Information Security Policy

Last Updated: January 9, 2026

Philosophy

CandidateSeekers adopts a "Security by Design" approach. We leverage enterprise-grade infrastructure providers (Supabase, Vercel) to inherit world-class physical and network security, allowing us to focus rigorous controls on the application logic and data access layers.

Data Encryption

  • In Transit: All data transmitted between clients and our servers is encrypted using strong TLS 1.2/1.3 protocols.
  • At Rest: Data stored in our database (Supabase) is encrypted at rest using AES-256.

Application Security

  • Row Level Security (RLS): We strictly enforce PostgreSQL Row Level Security. Database requests are authenticated at the database layer; users can *only* access rows they are explicitly permitted to see (e.g., a Candidate can only edit their own profile).
  • SQL Injection Protection: We use parameterized queries and ORMs (Supabase Client) to prevent SQL injection attacks.
  • Input Validation: All user input is validated on both the client-side and server-side to prevent XSS and malicious data entry.
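As an added illustration of the Row Level Security model described above (this is example SQL, not CandidateSeekers' actual schema or policies), the following shows a candidate-profile table where each candidate can read and edit only their own row. The table and column names are assumptions; `auth.uid()` and the `authenticated` role are Supabase's standard helpers that resolve the caller's identity from the request JWT.

```sql
-- Added example (not CandidateSeekers' own schema): a Supabase/PostgreSQL
-- table for candidate profiles with Row Level Security enforcing that a
-- candidate can read and edit only their own row. Table and column names
-- are assumptions; auth.uid() is Supabase's helper returning the caller's
-- authenticated user id from the request JWT.

create table if not exists public.candidate_profiles (
  id          uuid primary key default gen_random_uuid(),
  user_id     uuid not null references auth.users (id) on delete cascade,
  full_name   text,
  headline    text,
  updated_at  timestamptz not null default now()
);

-- Without this line every policy below is ignored and any authenticated
-- client could read or modify every row through the Supabase client.
alter table public.candidate_profiles enable row level security;

-- Read: a candidate sees only their own profile.
create policy "candidates read own profile"
  on public.candidate_profiles
  for select
  to authenticated
  using (auth.uid() = user_id);

-- Write: a candidate may insert a profile only for themselves ...
create policy "candidates insert own profile"
  on public.candidate_profiles
  for insert
  to authenticated
  with check (auth.uid() = user_id);

-- ... and may update only their own row, and cannot re-point it at
-- another user (the WITH CHECK clause rejects such an UPDATE).
create policy "candidates update own profile"
  on public.candidate_profiles
  for update
  to authenticated
  using (auth.uid() = user_id)
  with check (auth.uid() = user_id);

-- Sanity check from a SQL session: impersonate a user and confirm that
-- only their row is visible (PostgREST sets these same settings per request).
-- set local role authenticated;
-- set local request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
-- select count(*) from public.candidate_profiles;  -- expect at most 1
```

Because the check lives in PostgreSQL itself, it applies regardless of which client or API route issues the query, which is what the policy means by enforcement "at the database layer".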

Authentication

We utilize Supabase Auth (based on GoTrue) for secure identity management.

  • Passwords are salted and hashed (Argon2 or bcrypt) and never stored in plain text.
  • We support and encourage secure OAuth providers (Google, LinkedIn).
  • Sessions use secure, HttpOnly cookies or short-lived JWTs.

Vulnerability Management

  • We conduct regular code reviews for all changes.
  • Dependencies are monitored for CVEs via automated tools (npm audit, GitHub Dependabot).
  • Critical security patches are applied within 72 hours of release.