Security
How we protect your data and keep ResumeKraft safe.
Transparency about our practices, controls, and how to reach us.
Overview
Security is foundational to everything we build at ResumeKraft. Your resume data contains some of your most personal professional information — work history, contact details, and career goals. We treat it accordingly.
This page describes the technical and organisational measures we use to protect your data, our processes for responding to incidents, and how you can help keep your account secure.
Found a vulnerability? Please report it responsibly to mehtasystemsdev@gmail.com. We respond to all security reports within 48 hours.
Infrastructure
ResumeKraft runs on AWS (Amazon Web Services), one of the world's most audited cloud providers. Our infrastructure is configured with security as the default — not an afterthought.
Data protection
Your data is encrypted at every stage — whether it's moving across the internet or sitting in our databases.
- Encryption in transit — All communication between your browser and our servers uses TLS 1.3. Older, weaker protocols are disabled.
- Encryption at rest — All databases and storage volumes are encrypted with AES-256, including automated backups.
- Password hashing — Passwords are hashed using bcrypt with a strong cost factor. We never store or log plaintext passwords.
- Payment data — Card details are never stored on our servers. All payment processing is handled by Stripe, a PCI DSS Level 1 certified provider.
Access controls
We apply the principle of least privilege throughout our organisation. Access to production systems and user data is tightly restricted.
- Production system access requires multi-factor authentication (MFA) for all engineers
- Access is granted on a need-to-know basis and reviewed quarterly
- All production access is logged and auditable
- No engineer can access your resume content without a specific, documented support reason
- Departing team members have access revoked immediately upon offboarding
We recommend enabling MFA on your own ResumeKraft account under Settings → Security for an extra layer of protection.
Application security
Security is built into our development lifecycle, not bolted on at the end.
- Secure development — Code reviews are mandatory for all changes. Security considerations are part of every pull request checklist.
- Dependency scanning — Automated tools scan our dependencies daily for known CVEs and alert the team immediately.
- Penetration testing — We conduct third-party penetration tests at least annually and remediate all critical findings before deployment.
- OWASP practices — Our applications are built against OWASP Top 10 guidelines, including protections against XSS, CSRF, SQL injection, and more.
- Rate limiting — All API endpoints are rate-limited to prevent brute-force attacks and abuse.
Incident response
Despite best efforts, no system is immune to incidents. We maintain a documented incident response plan and practice it regularly.
- Detection — Automated monitoring alerts the on-call engineer within minutes of anomalous activity.
- Containment — Affected systems are isolated immediately to prevent lateral spread.
- Investigation — Root cause analysis is performed and documented within 24 hours.
- Notification — Affected users are notified within 72 hours of a confirmed breach, as required by GDPR and applicable law.
- Remediation — Fixes are deployed and post-incident reviews improve our processes.
If you believe your account has been compromised, change your password immediately and contact us at mehtasystemsdev@gmail.com.
Third-party providers
We rely on a small, carefully vetted set of third-party providers. Each is selected for their security posture and bound by data processing agreements.
| Provider | Purpose | Certification |
|---|---|---|
| AWS | Cloud hosting, storage, databases | SOC 2, ISO 27001, PCI DSS |
| Stripe | Payment processing | PCI DSS Level 1 |
| Postmark | Transactional email delivery | SOC 2 Type II |
| Anthropic | AI model inference for writing features | SOC 2 Type II |
| Plausible | Privacy-friendly analytics (anonymised) | GDPR compliant, EU-hosted |
We do not use advertising networks or data brokers. Our full list of sub-processors is available on request.
Vulnerability disclosure
We welcome responsible disclosure from security researchers. If you discover a potential vulnerability in ResumeKraft, please follow these guidelines:
- Email your findings to mehtasystemsdev@gmail.com with a clear description and reproduction steps.
- Give us reasonable time to investigate and remediate before any public disclosure.
- Do not access, modify, or delete user data beyond what is necessary to demonstrate the issue.
- Do not perform denial-of-service attacks or social engineering against our users or staff.
Researchers who report valid, previously unknown vulnerabilities in good faith will receive public acknowledgement (if desired) and our sincere gratitude. We aim to respond within 48 hours.
Your role
Security is a shared responsibility. Here's how you can help protect your own account:
- Use a strong, unique password — Avoid reusing passwords from other services. A password manager makes this easy.
- Watch for phishing — We will never ask for your password by email. If in doubt, go directly to mehtasystems.dev rather than clicking links.
- Keep your email secure — Your email is the master key to your account. Use a strong password and MFA on your email provider too.
- Report suspicious activity — If something looks wrong with your account, contact us immediately at mehtasystemsdev@gmail.com.
Contact us
For security reports, questions about our practices, or anything else security-related, reach our team directly:
Security Team — ResumeKraft
mehtasystemsdev@gmail.com
We respond to all security-related enquiries within 48 hours.