Trust & Security

Security at JobFront

JobFront is built and operated on Amazon Web Services, with security engineered into every layer — how data is encrypted and who can access it. The platform is powered by a shared dataset of publicly available job-market data, while your account, saved collections, and configuration are encrypted and access-controlled, scoped to your organization. This overview summarizes the controls that protect it.

Hosting
Built on AWS
Encryption
In transit & at rest
Access
Org-scoped
Payments
No card data stored
Sign-in
Password or Google SSO
Last updated June 2026 Security questions? security@jobfront.com
Our approach

Security built into every layer

We treat infrastructure, application, and data security as equally important — protecting how the platform runs, how it's built, and the integrity of the data it holds.

01 — INFRASTRUCTURE SECURITY
Hardened cloud infrastructure
JobFront runs on AWS, inheriting its audited physical and network controls — with data encrypted in transit and at rest and least-privilege access between systems.
02 — APP SECURITY
Defensive engineering
We build with established defensive practices — parameterized data access, pinned dependencies, and rate limiting — and every deploy is double-checked by adversarial AI reviewers.
03 — DATA SECURITY
Protected, verified data
We safeguard your account data and the integrity of our overall dataset alike. AI agents verify every data edit, so the data you rely on stays accurate and trustworthy.
01 — Infrastructure security

Hardened cloud infrastructure

JobFront runs on AWS, inheriting its audited physical and network controls. We encrypt data in transit and at rest, lock down our systems, and build for resilience.

Hosting & encryption

Cloud provider
JobFront runs on Amazon Web Services (AWS) and inherits AWS's independently audited physical, network, and environmental controls — including SOC 1, 2, and 3, ISO 27001, and PCI DSS. These certifications are held by AWS as our infrastructure provider; JobFront builds its application-layer controls on that foundation.
Data location
Primary processing takes place in the us-west-2 (Oregon) region.
Encryption in transit
All traffic to JobFront is served over modern TLS (1.2 or higher), and plaintext HTTP requests are automatically redirected to HTTPS. Traffic to our managed data services is encrypted in transit, with node-to-node encryption on our managed search layer.
Encryption at rest
Customer data is encrypted at rest with AES-256. Encryption keys are managed through AWS Key Management Service (KMS), which handles secure key storage and rotation.
Secrets management
Application credentials and integration keys are stored in an AWS-hosted security vault and decrypted only at runtime. Secrets are never committed to source code or bundled into application images.
Network security
TLS is terminated at an AWS load balancer, and back-end systems run with no public inbound access and no default remote-shell (SSH) access. Instance metadata is protected with IMDSv2, and internal components communicate with least-privilege access between them.

Resilience & monitoring

Reliability & backups
We build on AWS's managed, redundant data services. Containers auto-scale and auto-restart and drain gracefully during instance lifecycle events, and background work is processed at least once with idempotent writes. Automated backups support point-in-time recovery.
Monitoring
Application and infrastructure activity is centrally logged, with metrics and alarms that notify our team automatically so we can respond to availability and security-relevant events quickly.
02 — App security

Defensive engineering

Security is part of how we build. We apply established defensive practices across the codebase, and we control who can sign in and what they can access.

Authentication & access

Customer sign-in
Customers sign in with email and password or with Google single sign-on (SSO). Passwords are stored only as salted hashes — never in plaintext — and password resets use single-use, time-limited tokens.
Sessions
User sessions are maintained with cryptographically signed session cookies.
API access
Programmatic access uses per-organization API tokens that are validated on every request and scoped to the issuing organization.
Tenant isolation
JobFront is multi-tenant. Your account, saved collections, filters, and export configurations are scoped to your organization and checked on every request. The underlying job-market dataset is built from public sources and shared across the platform.
Internal access
Access to production systems and customer data is restricted to authorized personnel on a need-to-know basis, and cloud permissions follow least-privilege policies.

Secure development

Secure data access
Database access uses parameterized queries as the standard pattern, and dynamic inputs are validated against explicit allow-lists to guard against injection.
Supply-chain integrity
All dependencies — direct and transitive — are pinned to exact versions in a lock file, so builds are reproducible and a malicious or breaking upstream release cannot silently slip in. Container images are built in AWS CodeBuild, stored in a private registry, and tagged by commit for traceability.
Abuse protection
The platform enforces rate limiting and automated abuse-detection to protect availability and detect anomalous access.
Change management
Every change goes through a pull-request workflow and an automated build-and-deploy pipeline, so changes are versioned and traceable. Two adversarial AI reviewers independently check every deploy for errors, security vulnerabilities, and accuracy.
03 — Data security

Protected, verified data

We protect your account data and the integrity of our overall dataset alike — with controls spanning how we handle your data, how we collect public information, and how AI keeps the dataset accurate.

Privacy & data handling

Payments
Billing is handled by Stripe. JobFront does not store or process raw card data — we retain only billing identifiers, keeping cardholder data out of our environment.
Data minimization
We collect the data needed to operate the product, validate enriched fields against allow-lists before storing them, and minimize the personal data moved between internal systems.
Privacy
We honor data-subject access, correction, and deletion requests and offer a Data Processing Addendum (DPA) on request. See our Privacy Policy for how we collect and use personal information.
Audit trail
Operator changes to source data are recorded with attribution and before-and-after values, creating a record of who changed what and when.

Responsible collection

Respect for site policies
We honor robots directives and follow established web-scraping best practices when collecting publicly available job and company data.
Considerate crawling
We deliberately spread requests out over time and avoid swarming any single site, minimizing load and downtime for the sites we collect from.
Public information focus
Collection focuses on publicly accessible job postings and company career pages — not job-seeker applications, resumes, or candidate accounts.

AI & data quality

AI providers
We use leading AI providers — including Anthropic, OpenAI, and AWS Bedrock — to structure and enrich job and company content, which is predominantly drawn from publicly available sources. Customer passwords, secrets, and payment data are never sent to AI providers.
Input sanitization
Data is sanitized before it is sent to AI models, so only clean, relevant content is processed.
Content moderation
Content is run through automated moderation checks that flag profanity, violence, and other unsafe material.
Output validation
AI output is validated against allow-lists before it is stored or used, and automated spend controls cap AI usage.
Automated QA & self-healing
An automated quality-assurance system continuously checks data for completeness and accuracy. When it flags an issue, the record is routed back through our discovery and processing pipeline to be corrected automatically.
Sub-processors

Trusted providers we work with

We rely on a small set of established, security-vetted providers to operate the service — each selected and reviewed for its security posture.

Amazon Web Services
Cloud hosting, storage, and managed data services.
Stripe
Payment processing and billing — card data never touches our systems.
Anthropic & OpenAI
AI structuring and enrichment of job and company content.
We also work with established providers for transactional email delivery, and a full, current sub-processor list is provided to customers on request.
Disclosure & diligence

Working with security teams

We welcome scrutiny of our security, and we make it easy for researchers and reviewers to engage with us.

REPORT AN ISSUE
Responsible disclosure
If you believe you've found a security vulnerability, email security@jobfront.com with details and steps to reproduce. We review every report and work in good faith with researchers who disclose responsibly.

Talk to our team

Whether you're evaluating JobFront or completing a security review, we're glad to answer questions and share the documentation you need.

security@jobfront.com