Security
Two-factor authentication and active session management.
Go to Settings > Security to manage your account's security settings.
Two-Factor Authentication
Add an extra layer of security using any TOTP-based authenticator app — Google Authenticator, Authy, 1Password, or similar.
Click Enable 2FA
Scan the QR code with your authenticator app
Enter the 6-digit code from the app to confirm it's working
Click Verify — 2FA is now active on your account
Once enabled, you'll need to enter a code from your authenticator app every time you sign in.
Click Disable next to the "Enabled" status. This removes 2FA from your account immediately.
If your administrator has made 2FA required for your organization, you will not be able to disable it. The button will be locked.
Required by Administrator
If your organization requires 2FA, you'll be redirected to this page with a warning banner when you try to access any other page. You must enable 2FA before you can continue using the platform.
Active Sessions
See every device where you're currently signed in:
| Column | What It Shows |
|---|---|
| Browser and OS | e.g., "Chrome on macOS" |
| IP address | Where the session connected from |
| Last active | When you last used that session |
Revoking a Session
If you see a session you don't recognize, click Revoke to sign it out. The device loses access on its next request.
If you ever suspect unauthorized access, revoke all unfamiliar sessions immediately and change your password.
Idle Timeout
If you're inactive for a period configured by your administrator, a warning popup appears. Click I'm Still Here to stay signed in. If you don't respond within 60 seconds, you'll be automatically signed out.
Candidate Data Privacy
The platform handles candidate personal data under GDPR-aligned controls. As an employer:
- Every candidate is asked to consent to interview recording and resume processing before any interview begins. If a candidate declines, the interview is blocked at the start; no recording or scoring occurs.
- Candidates can request deletion of their data directly from their account. Once a request is submitted, their record is scheduled for permanent deletion after a 30-day grace period. During the grace period the candidate can still log in and is shown a banner with the scheduled deletion date.
- After 30 days, an automated daily process permanently removes the candidate's record and all derived artifacts (resume text, scorecards, transcripts, integrity events).
- IP addresses recorded for audit purposes are anonymized after 90 days.
- All security-relevant events (role changes, permission edits, login attempts, deletion requests, cron runs) are written to an immutable audit log and retained per your organization's policy.
If you receive a deletion request from a candidate by email and need to process it manually, contact platform support; the standard path is for the candidate to use the in-app account-deletion flow.