
Security

Effective: 1 February 2026

1. Our Commitment

At OnPass, security is foundational to everything we build. OnPass is an AI-powered pre-employment screening product operated by Faaro (ABN 74 611 345 530). Our platform screens and verifies candidates through AI interviews and compliance checks. We understand that candidate data and employer data are highly sensitive.

This page provides an overview of our security practices, compliance posture, and the measures we take to protect your data. If you have security questions or need additional detail for a vendor assessment, please contact us at security@faaroglobal.com.

2. Compliance and Certifications

We are committed to meeting and exceeding industry security standards:

SOC 2 Type II: In Progress
ISO 27001: Planned 2026
  • SOC 2 Type II: We are actively working toward SOC 2 Type II certification, covering the Trust Services Criteria of Security, Availability, and Confidentiality. Our programme includes policy development, control implementation, and evidence collection.
  • ISO 27001: We have planned our ISO 27001 certification programme for 2026, building on our existing Information Security Management System (ISMS) framework.
  • Annual penetration testing: We engage independent, qualified third-party security firms to conduct annual penetration tests of our platform, infrastructure, and APIs. Findings are triaged and remediated based on severity.
  • Australian Privacy Principles (APPs): We comply with the Privacy Act 1988 (Cth) and the Australian Privacy Principles. See our Privacy Policy for details.

3. Privacy and Data Processing

  • Data Processing Agreement (DPA): We provide a comprehensive DPA to all customers that outlines our obligations as a data processor, including data handling, sub-processor management, breach notification, and data deletion procedures.
  • Data usage framework: Customer and candidate data is only used to provide and improve the screening Services as agreed in the customer's service agreement. We do not use candidate data for advertising, profiling, or any purpose unrelated to service delivery.
  • Sub-processor management: We maintain a list of sub-processors and notify customers of changes. All sub-processors are bound by data processing agreements with security requirements equivalent to our own.

4. Product Security Features

Our platform includes comprehensive security features designed to protect candidate and employer data at every layer:

Authentication

Single Sign-On (SSO) via SAML 2.0 and OIDC. Multi-factor authentication (MFA) support. OAuth 2.0 for ATS integrations. Session management with configurable timeouts. Account lockout after failed attempts.

Authorization

Role-based access control (RBAC) with granular permissions. Tenant isolation ensures complete data separation between employers. Recruiter-level and admin-level access controls. Least-privilege principle enforced across all services.

Auditing

Comprehensive audit logging of all screening actions and data access. Immutable audit trail for candidate screening decisions. Evidence chain for compliance verification. Exportable audit reports for external review.

API Security

All API communications encrypted with TLS 1.2 or higher. API key management with rotation support for ATS integrations. Rate limiting and throttling to prevent abuse. Input validation and output encoding on all endpoints.

5. Infrastructure Security

Our platform is hosted on Amazon Web Services (AWS) in the Sydney region (ap-southeast-2), providing enterprise-grade infrastructure security:

  • AWS Sydney (ap-southeast-2): Primary data storage and processing occurs in the AWS Sydney region, ensuring data residency within Australia.
  • Virtual Private Cloud (VPC): All services operate within isolated VPCs with strict network segmentation. Private subnets are used for databases and internal services.
  • Web Application Firewall (WAF): AWS WAF protects against common web exploits including SQL injection, cross-site scripting (XSS), and other OWASP Top 10 threats.
  • DDoS protection: AWS Shield provides always-on DDoS protection.
  • Network monitoring: VPC Flow Logs and security group analysis provide continuous network monitoring.
  • Infrastructure as Code: All infrastructure is defined and managed through code, ensuring consistent, auditable, and repeatable deployments.

6. Application Security

We integrate security throughout our software development lifecycle:

  • SAST (Static Application Security Testing): Automated static analysis of source code during development and in CI/CD pipelines to identify vulnerabilities before deployment.
  • DAST (Dynamic Application Security Testing): Regular dynamic testing of running applications to identify runtime vulnerabilities and misconfigurations.
  • SCA (Software Composition Analysis): Continuous monitoring of third-party dependencies for known vulnerabilities, with automated alerts and remediation workflows.
  • Secure development practices: Code reviews, security-focused design reviews, and developer security training.
  • Vulnerability management: Documented vulnerability management process with SLAs for remediation based on severity (Critical: 24h, High: 7 days, Medium: 30 days, Low: 90 days).

7. Encryption

Encryption in Transit

All data transmitted between clients and our Services is encrypted using TLS 1.2 or higher. We enforce HTTPS for all web traffic. API communications use TLS with strong cipher suites. Internal service-to-service communication is encrypted.

Encryption at Rest

All stored data is encrypted using AES-256 encryption. Database encryption is enabled at the storage layer. Backups are encrypted using the same standards. Encryption keys are managed through AWS KMS with automatic rotation.

8. Identity and Access Management

We implement strict identity and access management controls across our organisation and platform:

  • Employee access: All Faaro employees use SSO with MFA for access to internal systems. Access is granted on a least-privilege basis and reviewed quarterly.
  • Production access: Access to production systems is restricted to authorised personnel only, with all access logged and auditable. Just-in-time access is used for elevated privileges.
  • Customer data access: Faaro personnel do not access customer or candidate data unless explicitly authorised by the customer for support purposes. All support access is logged.
  • Offboarding: Employee access is revoked within 24 hours of termination. Automated processes ensure complete access removal across all systems.

9. Business Continuity

We maintain business continuity and disaster recovery capabilities to ensure service availability:

  • Recovery Time Objective (RTO): 24 hours. Maximum targeted time to restore service after a major disruption.
  • Recovery Point Objective (RPO): 4 hours. Maximum targeted data loss window in the event of a disaster.
  • Automated backups: Database backups are performed continuously with point-in-time recovery capability.
  • Geographic redundancy: Backup data is replicated to a secondary AWS region for disaster recovery.
  • Disaster recovery testing: Recovery procedures are tested regularly to validate RTO/RPO targets.
  • Incident communication: We maintain a status page and will proactively communicate service disruptions to affected customers.

10. Incident Response

We maintain a documented incident response plan that is reviewed and tested regularly:

  • Detection: Automated monitoring and alerting for security events across infrastructure and application layers.
  • Triage: Incidents are classified by severity and assigned to the appropriate response team.
  • Containment: Immediate steps to contain the incident and prevent further impact.
  • Investigation: Thorough investigation to determine root cause, scope, and impact.
  • Notification: Affected customers are notified in accordance with contractual obligations and applicable law (including the Notifiable Data Breaches scheme under the Privacy Act 1988).
  • Remediation: Root cause remediation and implementation of preventive measures.
  • Post-incident review: Blameless post-mortem review with documented lessons learned.

To report a security incident or vulnerability, contact security@faaroglobal.com.

11. Third-Party Services

We carefully evaluate and monitor all third-party services integrated into our platform:

  • Vendor assessment: All third-party vendors undergo a security assessment before onboarding, including review of their security certifications, practices, and data handling procedures.
  • Ongoing monitoring: We continuously monitor the security posture of our vendors and review their certifications and audit reports annually.
  • Contractual protections: All vendors are bound by contractual security and data protection obligations.
  • ATS integrations: Integrations with Applicant Tracking Systems such as Bullhorn, JobAdder, and FastTrack360 are implemented with secure API connections, encrypted credentials, and minimal data exposure (only the data required for the configured screening workflow is transmitted).
  • Compliance check providers: Third-party providers used for police checks, work rights verification, and credential validation are assessed for security and data handling compliance before integration.

12. AI/ML Transparency

OnPass uses AI for candidate pre-screening interviews. Transparency and fairness are central to how we build and operate our AI capabilities:

  • AI-powered screening: The AI conducts voice or chat interviews and assigns candidate scores based on role-specific criteria configured by the employer.
  • Human oversight: AI screening supports but does not replace recruiter decision-making. All AI-generated scores and recommendations are presented to recruiters for final review. Automated suggestions can be accepted, modified, or rejected by authorised users.
  • Human review requests: Candidates can request human review of AI screening outcomes.
  • Data isolation: Customer data is not used to train models for other customers. Screening models are tuned per-employer configuration, not across customer datasets.
  • Purpose limitation: AI/ML features are used solely to improve screening accuracy, compliance detection, and candidate experience. They are not used for discriminatory profiling.
  • Transparency: We are transparent about where AI is used in the screening process and provide documentation on how these features work. See our Privacy Policy for further details on AI data processing.

13. Shared Responsibility

Security is a shared responsibility between OnPass and our customers. While we are responsible for the security of our platform and infrastructure, customers share responsibility for:

  • Account security: Using strong passwords, enabling MFA, and managing user access within their organisation.
  • Candidate consent: Ensuring that appropriate consent is obtained from candidates before submitting them for AI screening and compliance checks.
  • Access management: Configuring appropriate roles and permissions for their recruiters and administrators, and promptly revoking access when no longer needed.
  • Integration credentials: Securing API keys, tokens, and credentials used for ATS integrations (Bullhorn, JobAdder, FastTrack360, and others).
  • Incident reporting: Promptly reporting any suspected security incidents or vulnerabilities to security@faaroglobal.com.
  • Compliance: Ensuring their use of the platform complies with applicable laws and regulations in their jurisdiction, including employment and anti-discrimination laws.

Contact Our Security Team

We welcome security inquiries, vendor assessment requests, and responsible vulnerability disclosures.

Faaro (ABN 74 611 345 530)

C/- Margetson & Associates
Unit 21, 598-602 Forest Road
Penshurst, NSW 2222
Australia

OnPass is a product of Faaro.

Security enquiries: security@faaroglobal.com
Privacy enquiries: privacy@faaroglobal.com
Data Protection Officer: dpo@faaroglobal.com


© 2026 OnPass. A product of Faaro (ABN 74 611 345 530). All rights reserved.