- TLS 1.2+ encryption in transit with HSTS enforcement.
- AES-256 encryption at rest through AWS infrastructure.
- Passwords hashed with bcrypt (industry-standard adaptive hashing).
- Database connections encrypted in transit.
Trust · Code2College
Security & compliance
How we protect your data, our infrastructure controls, and the certifications
backing the HireWheel platform.
Last updated: March 2026
- Hosted on Heroku (AWS us-east-1 region).
- All data stored in United States data centers.
- No data transferred outside the US.
- CSRF protection on all forms (Flask-WTF).
- Rate limiting on authentication and API endpoints.
- Secure cookies: HttpOnly, SameSite=Lax, Secure flag.
- Content Security Policy headers.
- Security headers: HSTS, X-Content-Type-Options, X-Frame-Options.
- Input validation and output encoding.
- Four distinct user roles with strict separation: Intern, Employer, Admin, and Coordinator.
- Session management via Flask-Login.
- Email verification required for all accounts.
- Role-based route protection on all endpoints.
- Content moderation: All student inputs are screened by OpenAI's Moderation API before processing.
- Restrictive system prompts constrain AI behavior.
- Per-user daily rate limits on AI features.
- Student data is anonymized before AI processing (PII stripped from skill analysis).
- Zero-data-retention configuration with AI providers.
| Provider | Certifications |
|---|---|
| Heroku (Salesforce) | SOC 2 Type II |
| AWS | SOC 2, ISO 27001, FedRAMP |
| OpenAI | SOC 2 Type II |
| Anthropic | SOC 2 Type II |
Code2College leverages certified infrastructure providers. Application-level organizational certification is under evaluation.
- Immutable audit logs tracking data access and administrative actions.
- FERPA consent management framework.
- Data export capabilities for student data portability.
- Minor detection and protection mechanisms.
For security inquiries, please contact us at zachary@code2college.org.