Security & Privacy

Built to protect the people whose data we hold.

We treat employer and candidate information as something to minimize, encrypt, and age out — not collect for its own sake. The site, the portals, and the back-office workflow are all wired through Cloudflare's edge with strong encryption by default.

AES-256 encryption, end to end

Candidate contact information, assignment records, and form submissions are encrypted with AES-256 at rest. In transit, all traffic uses TLS 1.3 with HSTS preloaded and modern cipher suites only.

  • AES-256-GCM for data at rest in Cloudflare KV and R2
  • TLS 1.3 enforced at the edge; legacy ciphers disabled
  • HSTS preloaded with includeSubDomains and a one-year max-age
  • Secrets isolated in Cloudflare Pages secrets and Worker bindings — never in source

Cloudflare edge security

The application runs on Cloudflare Pages with Workers handling every dynamic surface. Every input field is gated by Cloudflare Turnstile for human verification. DDoS mitigation, WAF managed rules, and bot management apply automatically.

  • Cloudflare Turnstile on contact, portal sign-in, and candidate intake
  • WAF managed rule sets (OWASP Top 10) plus custom rules for the staffing workflow
  • Bot Fight Mode and rate limiting on authentication endpoints
  • KV-backed rate limiting per email and IP on the contact API
  • Static pages served from Cloudflare's global edge for sub-100ms TTFB
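One way the per-email and per-IP limiter on the contact API described above can be structured inside a Worker, as an added illustration that is not KRR's code: it assumes a KV-style binding with get/put and expirationTtl (stubbed in memory here so it runs offline) and hypothetical limits of 3 submissions per email and 10 per IP in a 10-minute window.

```javascript
// Illustrative KV-backed rate limiter for a contact endpoint (not KRR's code).
const WINDOW_SECONDS = 600; // hypothetical 10-minute bucket
const MAX_PER_EMAIL = 3;    // hypothetical per-email limit
const MAX_PER_IP = 10;      // hypothetical per-IP limit

// In-memory stand-in for a Workers KV namespace: get/put with expirationTtl.
// The injectable clock lets tests move time forward deterministically.
class MemoryKV {
  constructor(now = () => Date.now()) { this.store = new Map(); this.now = now; }
  async get(key) {
    const entry = this.store.get(key);
    if (!entry) return null;
    if (entry.expires <= this.now()) { this.store.delete(key); return null; }
    return entry.value;
  }
  async put(key, value, { expirationTtl = 3600 } = {}) {
    this.store.set(key, { value, expires: this.now() + expirationTtl * 1000 });
  }
}

// Fold case and whitespace so trivial variants of one address share a counter.
function normalizeEmail(email) { return email.trim().toLowerCase(); }

// Check both buckets before counting the hit; a blocked request is not counted.
// Each accepted hit refreshes the TTL, so a bucket expires WINDOW_SECONDS after
// its last accepted submission. KV writes are not atomic, so under concurrent
// load the count is approximate: this is a coarse control, not an exact quota.
async function checkContactRateLimit(kv, { email, ip }) {
  const emailKey = `rl:email:${normalizeEmail(email)}`;
  const ipKey = `rl:ip:${ip}`;
  const emailCount = Number(await kv.get(emailKey)) || 0;
  const ipCount = Number(await kv.get(ipKey)) || 0;
  if (emailCount >= MAX_PER_EMAIL) return { allowed: false, reason: "email" };
  if (ipCount >= MAX_PER_IP) return { allowed: false, reason: "ip" };
  await kv.put(emailKey, String(emailCount + 1), { expirationTtl: WINDOW_SECONDS });
  await kv.put(ipKey, String(ipCount + 1), { expirationTtl: WINDOW_SECONDS });
  return { allowed: true, reason: null };
}
```

Because KV is eventually consistent, a limiter like this belongs behind Turnstile and the WAF as a second layer, and the blocked response should be logged so abuse of one address or source can be spotted.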

Privacy by design

We collect the minimum information necessary to do the work, segregate it by role, and age it out on documented retention schedules. Candidates can request export or deletion of their data at any time.

  • Active candidate records: kept for the duration of the engagement plus the period required by applicable law
  • Inactive candidate intake forms: purged at 24 months absent re-engagement
  • Contact form submissions: 30 days, then purged from KV
  • Right-to-delete requests acknowledged within 30 days under applicable state law (CCPA, CDPA, CPA)
  • No third-party analytics trackers, no advertising pixels, no session replay

Operational integrity

Internal access to candidate and employer data is limited to the recruiters and operations staff working that engagement. Permissions are reviewed regularly.

  • Role-based access with least-privilege provisioning
  • Multi-factor authentication required for all internal systems
  • Hardware-key MFA for staff with administrative permissions
  • Vendor due diligence and contractual data-handling clauses with every subprocessor

Responsible disclosure

If you have discovered a security issue, we want to know. Reports are triaged within one business day. Researchers acting in good faith are protected from legal action.

Email security@krrsolution.com with details. PGP key on request.

Need our data-handling documentation?

Procurement and security review teams can request our privacy and data-handling packet under NDA.
