JobGuru handles sensitive personal data — resumes, contact details, work history. We take security seriously at every layer.
Infrastructure
Hosting: Deployed on Fly.io with automatic TLS/HTTPS on all endpoints
Database: PostgreSQL on Neon with encrypted connections (TLS 1.3) and encrypted storage at rest
Email: Transactional emails via Resend with DKIM, SPF, and DMARC configured
Error tracking: Sentry with PII scrubbing enabled — no personal profile data in error reports
Authentication
Passwords are hashed using bcrypt with a work factor of 12
Google OAuth 2.0 supported as a passwordless alternative
Session tokens are signed JWTs with short expiration
Email verification required for new accounts
Data Protection
All API communication is encrypted in transit (TLS)
Database credentials and API keys are stored as environment variables, never in source code
LLM API calls send only the data needed for that request; we do not persist conversation logs with providers
File uploads (resumes) are validated and sanitized before processing
Application Security
Input validation and parameterized queries to prevent SQL injection
Content Security Policy headers to mitigate XSS
CORS restricted to authorized origins
Rate limiting on authentication endpoints
Dependencies monitored for known vulnerabilities
Open Source Transparency
JobGuru's core pipeline is open source under AGPL-3.0. You can audit the code at github.com/Pickle-Pixel/JobGuru. We welcome security reviews from the community.
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly: