Security & Data Protection
Career Cortex LLC
www.careercortex.com
Last Updated: February 2026
Career Cortex takes the security of your data seriously. Your resumes, cover letters, and career information contain sensitive personal data, and we have implemented technical and organizational safeguards to protect it at every stage — in transit, at rest, and during AI processing.
This Security & Data Protection Statement describes the security measures and practices Career Cortex LLC (“Career Cortex,” “we,” “us,” or “our”) employs to protect your data. This document supplements our Privacy Policy and Terms of Service.
1. Encryption
1.1 Encryption in Transit
All data transmitted between your browser and our Platform is encrypted using HTTPS with TLS (Transport Layer Security) 1.2 or higher. This applies to:
- All web traffic to and from www.careercortex.com
- API communications between our frontend and backend services
- Data transmitted from our backend API to third-party AI services
- Communications between our application servers and database infrastructure
- Authentication and session management traffic
We enforce HTTPS across all endpoints. HTTP requests are automatically redirected to HTTPS. We use HSTS (HTTP Strict Transport Security) headers to prevent protocol downgrade attacks.
1.2 Encryption at Rest
All data stored in our database infrastructure is encrypted at rest using AES-256 encryption, an industry-standard algorithm. This includes:
- User account information
- Resume content and parsed data
- Cover letter content
- Job descriptions and tracking data
- Mock interview sessions and AI analysis results
- All associated metadata
Encryption keys are managed by our cloud infrastructure providers and are not accessible to application-level code or personnel.
2. Authentication and Access Control
2.1 User Authentication
User authentication is handled by a dedicated third-party authentication provider that specializes in identity management. Our authentication implementation includes:
- Password hashing: User passwords are hashed using bcrypt with an appropriate cost factor (the "salt rounds" setting of the hashing library) before storage. We never store, log, or have access to plaintext passwords.
- Secure session management: Authentication tokens are issued upon successful login and are transmitted securely. Session tokens have defined expiration periods and are invalidated upon logout.
- Email verification: Account creation requires email verification to prevent unauthorized account registration.
2.2 Row-Level Security (RLS)
Our database implements Row-Level Security (RLS) policies that enforce data isolation at the database level. This means:
- Every database query is automatically filtered by the authenticated user's identity
- Users can only read, update, or delete records that belong to their own account
- RLS policies are enforced by the database engine itself, not by application code — providing a strong security boundary even in the event of an application-level vulnerability
- Administrative access to user data is restricted and logged
Row-Level Security is one of our most important security controls. It ensures that even if application logic were to contain a bug, the database itself prevents unauthorized cross-user data access.
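As an added illustration of the RLS model described above (example policy, not Career Cortex's own schema or database code), assuming PostgreSQL, a hypothetical resumes table, and that the backend sets the authenticated user's ID in a session variable named app.current_user_id at the start of each request:

```sql
-- Illustrative schema; table and column names are assumptions, not the Platform's.
CREATE TABLE resumes (
    id         uuid PRIMARY KEY DEFAULT gen_random_uuid(),
    user_id    uuid NOT NULL,
    content    text NOT NULL,
    deleted_at timestamptz            -- soft-delete marker, see Section 8.1
);

-- Enable RLS. FORCE applies the policies to the table owner as well;
-- without it the owner (and superusers) bypass RLS silently.
ALTER TABLE resumes ENABLE ROW LEVEL SECURITY;
ALTER TABLE resumes FORCE ROW LEVEL SECURITY;

-- The application sets the caller's identity once per transaction:
--   SET LOCAL app.current_user_id = '<authenticated user uuid>';
-- current_setting(..., true) returns NULL/'' when the variable is unset, and
-- NULLIF turns '' into NULL, so a request that forgot to set the identity
-- matches no rows at all instead of every row.
CREATE POLICY resumes_owner_only ON resumes
    FOR ALL
    USING      (user_id = NULLIF(current_setting('app.current_user_id', true), '')::uuid)
    WITH CHECK (user_id = NULLIF(current_setting('app.current_user_id', true), '')::uuid);

-- The role the API connects as must not own the table or hold BYPASSRLS,
-- otherwise the policy is not the boundary the statement above describes.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON resumes TO app_user;

-- Check: an unfiltered query from the application role still returns
-- only the caller's rows (constructed sample identity).
BEGIN;
SET LOCAL ROLE app_user;
SET LOCAL app.current_user_id = '11111111-1111-1111-1111-111111111111';
SELECT id FROM resumes;   -- only rows whose user_id is 1111...
COMMIT;
```

The WITH CHECK clause is what stops an INSERT or UPDATE from writing a row under another user's user_id, so both halves of the policy are needed for the isolation to hold on writes as well as reads.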
2.3 API Authentication
Our backend API implements the following access controls:
- All API requests require valid authentication tokens
- API keys for third-party services (AI providers, payment processing, email delivery) are stored securely as environment variables — never in source code or client-side code
- Backend service-to-service communications are authenticated and encrypted
- CORS (Cross-Origin Resource Sharing) policies restrict which domains can interact with our API
3. Infrastructure Security
3.1 Cloud Hosting
Our infrastructure is hosted on industry-leading cloud platforms that maintain rigorous security certifications, including SOC 2 Type II, ISO 27001, and other compliance standards. Our architecture includes:
- Frontend application: Hosted on a globally distributed edge network with built-in DDoS protection, automatic HTTPS, and content delivery optimization
- Backend API: Runs in isolated, containerized environments on a managed cloud compute platform with automatic scaling, network isolation, and encrypted inter-service communication
- Database: Managed by a third-party database hosting provider with automated encryption, regular security patching, network-level access controls, and SOC 2 Type II compliance
3.2 Network Security
Our infrastructure employs multiple layers of network security:
- Content delivery and edge protection via a CDN with built-in Web Application Firewall (WAF) capabilities
- DDoS mitigation at the network edge
- Service-level network isolation between application components
- Restricted database access — direct database connections are not exposed to the public internet
4. AI Data Processing Security
4.1 How Your Data Flows Through AI Services
When you use AI-powered features (resume parsing, scoring, ATS optimization, job-targeted optimization, cover letter generation, or mock interviews), your data follows this path:
- Step 1 — Browser to Platform: Your content (resume text, job description, or interview response) is sent from your browser to our Platform over an encrypted HTTPS connection.
- Step 2 — Data preparation: Our backend API prepares the request, including only the content necessary for the specific AI task. Account credentials, payment information, and analytics data are never included.
- Step 3 — Platform to AI provider: The prepared request is sent from our backend API to the third-party AI service over an encrypted HTTPS connection, authenticated with API keys stored securely as environment variables.
- Step 4 — AI processing: The AI service processes the request and returns results. Processing occurs in memory; the AI provider does not persistently store your submitted data for its own purposes.
- Step 5 — Results stored: The returned results are stored in our encrypted database, associated with your account, and made available to you through the Platform.
4.2 Third-Party AI Provider Security
We use commercially licensed AI APIs and have selected providers based on their security and privacy commitments:
- No model training on your data: Under our commercial API agreements, data submitted through the API is not used to train, improve, or fine-tune the provider's AI models.
- Limited retention: The AI provider may temporarily retain API request data for a short period (typically up to 30 days) solely for abuse and safety monitoring, after which it is automatically deleted. No human review of your data occurs unless required by law or to investigate a specific abuse or safety concern.
- Encrypted transmission: All communication with AI providers occurs over encrypted HTTPS/TLS connections.
- Data processing agreements: We maintain data processing agreements with our AI providers that include appropriate security and privacy safeguards.
4.3 What Is NOT Sent to AI Providers
To minimize data exposure, we only send the minimum data necessary for each AI task. The following data is never transmitted to AI providers:
- Your email address or account credentials
- Your internal user ID or account identifiers
- Payment or billing information
- Browsing behavior, analytics, or usage data
- Data from other users
5. Data Backup and Recovery
We implement the following data protection measures to guard against data loss:
- Automated backups: Our database hosting provider performs automated daily backups of all data, with point-in-time recovery capabilities.
- Backup encryption: All backup data is encrypted at rest using the same AES-256 encryption applied to production data.
- Geographic redundancy: Database backups are stored in geographically separate locations from the primary database to protect against regional outages or disasters.
- Retention period: Database backups are retained in accordance with our infrastructure provider's policies, typically for a minimum of 7 days, allowing recovery from accidental data loss or corruption.
In the event of a data loss incident, we will work to restore affected data from the most recent available backup and notify impacted users as quickly as possible.
6. Application Security Practices
We incorporate the following security practices into our development and operations:
- Secure development: We follow secure coding practices, including input validation, output encoding, parameterized queries, and protection against common web vulnerabilities (XSS, CSRF, SQL injection).
- Dependency management: We regularly monitor and update third-party libraries and dependencies to address known security vulnerabilities.
- Secret management: All API keys, secrets, and credentials are stored as environment variables or in secure secret management systems — never committed to source code repositories.
- Rate limiting: API endpoints are rate-limited to prevent abuse, brute-force attacks, and resource exhaustion.
- Content Security Policy: We implement CSP headers to mitigate cross-site scripting and data injection attacks.
- Input sanitization: All user-supplied input is validated and sanitized before processing, storage, or transmission to third-party services.
7. Incident Response Plan
Career Cortex maintains an incident response process to address security events promptly and transparently.
7.1 Incident Classification
We classify security incidents based on severity:
- Critical: Confirmed unauthorized access to user data, data breach affecting personal information, or complete service compromise.
- High: Attempted unauthorized access with partial success, vulnerability actively being exploited, or significant service degradation due to a security issue.
- Medium: Vulnerability discovered but not yet exploited, suspicious activity under investigation, or isolated unauthorized access attempt.
- Low: Minor security configuration issues, unsuccessful attack attempts, or informational security alerts.
7.2 Response Process
Our incident response process follows these steps:
- Detection and assessment: Identify and classify the incident to determine scope, severity, and affected systems or users.
- Containment: Take immediate action to contain the incident and prevent further damage, which may include revoking credentials, isolating affected systems, or temporarily suspending specific services.
- Investigation: Conduct a thorough investigation to determine the root cause, extent of impact, and what data (if any) was affected.
- Remediation: Fix the underlying vulnerability or issue and implement measures to prevent recurrence.
- Notification: Notify affected users and relevant authorities as required by applicable law (see Section 7.3).
- Post-incident review: Document lessons learned and update security practices, policies, and monitoring accordingly.
7.3 Breach Notification
In the event of a confirmed data breach that affects your personal information, we will:
- Notify affected users via email as soon as reasonably practicable, and no later than 72 hours after confirmation for GDPR-covered users
- Provide clear information about what data was affected, what we are doing to address the situation, and what steps you can take to protect yourself
- Notify relevant supervisory authorities as required by GDPR, CCPA/CPRA, the Ohio Data Protection Act, and other applicable privacy laws
- Provide ongoing updates as our investigation progresses
8. Data Deletion and Your Rights
8.1 Deleting Individual Items
You can delete individual resumes, cover letters, job descriptions, mock interview sessions, and other content at any time through the Platform. Deleted items enter a soft-deleted state for up to 30 days (to allow restoration without re-processing by AI services) and are then permanently purged. For more details, see our Privacy Policy.
8.2 Deleting Your Account
You can request full account deletion through your account settings or by contacting us at support@careercortex.com. Upon account deletion:
- All data associated with your user ID is permanently deleted immediately, including all resumes, cover letters, job descriptions, mock interview data, AI analysis results, account settings, and any soft-deleted items
- This action is irreversible — deleted account data cannot be recovered
- Payment records may be retained as required by tax and financial regulations, but all personal career data is removed
8.3 Data Export
Before deleting your account, you may export your data. You can download your resumes, cover letters, and other career documents through the Platform. If you need assistance exporting your data in a specific format, contact us at support@careercortex.com.
8.4 Formal Deletion Requests
If you wish to make a formal data deletion request under GDPR (right to erasure), CCPA/CPRA (right to delete), or other applicable privacy laws, please email privacy@careercortex.com with the subject line “Data Deletion Request.” We will verify your identity and process your request within 30 days (GDPR) or 45 days (CCPA/CPRA).
9. Responsible Disclosure and Vulnerability Reporting
We value the security research community and welcome responsible disclosure of potential vulnerabilities. If you believe you have discovered a security vulnerability in our Platform, please report it to us:
Security Vulnerability Reports
Email: security@careercortex.com
Subject line: Security Vulnerability Report
When reporting a vulnerability, please include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any relevant screenshots, logs, or proof-of-concept code
We ask that you:
- Give us reasonable time to investigate and address the issue before any public disclosure
- Avoid accessing, modifying, or deleting data belonging to other users
- Act in good faith and do not exploit the vulnerability beyond what is necessary to demonstrate it
We are committed to working with researchers in good faith and will not pursue legal action against individuals who report vulnerabilities responsibly.
10. Ongoing Security Commitment
Security is not a destination but an ongoing process. We are committed to:
- Regularly reviewing and updating our security practices as threats evolve
- Monitoring our systems for suspicious activity and potential vulnerabilities
- Keeping our infrastructure, dependencies, and third-party integrations up to date with security patches
- Evaluating additional security measures such as multi-factor authentication, advanced monitoring, and third-party security audits as the platform grows
- Maintaining transparency about our security practices through this statement
We will update this Security & Data Protection Statement periodically to reflect changes in our practices. Material updates will be noted by updating the “Last Updated” date at the top of this page.
11. Contact Us
For security-related concerns, questions about our data protection practices, or to report a vulnerability:
Career Cortex LLC
Security Issues: security@careercortex.com
Privacy & Data Requests: privacy@careercortex.com
General Support: support@careercortex.com
Website: www.careercortex.com