Security & Privacy Overview

1Hosting and Data Residency

• VeteranMatch is hosted in the United States on AWS infrastructure.
• User data is stored and processed in U.S.-based AWS regions, supporting domestic data residency expectations for most U.S. customers and partners.

2Security Philosophy (High Trust by Design)

VeteranMatch follows a “High Trust by Design” approach that emphasizes:

• Least-privilege access — users and administrators only access what is needed
• Defense-in-depth — multiple layers of security controls rather than single points of protection
• Auditability — security-relevant activity is logged for review
• Privacy-first data practices — user data is handled carefully and disclosed only as required to deliver Services

3Data Encryption and Protection

VeteranMatch implements encryption safeguards consistent with modern cloud-security expectations:

• Encryption in transit: Data is encrypted while transmitted using industry-standard TLS/HTTPS
• Encryption at rest: Stored data is protected using encryption mechanisms supported by AWS services
• Secure credential handling: Passwords and authentication secrets are protected using strong security practices (e.g., hashing, tokenization, access control)

These measures help reduce the risk of unauthorized access to data during transit or while stored.

4Identity and Access Management (IAM)

VeteranMatch is designed to ensure that only authorized users can access data:

• Role-based access controls (RBAC) to limit who can see and manage information
• Segmentation of user roles (e.g., veteran, employer, partner, coach)
• Administrative controls and governance around privileged access

When applicable, additional controls such as MFA can be enforced for privileged accounts.

5Monitoring, Logging, and Audit Controls

To support accountability and response readiness, VeteranMatch maintains:

• Security-focused logging of key system activity
• Monitoring tools to detect abnormal behavior or access patterns
• Operational visibility to support troubleshooting and incident review

These controls support internal security management and external audit requests when needed.

6Privacy Principles and Data Minimization

VeteranMatch follows core privacy principles:

• Collect only what is needed for matching, career planning, and recruiting workflows
• Limit internal access to sensitive user information
• Prevent unnecessary disclosure of veteran data to third parties
• Support user control over profile visibility and sharing decisions

Users can control whether their profile is visible to employers, and employers only access candidate information necessary to support hiring decisions.

7Sensitive Data and Clearance Information

VeteranMatch may allow users to include sensitive career information such as:

• Military occupational specialties
• Training qualifications
• Security clearance level (e.g., Confidential, Secret, Top Secret)

8AI Matching and Embeddings

Transparency Without Over-Claiming

VeteranMatch uses predictive analytics and AI-assisted tools to generate:

• Match scores and fit explanations
• Skill gaps and recommended upskilling pathways
• Resume summaries and translations of military roles into civilian equivalents
• SkillBridge matching recommendations

To improve matching accuracy, certain profile elements may be transformed into numerical representations (e.g., vector embeddings) that help the system compare job requirements and candidate profiles. These representations are used to support relevance and explainability, not to make final decisions. Outputs are informational and should be reviewed before being used for employment or career decisions.

9Compliance Alignment and Federal Readiness

VeteranMatch is designed to support environments that value security controls aligned with widely recognized frameworks such as:

• NIST-informed security practices
• Security control approaches consistent with NIST 800-53 / 800-171 principles

Formal certifications or authorizations (e.g., FedRAMP Moderate/High or Agency ATO) are not claimed unless contractually obtained and supported with documentation. VeteranMatch can provide security documentation and participate in security review processes as required by agency or enterprise partners.

10Data Retention and Deletion

VeteranMatch retains user data only as long as needed to:

• Provide Services
• Fulfill program reporting obligations
• Support outcomes tracking
• Comply with legal requirements

Users may request deletion of their data and account in accordance with the platform’s Privacy Policy, subject to any required retention obligations.

11Incident Response and Operational Readiness

VeteranMatch maintains operational safeguards to support secure operations including:

• Access review practices
• Incident handling workflows
• Recovery planning (e.g., backups and restore processes)

In the event of a suspected security incident affecting user data, VeteranMatch will take reasonable steps to investigate, mitigate impact, and provide notifications consistent with applicable law and contractual obligations.

12Summary: Security You Can Trust — Built to Scale