
Overview

This document describes the security model of the Firstwork platform — authentication mechanisms, access boundaries, data handling practices, and areas relevant to security assessments.

1. Authentication

Supported Login Methods

| Method | Description |
|---|---|
| Email + Password | Traditional credential-based login |
| Email OTP | One-time password delivered via email |
| Phone OTP | One-time password delivered via SMS |
| Google OAuth | Single sign-on through Google |
| Dual OTP | Requires both email and phone verification |
| Magic Link | One-click authentication via emailed link |
| Invite Link | Registration through a pre-shared invitation URL |

Login methods are configurable per company through feature flags. Companies can enable any combination of methods.

Password Policy

| Requirement | Value |
|---|---|
| Minimum length | 8 characters |
| Maximum length | 64 characters |
| Uppercase letter | Required |
| Lowercase letter | Required |
| Digit | Required |
| Special character | Required |

Session Management

  • Authentication is token-based (JWT)
  • Sessions persist until explicit logout or token expiry
  • Invalid sessions are terminated with redirection to the login page
  • Conflict detection triggers automatic session refresh

CAPTCHA

Google reCAPTCHA can be enabled per company to protect login and registration forms from automated abuse.

2. Access Control

Role-Based Access

The platform enforces strict role-based access control with four tiers:

| Role | Access Scope |
|---|---|
| Applicant | Own applications, forms, and profile only |
| Worker | Own contract, documents, tasks, onboarding, and profile |
| Admin | All company data: hiring flows, applications, automations, settings |
| Platform Staff | Cross-company access to all platform management tools |

Unauthorized access attempts result in a generic “not found” response (not a permission error) to avoid revealing the existence of restricted resources.

Company Data Isolation

Each company’s data is fully isolated. Admins see only their own company’s data. Platform staff can switch between companies but data is never mixed across tenants. Resources within a company can be further scoped to specific legal entities, ensuring that subsidiaries or regional offices maintain independent configurations.
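The two rules above (tenant isolation, and a uniform “not found” for anything the caller may not see) are easiest to get right when they live in one lookup function rather than in each route handler. The following is an added example, not Firstwork’s code: the roles, the `Application` record shape and the in-memory store are constructed to show the pattern, and the role names are assumptions.

```python
"""Tenant-scoped record lookup that answers 404 for missing AND forbidden rows.

Added example, not the platform's own code. Role names, record fields and the
in-memory store are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional


class NotFound(Exception):
    """Raised for unknown and for unauthorized records alike, so a caller probing
    identifiers cannot distinguish "does not exist" from "belongs to someone else"."""


@dataclass(frozen=True)
class Principal:
    user_id: str
    company_id: Optional[str]   # None for platform staff, who are not bound to one tenant
    role: str                   # "applicant", "worker", "admin" or "platform_staff" (assumed names)


@dataclass(frozen=True)
class Application:
    app_id: str
    company_id: str
    applicant_id: str


# Constructed sample data: two tenants with one application each.
APPLICATIONS = {
    "app-1": Application("app-1", "acme", "alice"),
    "app-2": Application("app-2", "globex", "bob"),
}


def load_application(principal: Principal, app_id: str) -> Application:
    """Return the application if the principal may read it, else raise NotFound.

    Every denying branch raises the same exception as a missing row. The tenant
    check runs before any role check, so an admin of one company can never learn
    that an identifier exists in another.
    """
    record = APPLICATIONS.get(app_id)
    if record is None:
        raise NotFound(app_id)

    if principal.role == "platform_staff":
        return record                                   # cross-company access by design

    if record.company_id != principal.company_id:
        raise NotFound(app_id)                          # tenant boundary, not a 403

    if principal.role == "admin":
        return record                                   # all of the own company's data

    if principal.role == "applicant" and record.applicant_id == principal.user_id:
        return record                                   # own application only

    raise NotFound(app_id)                              # workers, other applicants


def http_status(principal: Principal, app_id: str) -> int:
    """Status a route handler would emit: 200 or 404, never 403."""
    try:
        load_application(principal, app_id)
        return 200
    except NotFound:
        return 404
```

The point of funnelling every denial through `NotFound` is that the response shape, timing and status for “wrong tenant”, “wrong user” and “no such row” are identical; a separate 403 branch anywhere in the handler would reintroduce the oracle the page says it avoids.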

User Impersonation

Platform staff can impersonate any user for support purposes. A visual indicator is displayed during impersonation. This capability can optionally be extended to admin-to-admin impersonation through a feature flag.

3. User Input Surfaces

Form Submissions

The primary input surface. Candidates and workers submit data through multi-page forms that include:
  • Text fields (with optional regex validation)
  • Email and phone fields (with format validation)
  • Numeric fields (with min/max constraints)
  • Selection fields (dropdowns, radio buttons, checkboxes)
  • Date fields
  • Rich text editors (for admin-created content)
  • Free-text cancellation reasons (scheduler)
All form inputs are validated client-side via schema validation and server-side on submission.

Rich Text Editors

Admins use rich text editors for:
  • AI Caller conversation scripts
  • Email and SMS templates
  • Course descriptions
  • Form description elements
These editors support dynamic variable interpolation using placeholder syntax.
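Variable interpolation is the point where candidate-supplied data (a name, an answer) flows into admin-authored content, and the safe rendering rule differs by channel: an email template is HTML, so values must be HTML-escaped, while an SMS body is plain text. The example below is added here and is not Firstwork’s renderer; the `{{ name }}` placeholder syntax, the channel names and the sample values are assumptions.

```python
"""Channel-aware placeholder substitution. Added example, not the platform's
templating engine. The {{ name }} syntax and the channel names are assumed."""
import html
import re
from typing import Callable, Dict

# Assumed placeholder syntax: {{ identifier }}, identifiers may be dotted.
PLACEHOLDER = re.compile(r"\{\{\s*([A-Za-z_][A-Za-z0-9_.]*)\s*\}\}")


class UnknownVariable(KeyError):
    """A template referenced a variable the caller did not supply."""


def _identity(value: str) -> str:
    return value


# How a value must be encoded before it is placed into each channel's body.
ESCAPERS: Dict[str, Callable[[str], str]] = {
    "email": html.escape,   # body is HTML: neutralise <, >, &, quotes
    "sms": _identity,       # body is plain text: nothing to escape
}


def render(template: str, variables: Dict[str, str], channel: str) -> str:
    """Substitute placeholders in an admin-authored template with escaped values.

    re.sub visits each placeholder of the *template* exactly once, so a value
    that itself contains "{{ other }}" is emitted literally and never expanded.
    Unknown variables raise instead of rendering as an empty string, which would
    silently mangle a message.
    """
    if channel not in ESCAPERS:
        raise ValueError(f"unknown channel {channel!r}")
    escape = ESCAPERS[channel]

    def substitute(match: "re.Match[str]") -> str:
        name = match.group(1)
        if name not in variables:
            raise UnknownVariable(name)
        return escape(str(variables[name]))

    return PLACEHOLDER.sub(substitute, template)


# Constructed sample: a candidate's "name" that is really an HTML payload.
SAMPLE_TEMPLATE = "<p>Hi {{ first_name }}, your interview is at {{ slot }}.</p>"
SAMPLE_VARS = {"first_name": "<img src=x onerror=alert(1)>", "slot": "9am"}
```

The template body itself stays under admin control (it is written in the rich text editor), so the escaping targets the values, not the markup. Escaping at render time, per channel, also means the stored candidate data stays raw and can be reused safely in a plain-text channel without double-encoding.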

Code and Script Editors

Platform staff have access to:
  • A JavaScript editor for server-side scripts
  • Custom Python function configuration in automations
  • JSON editors for webhook request bodies

Search Fields

List views throughout the platform include search fields for filtering records. These are used across hiring flows, applications, automations, courses, and other entity lists.

4. File Upload Surfaces

| Surface | Who Can Upload | File Types |
|---|---|---|
| Document upload (forms) | Applicants, Workers | Documents, images |
| Camera capture | Applicants | Photos (for document scanning) |
| Video capture | Applicants | Video (for identity verification) |
| Liveness check | Applicants | Camera capture (for face verification) |
| E-signature | Applicants, Workers | Canvas-drawn signature image |
| Profile avatar | All users | Image |
| Course cover image | Admins | Image |
| Company logo | Admins | Image |
| AI Caller avatar | Admins | Image |
| AI Agent file inputs | Admins (testing) | Any file type |
| Bulk import | Platform Staff | ZIP, CSV |
| Static files | Platform Staff | Any file type |
| Description media | Admins | Images, videos (for form content) |
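Each surface in the table accepts a narrow set of types, and the check an assessor looks for is whether the server decides by file content or by the client-supplied name and Content-Type. The following is an added example, not Firstwork’s upload handler: the per-surface allow-lists, the size cap, the magic-byte table and the sample payloads are constructed to illustrate content sniffing and filename normalisation.

```python
"""Content-driven validation for upload surfaces.

Added example, not the platform's own handler. Allow-lists, the size cap and
the sample bytes are constructed for illustration.
"""
import os
import re
from typing import Optional, Tuple

# Leading bytes that identify the formats used below (constructed table).
SIGNATURES = {
    b"\x89PNG\r\n\x1a\n": "image/png",
    b"\xff\xd8\xff": "image/jpeg",
    b"%PDF-": "application/pdf",
}

# Extensions that may accompany each sniffed type.
EXT_FOR_MIME = {
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "application/pdf": {".pdf"},
}

# What each surface accepts (assumption modelled on the table above).
ALLOWED = {
    "profile_avatar": {"image/png", "image/jpeg"},
    "company_logo": {"image/png", "image/jpeg"},
    "document_upload": {"image/png", "image/jpeg", "application/pdf"},
}

MAX_BYTES = 10 * 1024 * 1024  # assumed cap; the page does not state one

# Constructed sample payloads.
PNG_BYTES = b"\x89PNG\r\n\x1a\n" + b"\x00" * 24
PDF_BYTES = b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"
HTML_BYTES = b"<html><script>alert(1)</script></html>"   # an HTML file named *.png


def sniff(data: bytes) -> Optional[str]:
    """Identify the payload by its leading bytes; the client's name and
    Content-Type header are never consulted."""
    for magic, mime in SIGNATURES.items():
        if data.startswith(magic):
            return mime
    return None


def safe_filename(name: str) -> str:
    """Reduce a user-supplied name to one path component of safe characters,
    so "../../etc/passwd.png" or "..\\..\\win.ini" cannot steer the storage path."""
    base = os.path.basename(name.replace("\\", "/"))
    base = re.sub(r"[^A-Za-z0-9._-]", "_", base).strip(".")
    return base or "upload"


def validate_upload(surface: str, filename: str, data: bytes) -> Tuple[bool, str]:
    """Return (accepted, mime_or_reason). Acceptance is decided by content; the
    extension is only required to agree with what the bytes say."""
    if surface not in ALLOWED:
        return False, "unknown upload surface"
    if len(data) > MAX_BYTES:
        return False, "file too large"
    mime = sniff(data)
    if mime is None or mime not in ALLOWED[surface]:
        return False, "content type not allowed for this surface"
    ext = os.path.splitext(safe_filename(filename))[1].lower()
    if ext not in EXT_FOR_MIME[mime]:
        return False, "extension does not match content"
    return True, mime
```

Requiring the extension to match the sniffed type matters for anything later served back to a browser: a file whose bytes are HTML but whose name says `.png` is rejected outright, and a real PNG uploaded as `.html` is rejected too, so the stored name can never coax a browser into rendering the content as a document. Size is checked before sniffing so a large body is refused before any parsing.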

5. External Communication Channels

Outgoing Communications

| Channel | Provider | Triggered By |
|---|---|---|
| Email | SendGrid | Automations, system notifications |
| SMS | Twilio, Plivo, Exotel | Automations, OTP delivery |
| Slack | Slack API | Automations |
| Phone calls | Plivo | AI Caller |
| Video meetings | Daily.co | Scheduler meet queues |

Outgoing HTTP Requests

| Surface | Description |
|---|---|
| Webhook automation action | Sends HTTP requests to arbitrary external URLs with configurable method, headers, body, and authentication |
| App integration actions | Custom integrations that make HTTP requests to configured endpoints |
| Background check services | Sterling API calls |
| Identity verification | Veriff API calls |
| Employment verification | E-Verify API calls |
| ATS synchronization | Fountain API calls |
| Spreadsheet operations | Google Sheets API |
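A webhook action that reaches admin-chosen URLs from the server is the classic server-side request forgery surface: the request originates inside the platform’s network, so the destination must be vetted before connecting. The example below is an added illustration of such an egress check, not Firstwork’s implementation. It takes a pluggable resolver so it can be exercised offline; the stub hostnames and addresses used in the test are constructed.

```python
"""Egress validation for admin-supplied webhook destinations.

Added example, not the platform's code. The resolver is injectable so the check
can run offline against a constructed DNS table.
"""
import ipaddress
import socket
from typing import Callable, Iterable, List, Tuple
from urllib.parse import urlsplit

Resolver = Callable[[str], Iterable[str]]   # hostname -> IP address strings


def resolve_with_system_dns(host: str) -> List[str]:
    """Default resolver: every A/AAAA answer the system returns for the host."""
    return sorted({info[4][0] for info in socket.getaddrinfo(host, None)})


def is_public_address(ip_text: str) -> bool:
    """True only for addresses that are routable on the public Internet."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is loopback in disguise; judge the embedded IPv4 address.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return not (ip.is_private or ip.is_loopback or ip.is_link_local
                or ip.is_multicast or ip.is_reserved or ip.is_unspecified)


def check_webhook_target(url: str, resolver: Resolver = resolve_with_system_dns) -> Tuple[bool, str]:
    """Decide whether a webhook URL may be contacted from inside the platform.

    Rejects non-https schemes, embedded credentials, and any destination that
    resolves to a loopback, private, link-local (cloud metadata) or otherwise
    non-public address. Every resolved address must pass, so a name that
    answers with one public and one internal address is refused.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False, "only https destinations are allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials embedded in the URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "URL has no host"

    try:
        addresses = [str(ipaddress.ip_address(host))]      # literal IP, no lookup needed
    except ValueError:
        try:
            addresses = list(resolver(host))
        except OSError:
            return False, f"{host} does not resolve"
    if not addresses:
        return False, f"{host} does not resolve"

    for address in addresses:
        if not is_public_address(address):
            return False, f"{host} resolves to non-public address {address}"
    return True, "ok"


# Constructed DNS table for offline use; none of these names are real endpoints.
FAKE_DNS = {
    "hooks.example.com": ["93.184.216.34"],
    "internal.corp": ["10.0.0.5"],
    "metadata.test": ["169.254.169.254"],
    "dual.example.com": ["93.184.216.34", "192.168.1.1"],
}


def fake_resolver(host: str) -> List[str]:
    if host not in FAKE_DNS:
        raise OSError("NXDOMAIN")
    return FAKE_DNS[host]
```

Two caveats follow from the shape of this check. First, it validates the address at configuration or dispatch time, but the HTTP client will resolve the name again when it connects; to close that rebinding window, connect to the vetted IP and send the hostname in the `Host` header and SNI, or re-run the check inside the client’s connection hook. Second, redirects are a second request with a new destination, so the client must either refuse to follow them or apply the same check to every hop.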

Incoming HTTP Requests

| Surface | Description |
|---|---|
| Webhook triggers | External systems can invoke automations via unique webhook URLs |
| External API | Applications can be created via authenticated API calls |

6. Integration Credential Storage

| Integration | Credential Type |
|---|---|
| Sterling | Username and password |
| Veriff | API key and private key |
| Google services | OAuth 2.0 tokens |
| Hotjar | Tracking ID |
| Google Tag Manager | Container ID |

API keys generated within the platform are shown only once at creation time and displayed in masked form thereafter.
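“Shown once, masked thereafter” is only possible if the server never keeps the plaintext: it stores a digest, hands the secret to the creator a single time, and from then on can verify a presented key but not display it. The following is an added example of that issuance and verification flow, not Firstwork’s implementation; the `fwk_` prefix, the key layout and the in-memory store are assumptions.

```python
"""Issue-once API keys: store a digest, return the secret a single time.

Added example, not the platform's code. Key prefix and layout are assumed.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

KEY_PREFIX = "fwk_"   # assumed; a fixed prefix lets secret scanners recognise leaked keys


@dataclass(frozen=True)
class StoredKey:
    key_id: str     # public identifier, embedded in the key so lookup needs no scan
    digest: str     # hex SHA-256 of the full secret; the secret itself is never stored
    masked: str     # the only form the UI shows after creation


# Digest compared against when the key id is unknown, so the code path takes
# the same time whether or not a key id exists.
_DUMMY_DIGEST = hashlib.sha256(b"no such key").hexdigest()


def mask(secret: str) -> str:
    """Prefix, key id and last four characters: enough to identify, not to use."""
    return secret[: len(KEY_PREFIX) + 8] + "..." + secret[-4:]


def issue_key(store: Dict[str, StoredKey]) -> Tuple[str, StoredKey]:
    """Create a key. The returned secret is the single copy that will ever exist
    outside the caller's hands; the store receives only its digest.

    A plain unsalted SHA-256 is adequate here because the secret carries 256
    bits of randomness from token_urlsafe(32); salting defends low-entropy
    passwords, not random keys.
    """
    key_id = secrets.token_hex(4)                       # 8 hex chars, never contains "_"
    secret = f"{KEY_PREFIX}{key_id}_{secrets.token_urlsafe(32)}"
    record = StoredKey(key_id, hashlib.sha256(secret.encode()).hexdigest(), mask(secret))
    store[key_id] = record
    return secret, record


def _key_id_of(secret: str) -> Optional[str]:
    if not secret.startswith(KEY_PREFIX):
        return None
    key_id, sep, _ = secret[len(KEY_PREFIX):].partition("_")
    return key_id if sep and len(key_id) == 8 else None


def verify(store: Dict[str, StoredKey], presented: str) -> bool:
    """Check a presented key in constant time against the stored digest."""
    key_id = _key_id_of(presented)
    record = store.get(key_id) if key_id is not None else None
    expected = record.digest if record is not None else _DUMMY_DIGEST
    digest = hashlib.sha256(presented.encode()).hexdigest()
    matches = hmac.compare_digest(digest, expected)
    return matches and record is not None
```

Embedding the key id in the key itself is what makes a hashed store practical: the server looks up one row by id and compares one digest, rather than hashing the presented value against every stored key. It also gives the masked display something meaningful to show, since the id is not secret.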

7. Admin-Level Sensitive Operations

| Operation | Description |
|---|---|
| Creating admin accounts | New admins receive full company access |
| Generating API keys | Creates credentials for external API access |
| Configuring integrations | Stores third-party credentials |
| Building automations | Can trigger webhooks, execute code, send messages, and modify data |
| Managing compliance rules | Controls candidate progression and decision logic |
| Viewing applications | Accesses candidate personal information and documents |
| Exporting billing data | Accesses financial and usage data |
| Custom Python functions | Server-side code execution via automations |

8. Platform Staff Sensitive Operations

| Operation | Description |
|---|---|
| User impersonation | Assumes the identity of any platform user |
| Feature flag management | Controls which capabilities are available per company |
| Script execution | Runs arbitrary JavaScript on the server |
| Company creation | Creates new tenant environments |
| Global template management | Creates resources accessible across all companies |
| Bulk data import | Injects application data from files |
| Demo account creation | Creates companies with sample users and data |
| Static file hosting | Uploads files accessible via URL |

9. Publicly Accessible Pages

The following pages are accessible without authentication:
| Page | Data Visible |
|---|---|
| Job posting | Job title, salary, location, description |
| Login | Company branding |
| Registration | Company branding, job reference |
| Password reset | None |
| Auth landing | Company branding |

Public API endpoints include company information lookup (by slug) and job detail retrieval.

10. Third-Party Services

The platform integrates with the following external services that process user data:

| Service | Purpose | Data Shared |
|---|---|---|
| Sentry | Error monitoring and session replay | Error context, user identifiers, session data |
| Microsoft Clarity | User behavior analytics | User identifiers, company context, page interactions |
| Daily.co | Video conferencing | Audio/video streams during meetings |
| Plivo | Telephony | Phone numbers, voice data during AI calls |
| Deel | Payroll | Embedded third-party interface |

11. Data Validation

| Layer | Technology | Scope |
|---|---|---|
| Client-side schema validation | Schema-based | All forms and configuration inputs |
| Field-level validation | Type-specific | Email format, phone format, password policy, numeric ranges |
| Custom regex validation | Admin-configured | Text fields with admin-defined patterns |
| Server-side validation | API-level | All data mutations |

12. Sensitive Data Categories

| Category | Examples |
|---|---|
| Personal Information | Names, emails, phone numbers, addresses |
| Identity Documents | Passports, IDs, work authorization documents |
| Biometric Data | Camera captures, liveness check images, e-signatures |
| Financial Data | Salary information, billing records |
| Authentication Credentials | Passwords, API keys, OAuth tokens, integration credentials |
| Location Data | GPS coordinates, addresses |