Security & Trust

Security Center

How we protect the data of healthcare professionals and employers on this platform.

Last updated: · Data Methodology

Health Talent Staffing protects user data with TLS 1.2+ encryption in transit, encryption at rest, dual OTP verification, role-based access controls, and OWASP Top 10 protections — from day one, not as an afterthought.

Data Scope

We collect professional and business contact data only. No patient health information (PHI) is ever collected, stored, or transmitted. See our HIPAA Compliance page →

Encryption & Transmission

  • TLS 1.2+ enforced on all connections; HTTP Strict Transport Security (HSTS) enabled
  • Data at rest — database and backups are encrypted
  • All API traffic uses HTTPS; no sensitive data over plain HTTP

Authentication & Access Control

  • Role-Based Access Control (RBAC) enforced server-side on every endpoint — admin / editor / recruiter / professional / employer roles
  • Mandatory MFA on all admin accounts (TOTP)
  • Passwords hashed with Argon2, a memory-hard password hash and the OWASP-recommended choice for password storage
  • Short-lived JWT access tokens (15 min) + refresh token rotation
  • All admin actions written to an immutable audit log (who did what, when, from which IP)

Dual OTP Verification

All lead capture and profile creation on this platform requires dual OTP verification: both the email address and the WhatsApp phone number must be confirmed with a one-time code before a lead or profile becomes active. This keeps bots, disposable addresses, and fake numbers out of the system.

  • Rate-limited per identifier and per IP (prevents OTP pumping, where an attacker triggers large volumes of paid SMS/WhatsApp sends)
  • OTP codes expire in 10 minutes; max 5 attempts before lockout
  • Codes stored as SHA-256 hashes — never plain text
  • Disposable email domains are blocked; employer accounts must use a company domain (free webmail domains are rejected for employers)
  • Bot protection (hCaptcha/Turnstile) on all OTP triggers

Professional PII Protection

Healthcare professional contact details (name, email, phone) are never exposed publicly. They are only revealed to a verified employer who has explicitly unlocked that professional's contact — and every unlock is audit-logged. Public search results show specialty, availability, and experience only.

Application Security (OWASP Top 10)

  • SQL Injection — parameterized queries via SQLAlchemy ORM; no raw string-built SQL
  • XSS — output encoding + Content-Security-Policy headers
  • CSRF — CSRF tokens on all state-changing requests
  • SSRF — every user-supplied external URL is validated server-side before any outbound request is made
  • Insecure Deserialization / Input Validation — every request body is parsed into a typed Pydantic v2 model server-side, so unexpected fields and types are rejected before a handler runs
  • Security Headers — X-Content-Type-Options, X-Frame-Options, Referrer-Policy, CSP
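The first item above, parameterized queries, is the one whose failure mode is easiest to see. The following is an added example, not code from the platform: it uses the standard-library sqlite3 driver and a constructed in-memory table so it runs offline, but the principle is the same one SQLAlchemy's bound parameters enforce. The vulnerable function splices user input into the SQL string; the hardened one passes it as a bound value, so the input can only ever be compared as data.

```python
import sqlite3

PAYLOAD = "' OR '1'='1"  # classic tautology injection


def make_db():
    """Constructed sample data standing in for the professionals table."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE professionals (id INTEGER PRIMARY KEY, specialty TEXT, email TEXT)")
    con.executemany(
        "INSERT INTO professionals (specialty, email) VALUES (?, ?)",
        [("ICU", "a@example.com"), ("ICU", "b@example.com"), ("ER", "c@example.com")],
    )
    return con


def search_vulnerable(con, specialty):
    # String-built SQL: the input becomes part of the statement, so a quote
    # in the input ends the literal and the rest is parsed as SQL.
    sql = f"SELECT email FROM professionals WHERE specialty = '{specialty}'"
    return [row[0] for row in con.execute(sql)]


def search_parameterized(con, specialty):
    # Bound parameter: the driver sends the value separately from the statement,
    # so quotes or keywords in it are never interpreted as SQL.
    rows = con.execute("SELECT email FROM professionals WHERE specialty = ?", (specialty,))
    return [row[0] for row in rows]
```

With the payload above, the string-built query returns every professional's email (the WHERE clause becomes `specialty = '' OR '1'='1'`), while the parameterized query returns nothing, because no row has the literal specialty `' OR '1'='1`. The ORM path on this platform is the second behaviour.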

Infrastructure Security

  • WAF + DDoS protection (Cloudflare / AWS WAF) in front of the application
  • Secrets in a vault (AWS Secrets Manager) — never committed to git or in plain env files
  • Automated dependency vulnerability scanning (Dependabot/Snyk) in CI
  • Container image scanning on every build
  • Encrypted, tested backups with a documented restore procedure
  • Principle of least privilege on all cloud IAM roles

Mobile App Security

  • Auth tokens stored in iOS Keychain / Android Keystore — never in plain local storage
  • Certificate pinning on all API communication
  • No API keys or secrets hardcoded in the app bundle

US Privacy Law Compliance

We comply with CCPA/CPRA and applicable US state privacy laws. Users have the right to access, correct, and delete their data. Read our Privacy Policy →

Reporting a Vulnerability

If you discover a security vulnerability, please report it responsibly to security@healthtalentstaffing.com. We aim to acknowledge all reports within 48 hours.