Encryption
TLS 1.3 in transit. AES-256 at rest in Convex storage. Per-tenant isolation at the application layer — every row carries the owning user's id and access checks run server-side on every read.
Authentication
Authentication runs through Clerk. We support passwordless email magic links and OAuth via Google and GitHub. Sessions are short-lived and rotate on every privileged action.
We never see your password — Clerk handles the credential lifecycle, including breach monitoring and forced rotation when leaks are detected upstream.
Hosting and data residency
Default deployment is Vercel (US edge) for the Next.js front end and Convex (US region) for the backend. EU and PH residency are available on Career+ — the same agent pipeline routes through the regional Convex deployment with no functional difference at the API layer.
Payments
Stripe handles all card data under PCI-DSS scope. HiredNa never sees primary account numbers, only the last four digits and brand for receipts. Webhook signatures are verified on every event before we mutate billing state.
AI providers
LLM calls route through Vercel AI Gateway, with Google Gemini as the primary provider and Anthropic Claude and OpenAI GPT as fallbacks. None of these providers retain your prompts long-term; prompt content is used only for the duration of the inference call.
Monitoring and incident response
We monitor pipeline error rates, workflow checkpoint failures, and authentication anomalies in real time. On a Sev-1 incident we post status to the changelog within one hour and publish a full post-mortem within seven days.
Vulnerability disclosure
Found something concerning? Email security@hiredna.app. Include reproduction steps and any relevant traces.
We acknowledge within 48 hours, triage within 5 business days, and credit researchers (with consent) in the changelog after the fix ships.