Security

Security and compliance baseline

Keep user data private, keep workspaces isolated, and keep the product on a conservative legal path from day one.

Per-user isolationPublic-source rules

Core controls

Identity and access

  • Supabase auth
  • Per-user workspace isolation
  • Role-based admin access

Data protection

  • Encrypted secrets
  • Private storage buckets
  • Audit logs and deletion flow

Legal-safe sourcing

  • Public sources only
  • Respect robots.txt
  • No LinkedIn automation

Secret handling

  • Local env files stay out of Git
  • Rotate any key that was pasted into shared chat/history
  • Use server-side keys only in backend routes

Before Selling

Minimum trust baseline

Data isolation

Every user must only see their own workspaces, packets, and billing state.

Deletion flow

Users need a clear path to remove their account data, resumes, and generated packet history.

Operational logging

Billing events, auth state, and packet generation need audit-friendly records without storing unnecessary personal data.

Secret handling

What not to mess up

  • Keep `.env.local` out of Git.
  • Rotate any key ever pasted into chat or shared notes.
  • Use server-side keys only in backend routes and webhooks.

Legal-safe rule

Borrow patterns, not code or branded assets. Use public sources, respect robots, and keep LinkedIn automation off-limits.