Privacy

GDPR Readiness (In Progress)

NexeraHR is actively working toward stronger GDPR readiness. This page explains which product controls are already in place and which legal, operational, and documentation steps are still being formalized.

This page is not a certification or a claim of full GDPR compliance. It is an overview of current controls and the work still underway.

What is already in place

NexeraHR already implements a number of product-level controls that support privacy-by-design principles, including tenant isolation, encrypted PII, and role-based access.

  • AES-256-GCM encryption for sensitive fields like email and phone.
  • Hashed email lookup to reduce exposure of raw identifiers.
  • JWT sessions in httpOnly cookies via Auth.js / NextAuth.js.
  • Tenant-level separation of jobs, applications, assessments, interviews, surveys, and analytics.
  • Granular RBAC across hiring resources.
  • Audit logging for selected sensitive actions.
  • Security headers, CSP, CORS, and rate limiting where configured.

How NexeraHR supports privacy-by-design

The platform is built so that users only access what they need for their role. Recruiters work on assigned jobs, viewers see read-only data, candidates access their own applications and portal, and super-admin capabilities are isolated into dedicated internal routes.

Public-facing flows—such as assessments, AI interviews, surveys, and career pages—use token-based or scoped access instead of broad platform access.

GDPR work currently in progress

Beyond product controls, GDPR readiness also requires formal processes, legal documentation, and operational practices. These areas are actively being developed.

  • Data inventory and records of processing activities.
  • Formal retention and deletion schedules for hiring records.
  • Clearer internal access review and incident response processes.
  • Customer-facing data processing terms and vendor transparency materials.
  • Operational support for data subject requests where required.
  • Ongoing review of cookie and consent requirements for public experiences.

What this means for customers today

Today, NexeraHR already offers strong product-level controls around tenant isolation, access control, encrypted PII, secure authentication, and scoped public flows. At the same time, some GDPR-related legal and operational components are still being finalized.

If your legal, security, or procurement team is evaluating GDPR readiness, we recommend contacting us directly so we can provide the latest information and discuss how NexeraHR fits into your overall privacy program.

Need up-to-date GDPR details?

We're happy to walk through our current controls and roadmap with your review team.