§ PLATFORM / SECURITY · Security & Architecture

Pre-hire scores aren't CJI. We give your CSO the paper to prove it.

ReadyFirst was designed assuming your CSO, your counsel, and your CIO would each read the architecture before approving the contract. The decisions that shaped it — pre-hire scope, tenant isolation, identity posture, audit — answer the questions those three people ask first.

// THE PROCUREMENT GATE

Most assessment vendors lose deals at the security review, not the pricing review. The CSO asks "is this CJIS?", the CIO asks "how is tenancy isolated?", and counsel asks "what happens to candidate data?". ReadyFirst was built to answer those three questions first.

§ How it's built

Three architectural choices, each a procurement answer.

01. Per-organization SAML identity

Each agency runs identity through their own IdP. ReadyFirst doesn't store passwords on your behalf or maintain a parallel directory.

Your IT team controls the access lifecycle — provisioning, deprovisioning, MFA policy, conditional access — under the same governance you already operate.

02. Tenant isolation at the database row

Every query is scoped by organization through Postgres row-level security, enforced in the database, not the application.

A bug in app code can't accidentally leak across tenants. The isolation boundary lives below the layer most likely to break.

03. Action-level audit trail

Every administrative action is logged with the user, IP address, user agent, and outcome. Indexed and exportable.

Built for the auditor who asks "who saw this candidate's score and when" — and gets a precise answer instead of a hand-wave.

[ SPEC SHEET ]

The line-items your security team will copy into the matrix.

Identity: SAML 2.0, per-organization IdP. No shared identity directory.

Admin MFA: TOTP-based two-factor required on administrative accounts.

Tenant isolation: Postgres row-level security policies, enforced in the database.

Audit trail: Per-action log: user, organization, IP, user agent, outcome, timestamp.

Score integrity: Scoring is computed server-side from raw response data; client-submitted scores are never trusted.

Transport: TLS 1.2 or higher, enforced.

CJIS posture: Pre-hire cognitive scores are not Criminal Justice Information under FBI CJIS Security Policy. We provide your CJIS Security Officer a one-page applicability statement that documents the data flow and answers the boilerplate question without forcing a full attestation.

Hosting: US-based infrastructure. Specifics for your data residency requirements available in the procurement packet.

Items not covered here — penetration test cadence, vulnerability disclosure policy, sub-processor list, incident response timing — are in the procurement packet. Send us your standard questionnaire and we'll return it filled out.

§ Next

Send us the questionnaire your security team uses.

We'll fill it out and return it inside three business days. If something we don't yet support is on it, we'll tell you that too — in writing.