Updated 8 May 2026

Security

SalaryArc handles your resume and salary information — we take that seriously.

Where your data lives

  • Profile, skills, career maps, and daily-task history sit in a Supabase Postgres database in ap-southeast-1 (Sydney). Each row is locked down by row-level security policies that only let you see your own data — never another user's.
  • Resume files live in a private Supabase Storage bucket scoped per-user. Service-role keys aren't exposed to the browser.
  • Production secrets (API keys, Supabase service role) live in Vercel encrypted env vars — never committed to git, never shipped in the client bundle.
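The per-user row-level security pattern the first bullet describes, as an added example on a hypothetical `profiles` table (this is illustrative SQL, not SalaryArc's own schema or policies; it assumes Supabase's built-in `auth.uid()` helper and `authenticated` role):

```sql
-- Constructed example table; the real schema is not on the page.
create table if not exists profiles (
  id        uuid primary key default gen_random_uuid(),
  user_id   uuid not null references auth.users (id) on delete cascade,
  full_name text,
  skills    text[]
);

-- Until RLS is enabled, any role with table grants can read every row.
alter table profiles enable row level security;
-- Also prevents the table owner from bypassing the policies.
alter table profiles force row level security;

-- Each statement type gets its own policy, all keyed on the JWT subject
-- (auth.uid() reads the sub claim of the caller's Supabase JWT).
create policy "profiles_select_own" on profiles
  for select to authenticated
  using (user_id = auth.uid());

create policy "profiles_insert_own" on profiles
  for insert to authenticated
  with check (user_id = auth.uid());   -- cannot insert rows for someone else

create policy "profiles_update_own" on profiles
  for update to authenticated
  using (user_id = auth.uid())         -- which rows are visible to update
  with check (user_id = auth.uid());   -- and user_id cannot be rewritten

create policy "profiles_delete_own" on profiles
  for delete to authenticated
  using (user_id = auth.uid());

-- Regression check for a migration review: impersonate one constructed user
-- (Supabase normally sets this claim from the bearer token) and confirm that
-- no row belonging to any other user is visible. Any row returned is a policy gap.
set role authenticated;
set request.jwt.claims = '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
select count(*) as foreign_rows_visible from profiles where user_id <> auth.uid();
reset role;
```

Note that the `service_role` key bypasses RLS by design, which is why the second bullet's point about never exposing it to the browser matters as much as the policies themselves.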

How traffic is protected

  • HTTPS-only via Vercel-managed Let's Encrypt certificates.
  • HSTS and X-Frame-Options: DENY headers on responses; standard secure-cookie flags on auth session cookies.
  • Auth sessions are short-lived JWTs refreshed via Supabase's SSR client.

Third parties

See the Privacy Policy for the full list of subprocessors. The short version: only Supabase, OpenAI, Adzuna/JSearch, Stripe, and Vercel ever see your data, and each only sees what they strictly need to do their job.

Reporting a vulnerability

Found something? Please email security@salaryarc.com — we'll respond within two business days. Please don't publicly disclose until we've had a chance to fix it.

Roadmap

We're working toward a SOC 2 Type 1 attestation in 2027. In the meantime we follow the OWASP Top 10 in our review checklist for every code change.