Security
This page sets out the specific technical and organisational measures Alynd applies to protect your account and career data. No internet-connected service can guarantee absolute security, but these are the controls we have in place and the responsibilities we share with you.
Last updated: May 7, 2026
Encryption in transit
All communication between your browser and Alynd is encrypted using TLS 1.2 or higher. Data sent from the application to third-party processors — including OpenAI, Deepgram, and Stripe — also travels over encrypted connections. Unencrypted HTTP connections are redirected to HTTPS.
Encryption at rest
Uploaded files are stored in Amazon S3 in the London (eu-west-2) region with server-side encryption enabled at the bucket level. The database that holds your account and career data is hosted on encrypted storage volumes. Passwords are stored as one-way cryptographic hashes — we have no ability to read or recover your password under any circumstances.
File access controls
Uploaded documents are never publicly accessible. S3 buckets are configured with public access blocked at the bucket policy level, meaning no file can be served directly via a public URL.
Every file download uses a presigned URL generated at the point of access. Presigned URLs expire after one hour. If a URL expires before use, a new one is generated on the next authenticated request. Files you upload for CV import are validated for file type signature and size before any parsing occurs — oversized or unsupported files are rejected before they reach AI processing.
Database and infrastructure access
The production database has no public network endpoint. Only authenticated application services running in the same infrastructure environment can establish a database connection. Direct external access by individuals, including Alynd team members, requires additional authenticated access controls.
Role-based access controls govern which personnel can reach production systems and in what capacity. Production startup checks verify that all critical credentials are configured and that debug mode is disabled before the application begins accepting user requests. Server-side error details are written to internal logs only — user-facing error responses are deliberately generic to avoid leaking system information.
Authentication and session security
Account access is controlled by token-based authentication. Password changes require your current password. Account deletion requires both your current password and an explicit typed confirmation phrase.
Password reset and sign-in flows are designed to avoid revealing whether a given email address has an Account — responses to authentication requests are kept consistent regardless of whether the email exists in the system. You can view all active login sessions and revoke any session you do not recognise from Settings → Sessions at any time.
AI and import safety
The Service allows you to import CV files and fetch public job descriptions from URLs. Both of these surfaces are controlled to prevent abuse.
External URL fetching is restricted to public HTTP and HTTPS destinations. Requests to localhost, loopback addresses, private IP ranges (including RFC 1918 ranges), link-local addresses, and cloud metadata service endpoints are blocked before any request is made. URL fetches apply content-type restrictions and size limits to prevent unbounded imports of unexpected content.
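One way to implement the destination check described above, as an added example rather than Alynd's own code. The function names, the injectable `resolver` parameter and the sample host names in the usage note are assumptions made for illustration.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}

def is_public_ip(ip_text):
    """True only for globally routable unicast addresses."""
    ip = ipaddress.ip_address(ip_text)
    # Judge IPv4-mapped IPv6 (::ffff:a.b.c.d) by the IPv4 address inside it.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    # is_global is False for loopback, RFC 1918, link-local (169.254.0.0/16,
    # which holds the common cloud metadata address), CGNAT and reserved space.
    return ip.is_global and not ip.is_multicast

def system_resolver(host):
    """Every address the host name currently resolves to."""
    infos = socket.getaddrinfo(host, None, type=socket.SOCK_STREAM)
    return sorted({info[4][0] for info in infos})

def check_destination(url, resolver=system_resolver):
    """Return (allowed, reason, addresses) for a URL the server is asked to fetch."""
    try:
        parts = urlsplit(url)
    except ValueError:
        return False, "malformed URL", []
    if parts.scheme not in ALLOWED_SCHEMES:
        return False, "scheme is not http or https", []
    host = parts.hostname
    if not host:
        return False, "URL has no host", []
    try:
        addresses = [str(ipaddress.ip_address(host))]  # host is an IP literal
    except ValueError:
        try:
            addresses = resolver(host)  # host is a name: resolve it first
        except OSError:
            return False, "host did not resolve", []
    if not addresses:
        return False, "host did not resolve", []
    # One internal address among several public ones is enough to refuse.
    for addr in addresses:
        if not is_public_ip(addr):
            return False, "non-public address " + addr, []
    return True, "ok", addresses
```

The fetcher should connect to the returned addresses rather than resolving the name a second time, and run the same check on every redirect target, so that the address that was validated is the one that is contacted.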
AI-generated changes to your career records are shown to you as proposals for review before anything is saved. When you confirm a proposal, the system rechecks the current saved state of the relevant record — if the record has changed since the proposal was generated, the stale apply action is rejected and you are asked to regenerate the suggestion. This prevents AI writes from inadvertently overwriting more recent manual edits.
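The stale-apply check described above can be sketched as follows. This is an added example, not Alynd's implementation: the content fingerprint, the in-memory `store` dictionary and all function names are assumptions, and a per-record version counter would serve the same purpose.

```python
import hashlib
import json

class StaleProposalError(Exception):
    """The saved record changed after the proposal was generated."""

def fingerprint(record):
    """Stable hash of a record's saved state (keys sorted so order is irrelevant)."""
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def make_proposal(record_id, store, changes):
    """Capture the state the suggestion was based on, alongside the suggestion."""
    return {
        "record_id": record_id,
        "base": fingerprint(store[record_id]),
        "changes": dict(changes),
    }

def apply_proposal(proposal, store):
    """Write the proposed changes only if the record is unchanged since proposal time."""
    record_id = proposal["record_id"]
    current = store[record_id]
    # Recheck against the saved state at confirmation time, not the state the
    # client last displayed. In a real database this comparison and the write
    # must happen atomically (one transaction or a conditional UPDATE).
    if fingerprint(current) != proposal["base"]:
        raise StaleProposalError("record %s changed; regenerate the suggestion" % record_id)
    updated = {**current, **proposal["changes"]}
    store[record_id] = updated
    return updated
```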
Incident response
In the event of a personal data breach that is likely to result in a risk to your rights and freedoms, we will notify affected users and report to the UK Information Commissioner's Office within 72 hours of becoming aware of the breach, as required by UK GDPR. We will provide you with a clear description of the breach, the data affected, and the steps we are taking to address it.
Responsible disclosure
If you discover a security vulnerability in the Service, please report it to security@alynd.net. Include the affected route or feature, browser and account context where it is safe to share, steps to reproduce the issue, and the potential impact. You do not need to include unnecessary personal data in your report.
We will acknowledge your report within 48 hours and work to resolve confirmed issues promptly. Please do not publicly disclose a vulnerability until we have had a reasonable opportunity to investigate and address it. We appreciate responsible disclosure and will keep you informed of progress on confirmed issues.
Your responsibilities
Security is a shared responsibility. To protect your Account and data, you should:
- Use a strong, unique password that is not reused across other services.
- Keep your email account secure — it controls password reset access to your Alynd Account.
- Review all AI-generated content before sending it to employers or other third parties.
- Revoke sessions from Settings if you believe your Account has been accessed from an unrecognised device.
- Avoid uploading documents that contain unnecessary sensitive personal data about other individuals.
- Report suspicious activity or security concerns to info@alynd.net promptly.