How We Protect
Your Data
Honest disclosure of our security practices, third-party services, and limitations. No overclaiming. Every statement on this page is verifiably true.
You are trusting us with sensitive career information: your resume, employment history, salary expectations, and job search activity. We take that seriously.
Our approach to security is built on one principle: tell the truth about where we are. Most companies fill their security pages with buzzwords and self-assigned ratings. We would rather be honest about what we do, what our vendors provide, and where we have room to grow.
Honest communication about security practices. No marketing language masquerading as technical truth. Prompt notification if something goes wrong. Continuous improvement as we grow.
Data We Store
- Your resume: Stored in our database so you can analyze jobs against it. You can delete it instantly from your dashboard.
- Analysis history: Past job analyses are saved so you can review them and track applications.
- Account information: Email address and a cryptographically hashed password.
- Session tokens: Temporary authentication tokens that expire after 30 days of inactivity.
Data We Do Not Store
- Credit card numbers: All payment data is handled entirely by Stripe. Card numbers never touch our servers.
- Social Security numbers or government identification.
- Browsing history outside of MintCareer.
Data Sent to AI for Processing
When you analyze a job, the following is sent to Anthropic's Claude API:
- Your resume text (content only, no metadata or account information)
- The job description text you paste into the analyzer
- System prompts that instruct the AI how to perform the analysis
Your email address, payment information, IP address, device identifiers, and browsing behavior are never sent to the AI.
Encryption
- In transit (HTTPS/TLS): All data transmitted between your browser and our servers is encrypted via HTTPS, enforced through Cloudflare. This is the same encryption standard used by banks and government agencies.
- At rest (PostgreSQL on Neon): Your data is stored in an encrypted PostgreSQL database hosted on Neon with SSL/TLS-encrypted connections. The database includes automatic point-in-time recovery, plus AES256-encrypted backup copies stored separately for disaster recovery.
- Passwords (bcrypt): User passwords are hashed using bcrypt with salt rounds. We cannot see your password. Even if our database were compromised, passwords would remain protected.
- API credentials: Our Anthropic API key and Stripe keys are stored as encrypted environment variables in Replit Secrets, never in source code or version control.
Application Security
- Input sanitization: All user input is sanitized to prevent cross-site scripting (XSS) and injection attacks.
- Rate limiting: Flask-Limiter protects against abuse and brute-force attacks on all routes.
- CSRF protection: Flask session-based CSRF protection is enabled.
- Character limits: Input fields are capped at 10,000 characters to prevent abuse.
- Secure sessions: Session tokens use cryptographically secure random generation and expire after inactivity.
Infrastructure
- Hosting: MintCareer runs on Replit, which provides container isolation, automatic security patching, and DDoS protection.
- SSL certificate: Managed by Cloudflare with automatic renewal.
- DNS protection: Cloudflare CDN with built-in threat filtering.
We integrate with the following services. Each handles a specific function and has its own security certifications:
Our vendors (Anthropic, Stripe, Cloudflare) hold security certifications like SOC 2 and PCI DSS. MintCareer itself does not currently hold these certifications. We benefit from our vendors' security infrastructure, but we want to be clear about the distinction.
- We do not sell your data. Not to recruiters, not to employers, not to data brokers, not to anyone, for any price.
- We do not share your resume with employers or recruiters without your explicit consent.
- We do not use your data to train AI models. Anthropic's API terms prohibit training on API data.
- We do not use advertising trackers. No Facebook Pixel, no Google Ads tracking, no retargeting cookies.
- We offer Google Sign-In for convenience. When you log in with Google, we receive only your name and email address. We do not access your Google contacts, calendar, or other Google data.
- We do not make deletion difficult. Delete your account and all data at any time. No questions, no retention tricks, no "are you sure" dark patterns.
- We do not require more information than necessary. We ask for what we need to provide the service and nothing more.
We use Google Analytics 4 with IP anonymization to understand how the site is used. We do not use invasive tracking or sell analytics data.
We build the infrastructure. You protect your access. Here is your part:
- Use a strong, unique password. Do not reuse passwords from other sites. Use a password manager (1Password, Bitwarden, or similar).
- Enable two-factor authentication on your email. Your email is the key to password resets. If your email is compromised, your MintCareer account could be too.
- Log out on shared devices. Always log out if using a public or shared computer.
- Review your resume before uploading. Remove sensitive information you do not want processed (Social Security numbers, detailed home addresses, etc.).
- Keep your browser and operating system updated. Most breaches exploit known vulnerabilities in outdated software.
- Report suspicious activity. If you see anything unusual in your account, contact us immediately.
We will never ask for your password via email, text, or phone. If you receive a message claiming to be from MintCareer asking for your password, it is a scam. Forward it to security@mintcareer.ai and delete it.
If We Experience a Breach
In the unlikely event of a security incident affecting your data:
- Notification within 72 hours: We will notify all affected users via email within 72 hours of discovering the breach.
- Full transparency: We will disclose what data was affected, how the breach occurred, and what steps we are taking. No corporate spin.
- Regulatory notification: We will notify relevant authorities as required by CCPA, and other applicable laws.
- Remediation: We will implement fixes, conduct forensics, and share what we are doing to prevent future incidents.
If You Suspect Unauthorized Access
- Change your password immediately.
- Review your analysis history for unfamiliar activity.
- Email security@mintcareer.ai with details. We will respond as quickly as possible.
- If concerned, you can delete your account and all data instantly.
We believe transparency about limitations builds more trust than overclaiming. Here is where we are:
Current State
- Solo founder operation. MintCareer LLC currently has a single operator with access to production systems. This means fast response but limited 24/7 coverage.
- No independent security audit. We have not yet undergone a formal third-party security audit or penetration test. Our vendors have, but we have not.
- No SOC 2 certification. Our vendors (Anthropic, Stripe) are SOC 2 certified. MintCareer itself is not. We follow SOC 2 principles but have not completed the certification process.
- No two-factor authentication yet. We do not currently offer 2FA for user accounts. We rely on strong password requirements and session security.
What We Are Working Toward
- Two-factor authentication for user accounts
- Independent security audit once we reach scale
- Role-based access controls as the team grows
- Automated security monitoring and alerting
Most startups at our stage do not have SOC 2, independent audits, or dedicated security teams. That is normal. What is not normal is admitting it. We would rather earn your trust through honesty than lose it through overclaiming.