Security at Nurcareer
We treat your data the way we would want ours treated — encrypted, monitored, and accessible to as few people as the business demands.
Last updated 5 May 2026.
How we protect your data
Encryption everywhere
TLS 1.2+ for data in transit. AES-256 at rest. Sensitive fields encrypted with envelope keys managed by AWS KMS.
Authentication
Bcrypt password hashing (12 rounds). Optional 2FA. SSO via Google. Refresh-token rotation with revocation.
Infrastructure
Hosted on AWS with isolated VPCs, least-privilege IAM, signed audit logs and 24/7 alerting.
Monitoring
Continuous logging, anomaly detection and structured incident response. We test our runbook quarterly.
Compliance
NDPR-aligned. GDPR-ready. SOC 2 Type II audit in progress (target Q3 2026). DPA available on request.
Access controls
Employee access is need-to-know, MFA-required, and reviewed quarterly. Production access is logged and time-bound.
Sub-processors
We rely on a small set of vetted vendors to deliver the Service. Each is bound by a data-processing agreement and reviewed annually.
| Vendor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Hosting, database, file storage | eu-west-1 |
| Stripe / Paystack | Payment processing | Global |
| Postmark | Transactional email | United States |
| Cloudflare | DNS, edge security, DDoS protection | Global |
| Sentry | Error monitoring | United States |
| Google Workspace | Internal collaboration | Global |
Found a vulnerability?
We welcome responsible disclosure. Please email security@nurcareer.com with details and a proof of concept. We acknowledge within 24 hours and aim to triage within 3 business days.
- Do not access more data than necessary to demonstrate the issue.
- Do not share or publish the issue before we have remediated it.
- We commit not to pursue legal action against good-faith researchers.
Compliance & contracts
For a DPA, security questionnaires (SIG, CAIQ), penetration test summaries or SOC 2 progress reports, contact trust@nurcareer.com.
Enterprise customers receive a dedicated security review during onboarding and quarterly compliance reviews thereafter.
Trust is a feature.
We treat security as a product surface — owned, measured and continuously improved.