Products

Solutions

Resources

Company

English

Products

Solutions

Resources

Company

English

Security & Privacy

Security & Privacy

Security & Privacy

Hatch is built on enterprise-grade infrastructure with privacy and security designed in from the ground up. Here's what that looks like in practice.

Certifications and Compliance

Certifications and Compliance

Hatch is built on Amazon Web Services (AWS), an infrastructure provider trusted by the world's largest enterprises and independently audited under SOC 1, SOC 2, and SOC 3 standards. This means the physical security, network protections, and operational controls behind our platform meet some of the highest benchmarks in the industry. Our privacy practices are aligned with Canada's PIPEDA requirements, reflecting our commitment to protecting the people who use Hatch.

Data Residency

Data Residency

Our data centers are located in Canada, hosted on AWS infrastructure built to enterprise-grade physical and operational security standards. We encrypt all data in transit using industry-standard TLS protocols, and we encrypt data at rest using AWS-managed encryption with keys protected by hardware security modules (HSMs). Access to encryption keys is tightly restricted through identity and access management controls, so only authorized systems and personnel can ever touch the underlying data.

We don’t sell Customer Data

We don’t sell Customer Data

We never sell your data. Any use of customer information is limited to operating, securing, and improving the platform, and is always governed by our Privacy Policy and contractual commitments to you. 

Multi-Tenant Data Segregation

Multi-Tenant Data Segregation

Your organization's data is logically separated from every other customer on the platform. Role-based access controls ensure that coaches, sponsors, and administrators can only see the data relevant to their own organization, never another customer's.

Customer Data Ownership

Customer Data Ownership

You own your data. Hatch acts solely as a service provider, processing and storing information on your behalf, never claiming ownership over it. Your résumés, career content, and organizational data remain yours at all times. 

Data Retention & Deletion

Data Retention & Deletion

When you no longer need your data with us, you can request deletion. We securely delete or anonymize customer information in line with our retention procedures, so your data doesn't linger indefinitely after your relationship with Hatch ends. 

Subprocessors

Subprocessors

To deliver certain features, Hatch works with a small number of trusted third-party service providers, including AWS, OpenAI, Anthropic, Google Gemini, xAI, and Customer.io. These providers are contractually required to protect your information and may only process data on Hatch's behalf, for the specific purpose of delivering the feature you're using. While our core data storage is located in Canada, some of these providers may process limited data in the United States to power their services. 

Incident Response & Vulnerability Disclosure

Incident Response & Vulnerability Disclosure

We maintain a documented incident response process designed to detect, contain, and resolve security events quickly. Our infrastructure is continuously monitored using AWS GuardDuty, which analyzes network and account activity in real time to flag suspicious behavior before it becomes a problem. When a security event does occur, our team investigates the scope and impact, takes corrective action, and notifies affected customers without undue delay, sharing what happened, what we did about it, and what you should know. We prioritize and deploy security updates and patches based on risk and severity, so known vulnerabilities don't sit unaddressed.