Security is our highest priority. We employ multiple layers of protection to keep your resume data and account safe at all times.
Data Encryption
- In Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (the latest standard)
- At Rest: All data stored on our servers is encrypted using AES-256, the same standard used by banks and government agencies
- Passwords: User passwords are hashed using bcrypt with a salt factor of 12 — we never store plain-text passwords
- API Keys: API keys are stored as salted SHA-256 hashes
Infrastructure Security
- Cloud Provider: AWS with SOC 2 Type II certification
- Network: Private VPC with strict firewall rules and DDoS protection
- Access Control: Role-based access control (RBAC) — employees access only what they need
- Monitoring: 24/7 security monitoring and intrusion detection systems
- Backups: Automated daily backups with point-in-time recovery, retained for 30 days
Application Security
- Authentication: Secure session management with automatic expiry after 30 days of inactivity
- CSRF Protection: All forms protected against cross-site request forgery
- XSS Prevention: Content Security Policy headers and output encoding on all user-generated content
- SQL Injection: Parameterised queries and ORM used throughout — no raw SQL with user input
- Rate Limiting: API rate limiting to prevent brute-force attacks
- Dependency Scanning: Automated scanning of all dependencies for known vulnerabilities
Payment Security
We use Stripe for payment processing. Stripe is PCI DSS Level 1 certified — the highest level of payment security certification. We never store, process, or transmit full credit card numbers on our servers. All payment data goes directly to Stripe's secure servers.
Security Audits & Compliance
- Annual third-party penetration testing by certified security professionals
- Quarterly internal security reviews and vulnerability assessments
- GDPR compliant data handling and processing
- OWASP Top 10 vulnerability protection
Responsible Disclosure
We take security vulnerabilities seriously. If you discover a security issue in our service, we encourage responsible disclosure:
- Email: [email protected]
- Include a detailed description of the vulnerability
- Do not access or modify other users' data
- Give us reasonable time to investigate and fix before public disclosure
We do not pursue legal action against researchers who follow responsible disclosure guidelines. We appreciate every security report and will acknowledge your contribution.
Incident Response
In the unlikely event of a security breach affecting your personal data, we will:
- Notify affected users within 72 hours of discovery
- Report to relevant regulatory authorities as required by GDPR
- Provide clear information about what data was affected and what steps to take
- Take immediate action to contain and remediate the incident