Security isn't a certification you slap on a marketing page — it's the set of decisions that went into every layer of the product. Here's what we actually do.
TLS 1.2 or better for every request. Database storage encrypted at rest with AES-256. Backup volumes encrypted in the same key hierarchy.
Row-level security enforced in Postgres — not just at the application layer. Least-privilege IAM for employees. MFA required for admin access.
Multi-tenant data model scoped by org_id at every query. Recruiter workspaces cannot see each other. Candidate PII never leaves the candidate's control without explicit opt-in.
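What database-enforced tenant scoping looks like in practice, as an added illustration and not getremotejobs' own schema: a Postgres row-level security policy that restricts every read and write on a table to the caller's org_id, so a missing WHERE clause in application code cannot cross workspaces. The table name `candidates`, the role `app_user`, and the session setting `app.current_org` are assumed names for the example.

```sql
-- Added example, not the product's real schema. Assumed names: table `candidates`,
-- role `app_user`, session setting `app.current_org`.

CREATE TABLE IF NOT EXISTS candidates (
    id      bigserial PRIMARY KEY,
    org_id  uuid NOT NULL,
    email   text NOT NULL
);

-- Turn on RLS and make it apply to the table owner as well, so no code path
-- running as the owner silently bypasses the policy.
ALTER TABLE candidates ENABLE ROW LEVEL SECURITY;
ALTER TABLE candidates FORCE ROW LEVEL SECURITY;

-- The application connects as a role without BYPASSRLS and never as superuser.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE, DELETE ON candidates TO app_user;
GRANT USAGE ON SEQUENCE candidates_id_seq TO app_user;

-- One policy covering SELECT/INSERT/UPDATE/DELETE: a row is visible or writable
-- only if its org_id equals the org bound to the current session.
-- current_setting(..., true) returns NULL when the setting was never set, so a
-- connection that forgot to bind an org matches zero rows instead of all rows.
CREATE POLICY tenant_isolation ON candidates
    FOR ALL
    TO app_user
    USING      (org_id = current_setting('app.current_org', true)::uuid)
    WITH CHECK (org_id = current_setting('app.current_org', true)::uuid);

-- Per request, the application binds the org for the transaction only
-- (SET LOCAL is discarded at COMMIT/ROLLBACK, so pooled connections do not
-- leak the previous request's org). The UUID below is a constructed sample.
BEGIN;
SET LOCAL app.current_org = '00000000-0000-0000-0000-000000000001';
SELECT id, email FROM candidates;            -- only that org's rows
INSERT INTO candidates (org_id, email)
    VALUES ('00000000-0000-0000-0000-000000000002', 'x@example.com');
                                             -- rejected by WITH CHECK
COMMIT;
```

The check that matters operationally is the one at the bottom: an insert tagged with a different org_id fails the policy even though the statement itself is well-formed, and a session with no org bound returns nothing. A non-UUID value in the setting raises a cast error rather than widening the match, which is the failure direction you want.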
24-hour on-call rotation with documented playbooks. Breach notification within 72 hours per GDPR Article 33. Post-mortems published to customers.
Data subject request tooling built in. Subprocessors under contract. DPA available for customers processing EU/UK data.
California residents can access, correct, delete, and opt out directly from the product. No sale of personal information.
Controls implemented. Audit observation period begins this year. Full report will be available under NDA once complete.
On the 18-month roadmap. Happy to discuss timeline and scope with enterprise customers.
Card data is handled by Stripe; getremotejobs never stores raw payment details.
Job and career data is not PHI. We do not process health information as part of the Service.
| Provider | Purpose | Data category | Location |
|---|---|---|---|
| Supabase | Database, auth, object storage | All customer + candidate data | US (AWS us-east-1) |
| Vercel | Application hosting | Request metadata, no content at rest | Global edge |
| Anthropic | Resume parsing (Claude Haiku) | Resume content (ephemeral) | US |
| OpenAI | Embedding generation | Resume + job text (ephemeral) | US |
| Resend | Transactional + alert email | Email address, message content | US |
| Stripe | Payment processing | Billing metadata (no card data) | US / EU |
| Sentry | Error monitoring | Stack traces, request metadata | US |
Changes to this list are announced 30 days in advance to enterprise customers. For the full DPA, including Standard Contractual Clauses for EU transfers, see /dpa.
If you've discovered a security issue, we want to hear about it. We don't sue security researchers acting in good faith. Our disclosure policy and PGP contact live at /.well-known/security.txt. Bounties are paid on a case-by-case basis for impactful, previously-unreported findings.