Legal

Security

Last updated: 2026-04-22

Kattia handles your job-search data, resume content, and — if you connect Google — email and calendar events related to your search. Security is a first-class product concern, not an afterthought. This page summarizes our current controls.

Data protection

  • All traffic is encrypted in transit with TLS 1.2 or higher.
  • Data at rest in Supabase (Postgres) is encrypted by our infrastructure provider.
  • Row-level security policies enforce that you can only read or write your own data.
  • Routing guards on sensitive pages read profile state through a service-role client scoped to the authenticated user, preventing cross-user leakage even under edge cases.

Authentication

  • Sign-in options: Google OAuth, email + password, and magic link, all via Supabase Auth.
  • Sessions are stored in httpOnly, SameSite=Lax cookies. Client JavaScript cannot read the session token.
  • reCAPTCHA Enterprise protects signup, password reset, and OAuth entry points.
  • IP-level rate limiting throttles abusive traffic.

Application security

  • URL imports use SSRF-safe fetching: DNS is resolved explicitly, private and reserved IP ranges are blocked, and redirects are validated.
  • HTML captured from URL imports is sanitized with DOMPurify before display.
  • Stripe webhooks are signature-verified with the raw request body.
  • All AI entitlement checks are centralized: no API route reimplements tier logic.
  • Dependencies are scanned in CI; production audits expect zero high-severity vulnerabilities.

Third-party processors

We use a small number of vendors to run the service. Each is covered by a data processing agreement where applicable:

  • Supabase — database and auth
  • Stripe — payments (PCI DSS Level 1)
  • Vercel — hosting
  • Anthropic (via LLM gateway) — AI processing (zero-retention)
  • Google — OAuth, Gmail read and Calendar events read scopes
  • Resend — transactional email
  • PostHog — analytics and error capture

See our Privacy Policy for the full list of data handled by each.

Incident response

We monitor error rates and webhook failures continuously. If we detect a security incident affecting your account, we will notify you within 72 hours with what happened, what data was involved, and what actions you should take. Report suspected vulnerabilities to security@kattia.io; we acknowledge within 2 business days.

Data deletion

You can delete your account and all associated data from account settings. Backups are retained for 30 days and then purged. Stripe billing records are retained for 7 years where required by law.

Beta disclosures

During the closed beta, we may delete non-production data, roll forward schema changes, or temporarily reduce redundancy to iterate quickly. We will not reduce encryption, authentication, or isolation controls during the beta.

Contact

Security: security@kattia.io
Privacy: privacy@kattia.io