Infrastructure
- Hosting: Deployed on Fly.io with automatic TLS/HTTPS on all endpoints
- Database: PostgreSQL on Neon with encrypted connections (TLS 1.3) and encrypted storage at rest
- Email: Transactional emails via Resend with DKIM, SPF, and DMARC configured
- Error tracking: Sentry with PII scrubbing enabled — no personal profile data in error reports
Authentication
- Passwords are hashed using bcrypt with a work factor of 12
- Google OAuth 2.0 supported as a passwordless alternative
- Session tokens are signed JWTs with short expiration
- Email verification required for new accounts
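To make the "signed JWTs with short expiration" item concrete, here is an added example (not JobGuru's own code, whose signing algorithm and token lifetime the page does not state) that mints and verifies an HS256 session token using only the Python standard library. The algorithm, the 15-minute lifetime, the `mint_session_token`/`verify_session_token` names and the test secret are assumptions for the illustration. The verifier pins the algorithm instead of trusting the token's `alg` header, compares signatures in constant time, and rejects expired or malformed tokens.

```python
import base64
import hashlib
import hmac
import json
import time

# Assumption for this example: HS256 signatures and a 15-minute lifetime.
TOKEN_LIFETIME_SECONDS = 15 * 60


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    # Re-add the padding that JWT base64url strips; bad input raises ValueError
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_session_token(user_id: str, secret: bytes, now=None) -> str:
    """Return a compact HS256 JWT for user_id that expires after TOKEN_LIFETIME_SECONDS."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = {"sub": user_id, "iat": now, "exp": now + TOKEN_LIFETIME_SECONDS}
    signing_input = (
        _b64url(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + _b64url(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + _b64url(sig)


def verify_session_token(token: str, secret: bytes, now=None):
    """Return the payload dict if the token is authentic and unexpired, else None."""
    now = int(time.time()) if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        # Pin the algorithm server-side; never let the token choose how it is checked
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None
        expected = hmac.new(
            secret, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256
        ).digest()
        # Constant-time comparison so signature checks do not leak timing
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        payload = json.loads(_b64url_decode(payload_b64))
        exp = payload.get("exp") if isinstance(payload, dict) else None
        # Short expiration is only enforced if the server actually checks exp
        if not isinstance(exp, int) or now >= exp:
            return None
        return payload
    except ValueError:  # covers bad base64, bad JSON, wrong segment count
        return None


if __name__ == "__main__":
    secret = b"example-secret-from-environment"  # assumption: loaded from env in practice
    token = mint_session_token("user-42", secret)
    print(verify_session_token(token, secret))
```

The signing secret would come from an environment variable in a real deployment, in line with the Data Protection section; it is hard-coded here only so the example runs stand-alone.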
Data Protection
- All API communication is encrypted in transit (TLS)
- Database credentials and API keys are stored as environment variables, never in source code
- LLM API calls are stateless and send only the data needed for that request; we do not persist conversation logs with providers
- File uploads (resumes) are validated and sanitized before processing
Application Security
- Input validation and parameterized queries to prevent SQL injection
- Content Security Policy headers to mitigate XSS
- CORS restricted to authorized origins
- Rate limiting on authentication endpoints
- Dependencies monitored for known vulnerabilities
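The first item above, parameterized queries against SQL injection, is easiest to see with the vulnerable query next to the hardened one. The following is an added example, not JobGuru's code or schema: it builds a constructed in-memory SQLite table (the page's database is PostgreSQL, but the placeholder mechanism is the same in psycopg and every other DB-API driver) and runs a classic `' OR '1'='1` payload through both forms. The `users` table, the sample rows and the function names are assumptions for the illustration.

```python
import re
import sqlite3

# Constructed sample data for the demonstration (not the real schema)
SAMPLE_USERS = [
    ("alice@example.com", "$2b$12$placeholder-hash-for-alice"),
    ("bob@example.com", "$2b$12$placeholder-hash-for-bob"),
]

# Classic injection payload: closes the string literal and adds an always-true clause
INJECTION_PAYLOAD = "x' OR '1'='1"


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, email TEXT UNIQUE, password_hash TEXT)"
    )
    conn.executemany("INSERT INTO users (email, password_hash) VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, email: str):
    # VULNERABLE: the value is pasted into the SQL text, so quotes in it become syntax
    sql = f"SELECT id, email FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, email: str):
    # Parameterized: the driver binds the value separately; it can never become SQL
    return conn.execute("SELECT id, email FROM users WHERE email = ?", (email,)).fetchall()


# Input validation as defence in depth: reject obviously non-email input before
# it reaches the database at all (assumed, deliberately simple pattern)
EMAIL_RE = re.compile(r"^[^@\s']+@[^@\s']+\.[^@\s']+$")


def find_user_validated(conn: sqlite3.Connection, email: str):
    if not EMAIL_RE.match(email):
        raise ValueError("invalid email address")
    return find_user_safe(conn, email)


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", find_user_vulnerable(db, INJECTION_PAYLOAD))  # every row leaks
    print("safe:      ", find_user_safe(db, INJECTION_PAYLOAD))        # no rows
```

The vulnerable query returns every user because the payload turns the `WHERE` clause into `email = 'x' OR '1'='1'`; the parameterized query looks for a literal address containing a quote and finds nothing. Validation alone is not the fix (a legitimate address can contain characters a naive filter misses), which is why the page pairs it with parameterization.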
Open Source Transparency
JobGuru's core pipeline is open source under AGPL-3.0. You can audit the code at github.com/Pickle-Pixel/JobGuru. We welcome security reviews from the community.
Responsible Disclosure
If you discover a security vulnerability, please report it responsibly:
- Email security@jobguru.to
- Include steps to reproduce the issue
- Do not publicly disclose the vulnerability until we have addressed it
- We aim to acknowledge reports within 48 hours and resolve critical issues within 7 days
We appreciate responsible disclosure and will credit reporters (with permission) in our changelog.
Contact
Chronobyte, Inc.
131 Continental Dr Suite 305
Newark, DE 19713
United States
security@jobguru.to