  5. Regulatory Notification: Supervisory authorities are notified under GDPR within 72 hours where applicable, and national and state reporting mandates are met within their statutory windows. Affected users are notified promptly.
  6. Post-Incident Review: A full forensic analysis is conducted, lessons learned are documented, security controls are updated, an executive summary is prepared, and preventive measures are implemented.

Affected User Notifications Will Include

  • The nature of the breach and estimated categories of compromised data
  • Name and contact details of the Data Protection Officer
  • Immediate mitigation measures implemented by the CIRT
  • Recommended defensive steps (e.g., credential rotation, account monitoring)

⚠️ Security Limitations

While commercially reasonable safeguards are implemented, no security programme can guarantee absolute protection against all threats. 64Skillls does not warrant that security incidents can be completely prevented. Liability for security incidents is governed by applicable agreements, Terms & Conditions, and applicable law.

07

Third-Party Vendor Security

The Company implements a formal vendor risk management lifecycle. Any third-party SaaS application, cloud sub-processor, or external service tool integrated into our environment must undergo comprehensive security screening before engagement.

Vendor Requirements

  • Vendors must supply up-to-date SOC 2 Type II certifications or equivalent documentation proving internal controls match or exceed our security baselines
  • Assessment criteria include security controls, compliance certifications, privacy practices, and operational resilience
  • No customer data or candidate PII may be shared with any sub-processor until a legally binding Data Processing Agreement (DPA) with standard contractual clauses is signed
  • DPAs explicitly limit vendors to processing data strictly under our written instructions and prohibit selling, leasing, or repurposing user information

Payment Processing Security

💵 PCI-DSS Compliance

64Skillls does not collect, transmit, or store raw credit card numbers or sensitive banking credentials on its servers. All commercial payments are securely offloaded to independent, fully certified PCI-DSS Level 1 compliant payment gateways (e.g., Stripe / Razorpay). The Company disclaims liability for payment gateway interruptions or third-party transaction anomalies occurring within those isolated payment networks.

⚠️ Third-Party Disclaimer

64Skillls cannot guarantee the security practices of independent third parties. Users acknowledge that third-party integrations may introduce risks beyond Company control. Interactions with external platforms are governed by their independent terms and security policies.

08

User Responsibilities

Information security is a shared responsibility. The Platform enforces structural network boundaries and technical controls, but users must maintain basic security hygiene across their own endpoint environments.

User Security Obligations

  • Maintain strict confidentiality of login credentials — never share passwords with colleagues or third parties
  • Protect authentication devices used for MFA
  • Keep account information current and accurate
  • Immediately report any suspected account compromise, unauthorized access, or security anomaly to info@64skillls.com
  • All actions executed under an authenticated login are legally attributed to the account holder

Strictly Prohibited User Actions

  • Malicious File Uploads: Uploading malware, viruses, trojans, ransomware, logic bombs, or weaponized documents disguised as resumes or assets. All uploads are scanned with real-time anti-malware and heuristic detonation; violations result in a permanent account block.
  • Automated Scraping & Bots: Deploying scraping scripts, bots, headless browsers, spiders, crawlers, or data extraction tools to harvest resumes, candidate records, or proprietary platform data, all of which are protected corporate assets.
  • Unauthorized System Access: Hacking, vulnerability probing, password attacks, security testing without written authorization, or attempting to exploit platform vulnerabilities.
  • Reverse Engineering: Copying, decompiling, disassembling, translating, or attempting to derive the source code or underlying architecture of the platform's proprietary diagnostic frameworks.

09

Business Continuity & Disaster Recovery

To preserve systemic resilience against ransomware, infrastructure failure, or regional disasters, the platform implements an automated, tiered backup infrastructure with geographically isolated storage completely separated from the live production network topology.

Backup Architecture

  • Incremental backups: Every hour across all production databases
  • Full snapshot images: Compiled daily and weekly
  • Encryption: All backups encrypted using AES-256 keys
  • Geographic redundancy: Backups synchronised to isolated cloud storage vaults
  • Immutable storage: Backup integrity protected against ransomware modification
  • Tested regularly: Restoration procedures validated periodically for operational readiness

Recovery Targets

  • RTO: 4 hrs. Recovery Time Objective, the maximum time to fully restore core web services and platform access following a catastrophic failure.
  • RPO: 24 hrs. Recovery Point Objective, the maximum window of data loss in a worst-case recovery scenario.

ⓘ Actual recovery timelines may vary depending on incident severity, infrastructure complexity, and third-party dependencies.

10

Policy Control & Updates

This Security Policy is a living governance document under the direct ownership of the Chief Information Security Officer (CISO). It undergoes formal compliance review at least once per calendar year, or immediately following any significant change in platform architecture, system features, or applicable privacy laws.

Security Enforcement Rights

64Skillls reserves the absolute, unilateral right to instantly suspend, restrict, or permanently terminate any account — without prior notification, compensation, or liability — where the Company reasonably suspects:

  • Unauthorized vulnerability scanning or system probing
  • Brute-force or credential stuffing attempts
  • Scraping candidate data or platform assets
  • Malicious file distribution or injection
  • Account compromise or identity fraud
  • Any violation of this Security Policy or the Terms of Service

Policy Modifications

🔔 Policy Updates

Updated versions of this Policy become effective upon publication unless otherwise required by law. Continued use of the Platform after an update constitutes acceptance of the revised Policy. Material changes may be communicated via email notification, platform dashboard alerts, or website notices.

11

Responsible Disclosure & Bug Bounty

We take the security of our platform and our users' data very seriously. If you discover a security vulnerability in 64Skills, we encourage you to disclose it to us responsibly.

How to Report

Please email your findings directly to security@64skills.com with the subject line "Responsible Disclosure - [Vulnerability Type]". Include the following details in your report:

  • A detailed description of the vulnerability and its potential impact.
  • Clear, step-by-step instructions or proof-of-concept (PoC) code to reproduce the issue.
  • Your contact details and preferred name for acknowledgement.

Our Commitments

  • Response Timeline: We will acknowledge receipt of your report within 48 hours and work to deploy a patch within 14 days for high-severity issues.
  • Safe Harbour: We will not pursue legal action against security researchers who act in good faith, do not access or modify user data, and give us reasonable time to remediate the issue before public disclosure.
  • Recognition & Rewards: Researchers who submit valid, previously unknown vulnerabilities will be listed on our Security Hall of Fame and may be eligible for swag or financial rewards depending on severity.

12

Security Contact

For security compliance inquiries, vendor risk assessments, or official data protection queries, contact our dedicated security team:

🛡️ Security & Compliance Team

64Skills
Attn: Chief Information Security Officer / Data Protection Team
Hyderabad, Telangana, India

Document Ref: 64S-ISMS-SEC-2026  •  Version 1.1