Security & Privacy — Legacy Job Ad Craft

Legacy Job Ad Craft is an internal HR tool operated by Ascend HR Corp on behalf of Legacy Community Health. This page explains in plain language what data we handle, how we protect it, which third-party services are involved, and what rights you have.

Last updated: May 27, 2026

What data this tool handles

Job posting content only. The platform stores job ad drafts: title, department, location, job description text, responsibilities, and qualifications. No candidate data is collected or stored. Uploaded documents are transient — processed in server memory and immediately discarded. User accounts are limited to email address, hashed password, and role.

Encryption & Data Protection

All traffic is encrypted via HTTPS/TLS. HSTS headers prevent protocol downgrade attacks. Data at rest is encrypted by the managed PostgreSQL database. All credentials are stored as environment secrets.

Credential Handling

Passwords are hashed using scrypt with a random salt. Session tokens are stored in httpOnly cookies with 24-hour expiry. Authentication is restricted to @legacycommunityhealth.org and @ascendhrcorp.com email domains.
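The two checks described above, sketched as an added example (this is not code from Legacy Job Ad Craft or Ascend HR Corp). Only the two domains come from this page; the scrypt cost parameters, the stored-hash format and the function names are assumptions.

```python
import hashlib
import hmac
import os

# Allowlist taken from this page.
ALLOWED_DOMAINS = {"legacycommunityhealth.org", "ascendhrcorp.com"}

# Assumed cost parameters; the page does not state the ones in use.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
KEY_LEN, SALT_LEN = 32, 16


def domain_allowed(email: str) -> bool:
    """Exact, case-insensitive match on the domain after a single '@'."""
    if email.count("@") != 1 or any(c.isspace() for c in email):
        return False
    local, domain = email.split("@")
    # Set membership is an exact match, so suffix or subdomain lookalikes fail.
    return bool(local) and domain.lower() in ALLOWED_DOMAINS


def hash_password(password: str) -> str:
    """Derive a key with scrypt and a fresh random salt; store both."""
    salt = os.urandom(SALT_LEN)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        scheme, salt_hex, key_hex = stored.split("$")
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(key_hex)
    except ValueError:
        return False  # malformed record: fail closed
    if scheme != "scrypt" or len(expected) != KEY_LEN:
        return False
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return hmac.compare_digest(actual, expected)


def login_permitted(email: str, password: str, stored: str) -> bool:
    """Reject disallowed domains before doing any password work."""
    return domain_allowed(email) and verify_password(password, stored)
```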

Third-Party Services

OpenAI (via Replit AI) receives job description text only for AI parsing. JazzHR receives job ad content for publishing. Vimeo embeds recruitment videos. Google Sheets provides the approved video list. Replit is the hosting platform.

Frequently Asked Questions

Does Legacy Job Ad Craft store candidate resumes or personal data?
No. The platform only stores job posting content (title, department, description, location). It does not collect, store, or process candidate applications, resumes, or personal data.

What happens to documents I upload?
Uploaded Word, PDF, and TXT files are processed entirely in server memory for AI parsing and are immediately discarded. They are never written to disk or retained in the database.

Is this platform SOC 2 certified?
No. The platform is designed to support SOC 2 readiness and maps controls to the SOC 2 Trust Services Criteria, but has not undergone a formal SOC 2 audit.

Who can access the platform?
Access is restricted to users with @legacycommunityhealth.org and @ascendhrcorp.com email addresses. Other domains are rejected at authentication.

How do I request deletion of my data or report a security issue?
Contact the Ascend HR Corp technical team at the email address provided in the platform footer, or reach your Legacy Community Health IT contact directly.