Security & Compliance
JobCompanion takes the security of your personal and professional data seriously. This page describes the technical and organizational measures we implement to protect your information.
Last updated: April 30, 2025
1. Security Philosophy
Security is not an afterthought at JobCompanion — it is a foundational design principle. We handle sensitive professional data including resumes, employment history, and job application records. We apply industry-standard security practices across all layers of our infrastructure to protect this data from unauthorized access, disclosure, alteration, and destruction.
We acknowledge that no system can guarantee 100% security. Cybersecurity threats evolve continuously, and absolute security is not achievable. However, we commit to implementing reasonable and appropriate security measures, monitoring for threats proactively, and responding to incidents promptly and transparently.
2. Authentication and Access Control
2.1 Authentication Infrastructure
User authentication is managed by Supabase Auth, an enterprise-grade authentication service built on industry-standard protocols. Authentication options include:
- Email and Password: Passwords are never stored in plaintext. Supabase uses bcrypt hashing with salting for all password storage.
- OAuth (Social Login): Users may authenticate via trusted OAuth providers (e.g., Google). OAuth tokens are managed by Supabase and are never stored on our application servers.
- Session Management: Authenticated sessions are managed via secure, HTTP-only cookies and JWT tokens with configurable expiration. Refresh tokens are rotated on use to prevent token reuse attacks.
2.2 Row-Level Security (RLS)
All database tables containing user data are protected by Row-Level Security policies enforced at the PostgreSQL database level. These policies ensure that:
- Users can only read and write their own data
- No user can access another user's resume, profile, or application data
- RLS policies are enforced at the database layer, independent of application-level checks
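As an added illustration (not JobCompanion's own schema or policies), the following Supabase/PostgreSQL SQL shows what owner-only Row-Level Security of this kind looks like for a resume table and its matching storage bucket; the table, column and bucket names are assumptions.

```sql
-- Added example, not JobCompanion's schema. Assumed names: public.resumes,
-- owner_id, and a private storage bucket called 'resumes'.
create table if not exists public.resumes (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null default auth.uid() references auth.users(id) on delete cascade,
  file_path  text not null,
  created_at timestamptz not null default now()
);

-- Without this statement no policy is evaluated and any role with table
-- grants can read every row, so it is the line reviewers should look for first.
alter table public.resumes enable row level security;

-- One policy per operation so each rule is small and auditable.
-- USING filters rows a user may see/affect; WITH CHECK validates rows they write.
create policy "resumes_select_own" on public.resumes
  for select to authenticated
  using (owner_id = auth.uid());

create policy "resumes_insert_own" on public.resumes
  for insert to authenticated
  with check (owner_id = auth.uid());

create policy "resumes_update_own" on public.resumes
  for update to authenticated
  using (owner_id = auth.uid())
  with check (owner_id = auth.uid());   -- blocks re-assigning a row to another user

create policy "resumes_delete_own" on public.resumes
  for delete to authenticated
  using (owner_id = auth.uid());

-- Unauthenticated clients get no policy at all, which under RLS means no rows.
revoke all on public.resumes from anon;

-- Object storage: files live under <user id>/<file>, and the first path
-- segment must equal the caller's auth.uid() for the bucket 'resumes'.
create policy "resume_files_owner_only" on storage.objects
  for all to authenticated
  using (bucket_id = 'resumes' and (storage.foldername(name))[1] = auth.uid()::text)
  with check (bucket_id = 'resumes' and (storage.foldername(name))[1] = auth.uid()::text);

-- Verification query: every user-data table should appear here with
-- rowsecurity = true and at least one policy attached.
select c.relname, c.relrowsecurity, count(p.policyname) as policies
from pg_class c
join pg_namespace n on n.oid = c.relnamespace
left join pg_policies p on p.tablename = c.relname and p.schemaname = n.nspname
where n.nspname = 'public' and c.relkind = 'r'
group by c.relname, c.relrowsecurity;
```

Because the policies reference auth.uid() from the request's JWT, they hold even when application code forgets to filter by user, which is the "independent of application-level checks" property described above.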
3. Data Encryption
3.1 Encryption in Transit
All data transmitted between users' browsers and our servers is encrypted using Transport Layer Security (TLS) version 1.2 or higher. We enforce HTTPS across all Platform endpoints. Unencrypted HTTP connections are automatically redirected to HTTPS.
3.2 Encryption at Rest
All data stored in our database and object storage is encrypted at rest using AES-256 encryption. This includes:
- User profile and preference data in PostgreSQL
- Application history and tracking records
- Resume files stored in Supabase object storage
- Authentication credentials and session tokens
Encryption keys are managed by Supabase and the underlying cloud infrastructure provider (AWS), using hardware security modules (HSMs) where available.
3.3 API Communication Security
All communications with third-party APIs (including OpenAI) are conducted over encrypted HTTPS connections. API keys are stored as server-side environment variables and are never exposed to client-side code or included in public repositories.
4. Infrastructure Security
4.1 Cloud Infrastructure
JobCompanion is hosted on cloud infrastructure that adheres to industry-leading security standards. Our database and authentication services are provided by Supabase, which is hosted on AWS and maintains SOC 2 Type II compliance. Our application layer is deployed on Vercel's edge network, which provides DDoS protection and global content delivery.
4.2 Network Security
- Database access is restricted to application servers via network-level access controls
- Direct public access to the database is disabled
- API rate limiting is implemented to prevent abuse and denial-of-service attacks
- Input validation and sanitization are applied to all user-submitted data to prevent injection attacks
4.3 Dependency Management
We regularly audit and update third-party software dependencies to address known security vulnerabilities. Critical security patches are applied promptly upon availability.
5. Organizational Security Controls
- Minimal Access Principle: Internal team members are granted the minimum level of access required to perform their job functions. Access to production data is restricted and requires explicit authorization.
- Access Logging: All administrative access to production systems is logged and subject to periodic review.
- Secure Development Practices: Our development process includes code review, security-focused testing, and adherence to OWASP secure coding guidelines.
- Vendor Assessment: Third-party service providers are evaluated for security practices before integration. We maintain Data Processing Agreements (DPAs) with key infrastructure providers.
6. Data Retention and Deletion
We adhere to a minimal data retention philosophy:
- User data is retained only for as long as your account is active or as required by law
- System logs are automatically purged after 90 days
- Deleted accounts and associated data are permanently removed within 30 days of a deletion request
- Backup data is retained for a maximum of 30 days and then purged
7. Incident Response
In the event of a security incident that may affect your data, we commit to:
- Investigating and containing the incident promptly
- Notifying affected users within 72 hours of discovering a breach that poses a risk to their rights and freedoms
- Providing clear information about what data was affected, what actions we have taken, and what steps you can take to protect yourself
- Reporting to relevant regulatory authorities as required by applicable law
To report a security vulnerability or concern, please contact us immediately at support@jobcompanion.app with the subject line "Security Report."
8. Compliance Standards
JobCompanion operates in alignment with the following standards and frameworks:
- GDPR (General Data Protection Regulation): For users in the European Union and EEA, we apply GDPR-aligned data protection principles including lawful basis for processing, data subject rights, and data minimization.
- CCPA (California Consumer Privacy Act): For California residents, we honor rights to know, delete, and opt-out of data sale (we do not sell data).
- IT Act 2000 (India): For users in India, we comply with the Information Technology Act, 2000 and associated rules regarding sensitive personal data.
- OWASP Top 10: Our development practices are informed by the OWASP Top 10 security risks framework.
- SOC 2 (via Supabase): Our primary infrastructure provider (Supabase) maintains SOC 2 Type II compliance, providing assurance over security, availability, and confidentiality controls.
9. Security Limitations Disclosure
While we implement comprehensive security measures, we must disclose that no internet-based service can guarantee absolute security. Factors outside our control — including sophisticated cyberattacks, zero-day vulnerabilities, and user-side security practices — may affect the security of your data. We strongly recommend that users:
- Use strong, unique passwords for their JobCompanion account
- Enable two-factor authentication when available
- Log out of the Platform when using shared or public devices
- Report any suspicious account activity immediately
Questions about this policy? Contact us at support@jobcompanion.app