Security You Can Trust

Your financial data deserves bank-level protection. CareerPhases uses industry-leading security practices to keep your information safe.


256-bit Encryption

All data is encrypted in transit and at rest using AES-256.


Read-Only Access

We can never move your money or initiate transactions on your accounts.


Bank-Level Security

The same security standards used by major financial institutions.

Plaid Certified

Bank connections are powered by Plaid, trusted by 12,000+ institutions.


Automated Security Testing

Continuous SAST scanning and security checks run on every code change.


Deny by Default

Every API endpoint requires explicit authorization before it can be accessed.

How We Handle Bank Connections

We never see your bank login credentials. When you connect a bank account, you authenticate directly with your bank through Plaid. Your username and password are never shared with CareerPhases.

  • Read-only access: CareerPhases cannot move money, initiate transfers, or make any changes to your accounts.
  • You control the connection: Disconnect any bank account at any time from your account settings.
  • Minimal data access: We only request the transaction data needed to provide our services.
  • Powered by Plaid: The same secure infrastructure trusted by Venmo, Coinbase, Robinhood, and thousands of other apps.

Learn more about how Plaid handles data: plaid.com/how-we-handle-data

Data Encryption

  • In Transit: All connections use TLS 1.3 encryption (HTTPS) with HSTS preloading.
  • At Rest: Your data is encrypted using AES-256 encryption in our database.
  • Strict Transport Security: HSTS headers ensure your browser always uses secure connections.

Authentication & Access Control

  • Secure authentication: Industry-standard OAuth 2.0 and JWT-based session management.
  • Session protection: Automatic session timeouts and secure cookie handling.
  • Step-up authentication: Sensitive financial operations require additional verification for your protection.
  • CSRF protection: All state-changing requests are protected against cross-site request forgery.
  • Row-level security: Database-level access controls ensure you can only access your own data.

Application Security

  • Content Security Policy: Strict CSP headers prevent XSS attacks and unauthorized script execution.
  • Rate limiting: Distributed rate limiting with fail-closed protection for critical endpoints like authentication and payments.
  • Input validation: All user input is validated and sanitized to prevent injection attacks.
  • Security headers: X-Frame-Options, X-Content-Type-Options, and Referrer-Policy headers enabled.

Payment Security

  • PCI-compliant payments: Subscription payments are processed by Stripe, a PCI Level 1 Service Provider.
  • No card storage: CareerPhases never stores your credit card details. All payment data is handled by Stripe.
  • Webhook verification: All payment and bank notifications are cryptographically verified with replay attack protection.

AI Safety & Privacy

  • CareerPhases AI Coach provides career planning assistance based on the information you provide.
  • AI processing is performed through secure API connections with enterprise-grade providers.
  • Your data is not used to train AI models.
  • AI-generated outputs may contain errors. Always verify important information before making decisions.

Infrastructure Security

  • Cloud hosting: Hosted on enterprise-grade cloud infrastructure with SOC 2 Type II certification.
  • Database: Managed PostgreSQL with automatic backups and encryption.
  • Edge functions: Serverless architecture with built-in DDoS protection.
  • Monitoring: 24/7 monitoring and alerting for security anomalies.

Compliance & Standards

  • Regular security reviews and vulnerability assessments.
  • Designed with GLBA Safeguards Rule principles in mind.
  • Incident response procedures maintained for security events.
  • Third-party vendors evaluated for security practices.

Continuous Security

  • Automated scanning: Every code change is scanned for vulnerabilities using industry-standard SAST tools.
  • Dependency monitoring: Third-party dependencies are continuously monitored for security vulnerabilities.
  • Security-first development: Built with OWASP Top 10 protections from the ground up.
  • Supply chain security: All dependencies are pinned and verified to prevent supply chain attacks.

What We Never Do

  • Store your bank login credentials
  • Move money or initiate transfers from your accounts
  • Sell your personal data to third parties
  • Use your data to train AI models
  • Share your financial information with advertisers

Report a Vulnerability

We take security seriously. If you believe you have discovered a security vulnerability, please report it responsibly to: security@careerphases.com

For general questions, contact: support@careerphases.com

Last updated: December 2025