Trust Center

Security & Trust

Last updated: 2026-04-30

PMHNP Hiring handles personal information that matters — resumes, contact details, sometimes credentialing identifiers. This page explains how we protect that data, which vendors we share it with, and what to do if you spot a security issue. It is intentionally specific. If a customer or auditor wants more detail, the documents linked below back every claim with code and policy references.

Encryption everywhere

All traffic is served over TLS 1.3 with HSTS enabled (`includeSubDomains; preload`). Data at rest is encrypted by default in Supabase Postgres and Supabase Storage. Resume files are stored in a private bucket and only accessed via signed URLs that expire after one hour, so a leaked link cannot be replayed days later.

Resume & file safety

Resume uploads are virus-scanned before they are written to storage. The scan refuses executables, scripts, macro-laden Office files, password-protected archives, and XML external-entity payloads. In the rare case that the scanning service itself is unreachable, we accept the upload and log the gap rather than block legitimate users. Aggregate counters track scanner availability so we know quickly if it stays offline.

Privacy by default

Analytics and advertising cookies default to denied and only load after the visitor explicitly accepts. Vercel Speed Insights waits for the same consent. Visitors from the EEA, UK, Switzerland, Canada, Brazil, and Australia see a strict opt-in banner; visitors in implied-consent regions keep one-click control via the "Cookie Settings" link in the footer and the Do Not Sell or Share page.

We honor the Global Privacy Control (Sec-GPC) and Do Not Track (DNT) browser signals as a binding opt-out — no banner appears, no analytics fire.

Authentication & access

Authentication is handled by Supabase Auth. Session cookies are HttpOnly + Secure + SameSite=Lax. Password resets are rate-limited to 3 requests per hour per IP and respond identically whether or not the email is registered, so attackers can't enumerate accounts.

Account deletion is soft-delete with a 30-day grace window — accidental deletions are reversible. After the grace period, a daily cron hard-purges the record and the matching Supabase Auth identity. Inactive accounts that haven't logged in for 23 months receive a warning email and are then soft-deleted; total dormancy lifecycle to hard delete is ~25 months.

Incident response

Every sensitive action (account deletion, data export, role change, DSAR receipt, soft-delete purge) is recorded in an append-only audit log. We operate a written incident-response runbook with a 72-hour notification commitment that aligns with GDPR Art. 33 — privacy regulators get notified, affected users receive a plain-language email, and a post-incident review is published within 30 days.

Spotted something suspicious? Email security@pmhnphiring.com. We acknowledge within one business day.

Compliance posture

We are committed to good privacy hygiene now and progressively to formal attestations as the platform grows.

Framework              Status
GDPR / UK GDPR         Aligned. DPIA on file — see Privacy Policy §11–§16.
CCPA / CPRA            Aligned. Opt-out endpoint + GPC honored.
PCI-DSS                SAQ-A. Card data captured by Stripe Checkout — never stored on our infrastructure.
SOC 2                  In progress — Type 1 attestation planned when our first enterprise customer requires it. Most controls are already in place; see audit summary below.
HIPAA                  Not applicable — we do not process Protected Health Information. Job seekers may voluntarily disclose health-related items in resumes; that content is not parsed for clinical data.
CASL / PIPEDA / LGPD   Strict opt-in for marketing email; double opt-in on job alerts. Sub-processors disclosed.

Documents we publish

Internal documents we'll share on request to enterprise prospects: incident-response runbook, DPIA, and the 25-gap compliance audit with closure evidence.

Reporting a vulnerability

If you believe you've found a security vulnerability, please email security@pmhnphiring.com with reproduction steps and any affected URLs. We commit to:

  • Acknowledge receipt within one business day.
  • Provide a triage update within five business days.
  • Not pursue legal action against good-faith researchers who follow these guidelines.
  • Credit you publicly (if you wish) once the issue is resolved.

Please do not exfiltrate data, run automated denial-of-service, or test against accounts that aren't yours. We do not currently run a paid bug bounty program; we acknowledge contributions in writing.

Privacy questions: privacy@pmhnphiring.com · Security reports: security@pmhnphiring.com