Your workforce data,
protected by design.

Isolation is enforced in the database itself with Postgres row-level security, not just in application code. Even if a request slipped past the app layer, the database would still refuse to return another account's rows.

• Each account can read only its own full record. There is no policy that lets one user query everyone.
• When employers browse the talent pool, they see a privileged view that exposes only non-sensitive fields. Email, phone, contact links, CVs and internal flags are physically excluded from it.
• A worker's contact details unlock only after an active hiring relationship or an accepted contact request — a rule checked inside the database, not assumed by the front end.
• Document downloads use short-lived signed links (expiring in about a minute) and are re-checked against the relationship on every request.
• When a worker is offboarded, the former employer's access to their files is revoked immediately.

Roles for Worker, Employer and Admin are separated throughout. See the Privacy Policy for what each side can and cannot see.

Every file is scanned for malware before it can be viewed. We support PDF, JPG, PNG and HEIC uploads up to 10 MB each.

• Uploads are checked against VirusTotal's threat intelligence the moment they land.
• If a file is flagged as malicious, it is deleted from storage straight away and the document is marked infected — it is never shown to an employer.
• Scan activity is rate-limited per user to prevent abuse.

• In transit: all traffic is HTTPS/TLS, enforced by HSTS with a one-year max-age, subdomain coverage and preload.
• At rest: the database and uploaded files are encrypted with AES-256 by Supabase on AWS.
• Sessions: authentication uses secure, same-site cookies that are cleared when you close your browser unless you opt into “remember me”.
• Security headers on every route: X-Frame-Options: DENY, X-Content-Type-Options: nosniff, a strict referrer policy, a restrictive Permissions-Policy, and a Content-Security-Policy that blocks framing and untrusted script origins.
• Global rate limiting (shared across every server instance) guards password resets, document scans and other sensitive endpoints.

Our privacy programme is built around GDPR, UK GDPR, the Australian Privacy Act 1988 and CCPA/CPRA. The rights below are real buttons and flows in the product, not just policy text.

• Access & portability: download a structured export of your data from your dashboard at any time.
• Erasure: delete your account in one confirmed step. Files are removed from every storage bucket, and two-sided records are wiped on both sides.
• Consent for health data: medical and immunisation records are special-category data and require explicit, timestamped consent before upload, which you can withdraw.
• Documented retention: we publish exactly how long each category of data is kept.

Details: Privacy Policy, Data Retention and Data Processing Agreement.

We use a short, named list of established providers. Each is bound by a written agreement with equivalent data-protection obligations, and we give 30 days' notice before adding a new one.

International transfers rely on the EU-US Data Privacy Framework, Standard Contractual Clauses and the UK IDTA. Full list and transfer mechanisms are in the DPA.

CertVault runs on Vercel and Supabase and targets calendar-month availability of 99.5% or higher, measured against those upstream providers. Our Service Level Agreement sets out that commitment, the service credits that apply if we miss it, and what is excluded. Larger accounts can also negotiate a bespoke SLA — just ask.

Security is never finished. We would rather tell you where we are headed than imply we are already there. These are in progress: