Ixyle
Legal · Ixyle Technologies Private Limited

Security

Effective · 27 April 2026

Draft pending legal review. This page reflects Ixyle's current product practices but has not been formally signed off by counsel. If you're a customer relying on legal terms before purchasing, email info@ixyle.com and we'll send the latest reviewed version directly.

We treat your interview data with the care it deserves — voice, video, transcripts, and resumes are sensitive. Here's how we protect them.

Authentication

  • Passwords hashed with Argon2id (memory-hard, the OWASP-recommended algorithm).
  • Email-OTP verification on signup, via AWS SES.
  • Session cookies are httpOnly + Secure + SameSite=Lax — invisible to client-side JS.
  • Rate-limiting on auth endpoints to mitigate brute-force.
  • Forgot-password flow uses single-use, time-bound tokens; no security questions.

Transport + storage encryption

  • All traffic over TLS 1.3. HTTP redirects to HTTPS.
  • Database (Cosmos MongoDB) and Blob Storage encrypted at rest with AES-256.
  • Secrets (API keys, DB connection strings) live in Azure Key Vault; never in code, never in env files committed to git.
  • HSTS preload pending; CSP, X-Frame-Options, X-Content-Type-Options headers enforced.

Infrastructure

  • Region: India / Central India. Customer data does not leave India for storage. (LLM processing transits via Anthropic's APIs which are global; we send minimum-necessary context per call.)
  • Microsoft Azure (Cosmos MongoDB, Container Apps, Blob Storage, Key Vault).
  • LiveKit self-hosted on Azure VM (real-time voice/video transport stays in our infrastructure, not a third-party SaaS).
  • Network isolation: backend services accessible only via internal VNet; only the public-facing app gateway is internet-exposed.

Data minimisation

  • Audio recordings: discarded within 24 hours of transcription unless explicitly downloaded.
  • Video recordings: retained 7 days unless saved.
  • We send only round-relevant context to LLM providers (round type, company profile, your last utterance) — not your full identity, not your email, not your payment info.
  • Resume PDFs are processed in-memory and the binary discarded; only the structured-extraction JSON is retained.

Operational security

  • Mandatory 2FA on all staff accounts (Microsoft Entra ID).
  • Principle-of-least-privilege: engineers don't have prod data access by default; just-in-time elevation with audit log.
  • Quarterly penetration testing (planned: Q3 2026 first formal pen-test).
  • Dependency audit on every CI build; SCA tool flags high-severity CVEs.
  • Incident response runbook published internally; blameless postmortems for any P0/P1 incident.

Compliance

  • India's Digital Personal Data Protection Act, 2023 — compliant. Data Protection Officer designated; grievance-redressal process documented.
  • India's Consumer Protection Act 2019 — terms of service + refund policy comply.
  • For B2B college contracts: we sign a separate Data Processing Agreement that covers college-specific student-data flows.

Reporting a vulnerability

Found a security issue? Email info@ixyle.com with the subject line “Security report — [brief description]”. We acknowledge within 24 hours, investigate within 7 days, and credit responsible reporters in our hall-of-fame (with permission).

Please don't public-disclose before we patch — give us 90 days. We don't prosecute good-faith research.