Security at SwiftShortlist
We take security seriously. Here is an overview of the technical and organisational measures we have in place to protect your data.
Data encryption
- All data in transit is encrypted with TLS 1.2 or higher.
- Data at rest is encrypted using AES-256 via Supabase managed storage.
- CV files are stored in private, access-controlled object storage buckets.
Authentication and access
- Authentication is managed by Supabase Auth with industry-standard PKCE flows.
- Passwords are hashed using bcrypt and never stored in plaintext.
- Google OAuth is supported as an alternative sign-in method.
- Row-level security (RLS) on all database tables ensures users can only access their own data.
- API endpoints validate session tokens on every request.
Infrastructure
- Hosted on Vercel (compute) and Supabase (database and storage) with SOC 2 Type II certification.
- Database hosted in the EU (Frankfurt) to support GDPR compliance.
- Automatic backups with point-in-time recovery.
- No sensitive secrets are stored in source code. Environment variables are managed via Vercel secrets.
AI processing
- CV analysis is performed via the Google Gemini API.
- PDFs are sent to Gemini as base64-encoded documents over an encrypted HTTPS connection.
- Google does not use API request data to train models by default.
- Raw CV content is not persisted beyond the analysis request.
Organisational controls
- Access to production systems is limited to authorised personnel only.
- Third-party dependencies are reviewed and kept up to date.
- Security incidents are logged and reviewed.