Trust Centre

Security at OpenRole

You're trusting us with your employer brand data. We take that seriously. Here's exactly how we protect it.

Infrastructure

Built on providers with independently verified security certifications.

Vercel

Application hosting & edge network

  • SOC 2 Type II certified
  • ISO 27001 certified
  • GDPR compliant
  • Automatic DDoS protection

Supabase

Database & authentication

  • SOC 2 Type II certified
  • HIPAA available
  • EU data residency (London region)
  • Row Level Security enforced

Encryption

Your data is encrypted everywhere — in transit and at rest.

In transit

All connections use TLS 1.3. We enforce HSTS with a one-year max-age across all subdomains.

At rest

Database encrypted with AES-256. Backups encrypted with separate keys. Point-in-time recovery enabled.

API keys

Hashed with bcrypt before storage. Only the key prefix is stored in plaintext for identification. Keys are never logged or exposed in responses.

The OpenRole Pixel

When you add our pixel to your careers page, here's exactly what it does — and what it doesn't.

What the pixel does

  • Serves structured employer data (JSON-LD) to AI crawlers
  • Communicates only with OpenRole API endpoints
  • Includes Subresource Integrity (SRI) hash for tamper detection
  • Loads asynchronously — zero impact on page performance
  • Source code is fully inspectable

What the pixel never does

  • Sets cookies or uses local storage
  • Tracks visitors or collects personal data
  • Makes requests to third-party domains
  • Modifies your page content or DOM
  • Loads external dependencies

Verify it yourself. Every version of the pixel includes an SRI hash. You can verify the script hasn't been modified by checking the integrity attribute in your embed code against our integrity endpoint.

Access Control

Strict boundaries on who can access what.

Row Level Security

Every database query is filtered at the database level. API key holders can only access their own company data. No application-level bypass possible.

API key management

Keys support rotation with a 24-hour grace period. Old keys expire automatically. Key usage is logged for audit trails.

Request signing

Pixel-to-API communication uses HMAC-SHA256 request signing with timestamp validation, preventing replay attacks and request tampering.

Rate limiting

All API endpoints enforce per-IP rate limits. Audit endpoints have stricter limits to prevent abuse. Exceeding limits returns 429 with Retry-After headers.

Compliance

Meeting the standards your legal and procurement teams require.

GDPR

EU data protection compliant. Data Processing Agreement available on request.

SOC 2

Built on SOC 2 Type II certified infrastructure. Own certification in progress.

UK DPA

UK Data Protection Act 2018 compliant. EU-adequate data handling standards.

Data Handling

Clear rules on what we collect, where it lives, and how long we keep it.

Data type                 Purpose                     Retention
Company name & domain     Audit identification        While account active
Audit results & scores    Report generation           12 months from audit
Work email address        Audit delivery & account    Until deletion requested
Pixel analytics           AI visibility metrics       90-day rolling window
API logs                  Security & debugging        30 days

We never sell your data. We never share it with third parties for marketing. Full deletion available within 48 hours of request.

Responsible Disclosure

Found a security issue? We want to hear about it.

Email security@openrole.co.uk with details of the vulnerability. We commit to acknowledging reports within 24 hours, providing an initial assessment within 72 hours, and keeping you informed of our remediation progress. We will not take legal action against researchers acting in good faith.

Questions about security?

We're happy to discuss our security practices, provide additional documentation, or arrange a call with our team.

Get in touch