1. Security approach
PursuitLane is designed around least-privilege access, environment-scoped secrets, guarded automation, and clear operational health checks for production dependencies.
Security controls are reviewed as the product changes, especially around resume storage, session handling, AI provider calls, OAuth, email delivery, and billing workflows.
2. Account and session protections
The app uses signed session cookies and production-only secure-cookie behavior. Google OAuth is available when Supabase OAuth keys are configured, with email/password fallback for supported accounts.
Users are responsible for protecting their devices, browsers, passwords, and inboxes. If you suspect account compromise, sign out and contact support promptly.
3. Data protection
Sensitive resume fields should be encrypted with the configured resume encryption key. Production deployments must use real database, Redis, session, and encryption secrets rather than development defaults.
Access to production infrastructure should be limited to authorized maintainers and monitored through provider-level controls.
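The two controls described above, signed session cookies whose Secure attribute is set only in production (section 2) and a production startup that refuses development-default secrets (section 3), are shown together below as an added example. This is illustrative code written for this page, not PursuitLane's own implementation. The environment-variable names, the development default values, the 32-byte minimum secret length, and the HMAC-SHA256 signing scheme are all assumptions for the example; the page states only that cookies are signed and that production must not run on development defaults.

```python
import hashlib
import hmac
import secrets

# Hypothetical development defaults (constructed for this example). A
# production process that still carries any of them must not start.
DEV_DEFAULTS = {
    "DATABASE_URL": "postgres://postgres:postgres@localhost:5432/pursuitlane_dev",
    "REDIS_URL": "redis://localhost:6379/0",
    "SESSION_SECRET": "dev-session-secret-change-me",
    "RESUME_ENCRYPTION_KEY": "dev-resume-key-change-me",
}
# Keys that must be high-entropy secrets, not merely "not the default".
SECRET_KEYS = ("SESSION_SECRET", "RESUME_ENCRYPTION_KEY")
MIN_SECRET_BYTES = 32  # assumed minimum; pick what your KDF/cipher needs


class ConfigError(RuntimeError):
    """Raised when a production process is configured unsafely."""


def validate_config(env: str, cfg: dict) -> list:
    """Return a list of configuration problems (empty means OK).

    In production any problem is fatal and raises ConfigError so the process
    refuses to start; in other environments the problems are only reported.
    """
    problems = []
    for key, dev_value in DEV_DEFAULTS.items():
        value = cfg.get(key, "")
        if not value:
            problems.append(f"{key} is not set")
        elif value == dev_value:
            problems.append(f"{key} still uses the development default")
        elif key in SECRET_KEYS and len(value.encode()) < MIN_SECRET_BYTES:
            problems.append(f"{key} is shorter than {MIN_SECRET_BYTES} bytes")
    if env == "production" and problems:
        raise ConfigError("refusing to start: " + "; ".join(problems))
    return problems


def generate_secret() -> str:
    """Produce a secret that passes validate_config (64 hex chars)."""
    return secrets.token_hex(MIN_SECRET_BYTES)


def sign_session(session_secret: str, session_id: str) -> str:
    """Cookie value = session_id + "." + HMAC-SHA256(session_secret, session_id)."""
    mac = hmac.new(session_secret.encode(), session_id.encode(), hashlib.sha256).hexdigest()
    return f"{session_id}.{mac}"


def verify_session(session_secret: str, cookie_value: str):
    """Return the session id if the cookie's signature is valid, else None."""
    session_id, sep, mac = cookie_value.rpartition(".")
    if not sep or not session_id:
        return None
    expected = hmac.new(session_secret.encode(), session_id.encode(), hashlib.sha256).hexdigest()
    # Constant-time comparison so response timing does not leak how many bytes matched.
    return session_id if hmac.compare_digest(mac, expected) else None


def set_cookie_header(name: str, value: str, env: str) -> str:
    """Build a Set-Cookie header value.

    Secure is added only in production so local http://localhost development
    keeps working; HttpOnly and SameSite=Lax apply everywhere.
    """
    attrs = [f"{name}={value}", "Path=/", "HttpOnly", "SameSite=Lax"]
    if env == "production":
        attrs.append("Secure")
    return "; ".join(attrs)


if __name__ == "__main__":
    env = "production"
    cfg = {  # constructed production-style configuration
        "DATABASE_URL": "postgres://app:REDACTED@db.internal:5432/pursuitlane",
        "REDIS_URL": "redis://cache.internal:6379/0",
        "SESSION_SECRET": generate_secret(),
        "RESUME_ENCRYPTION_KEY": generate_secret(),
    }
    validate_config(env, cfg)  # raises if any development default survived
    cookie = sign_session(cfg["SESSION_SECRET"], secrets.token_urlsafe(24))
    print(set_cookie_header("session", cookie, env))
    print("valid:", verify_session(cfg["SESSION_SECRET"], cookie) is not None)
```

Running `validate_config` once at process start, before any listener is bound, is what turns "must not use development defaults" from a review item into an enforced property: a deployment that forgets to set a secret fails loudly instead of serving traffic with a guessable key.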
4. Responsible disclosure
If you believe you found a vulnerability, please report it privately using the footer contact link. Include reproduction steps, affected endpoints, impact, and any relevant screenshots or logs.
Do not access data that is not yours, disrupt service availability, run destructive tests, or publicly disclose details before we have had a reasonable opportunity to investigate.