Information Security and Compliance


Our clients trust us with their most sensitive talent data.
We take that responsibility seriously. 

At LevelUP, safeguarding client and candidate information isn't an afterthought. We maintain rigorous security standards across our infrastructure, data handling practices, and partner ecosystem so you can focus on building great teams with complete confidence.


A High Bar for Privacy and Security

We protect your data with enterprise-grade safeguards, from infrastructure security and encryption to independent third-party audits and penetration testing. Our compliance posture is built to meet the needs of the most security-conscious clients in the market.

ISO 27001 Certified

LevelUP is certified to the ISO/IEC 27001 international standard for information security management. Our Information Security Management System (ISMS) is built to address risks across people, processes, and technology, and is continuously monitored and improved to stay aligned with global best practices.

CCPA Compliant
Under the California Consumer Privacy Act (CCPA), individuals have the right to access, review, and request deletion of their personal information. LevelUP is CCPA compliant, honoring all consumer data rights and maintaining transparent records of how candidate and client data is collected and used.
GDPR Compliant
LevelUP complies with the General Data Protection Regulation (GDPR), ensuring that the personal data of EU citizens is processed lawfully, transparently, and securely. Our data handling practices are regularly reviewed to maintain alignment with evolving EU privacy requirements.  
OFCCP Support
LevelUP supports clients who are subject to Office of Federal Contract Compliance Programs (OFCCP) requirements. We maintain record-keeping standards and provide diversity reporting tools that help clients demonstrate good-faith efforts in equitable hiring practices — making audits easier to navigate and compliance easier to maintain.  
Data Center Security
LevelUP's infrastructure is hosted on a noted and reputable cloud data platform, which operates across AWS, Microsoft Azure, and Google Cloud — inheriting world-class physical security standards from each. The platform maintains certifications including SOC 1 & 2 Type II, ISO 27001, PCI DSS Level 1, HIPAA, FedRAMP Moderate, and GDPR/CCPA compliance, backed by continuous risk management and regular third-party audits. Learn more at snowflake.com/trust.  
Encrypted Data at Rest
All client and candidate data stored on LevelUP's platform is encrypted using AES-256 — the industry-standard symmetric encryption algorithm — ensuring your data is protected even at the storage layer.
Encrypted Data in Transit
All data transmitted to and from LevelUP's platform is protected via HTTPS and SSL/TLS connections. We require TLS 1.2 or higher with strict cipher suites for all network communication, preventing interception or tampering in transit.  
Data Retention and Destruction
Clients may request removal of their data at any time to meet their own retention requirements. Absent an explicit removal request, LevelUP retains data for a defined period before it is securely and permanently destroyed. Hardware decommissioning follows NIST 800-88 guidelines for media sanitization, ensuring data cannot be recovered from retired infrastructure. 
Data Backups
LevelUP performs daily database backups, with copies retained across geographically distributed AWS regions. All backup data is encrypted with AES-256, ensuring recoverability without compromising security.  
Physical Security
Our infrastructure resides in AWS data centers protected by professional security staff, multi-factor access controls, 24/7 video surveillance, and intrusion detection systems. Physical access is strictly limited to authorized personnel with a verified business need, and all access is logged and audited.
Data Access Controls
Access to client and candidate data within LevelUP is governed by the principle of least privilege — team members are granted only the access they need to perform their roles. We support SAML 2.0 and SSO integration, and enforce multi-factor authentication (MFA) to prevent unauthorized access. 
Disaster Recovery and High Availability
As a cloud-native organization, LevelUP benefits from the built-in resilience and redundancy of our cloud platform providers. Disaster recovery, failover, and high availability are managed at the infrastructure level, ensuring client data and services remain accessible and protected at all times.  
