Security and data processing
Last reviewed 18 July 2026This page explains the controls currently present in JOBE Recruit and the main data-processing relationships. It is written to help a recruiter assess the service without suggesting that risk can be eliminated.
Security summary
- HTTPS on the production domain, security headers and same-origin frame restrictions.
- Google/Supabase authentication and server verification of authenticated API requests.
- Supabase row-level access policies for individual workspaces and server-side membership/role checks for shared Business workspaces.
- AI, transcription, Stripe and SMTP credentials remain on the server and are not placed in browser storage.
- Request-size limits, input checks and per-address rate limits on sensitive or cost-bearing endpoints.
- Call-audio bytes are transmitted for requested transcription and are not persisted by the JOBE application.
- Public shortlists expire after 30 days, can be revoked, and support an optional six-digit PIN stored as a one-way hash with a per-link failed-attempt lockout. Existing four-digit protected links remain compatible.
- Client shortlist feedback is limited per link and stores one current decision per candidate, so replayed submissions do not inflate response counts.
Where information is held
- User browser: a synchronised local copy, drafts and settings used for responsive operation. Account-scoped data is cleared on sign-out.
- Supabase: authenticated account identity, individual workspace state and client-shortlist records. Database policies restrict individual workspace operations to the authorised account.
- Railway-hosted application database: subscription entitlements, Business team and seat records, shared Business workspace state, team recycle and redacted activity records, lead-credit balance and ledger, marketplace source snapshots and unlock records, support tickets, product feedback, limited audit information and a 30-day AI-output cache. The production database is kept on a mounted persistent volume with restricted filesystem permissions. Shared-workspace requests require a verified session and server-side membership and role checks. Member credit spending and deletion are owner-controlled, permanent deletion from the team recycle bin is owner-only, and recoverable deleted copies are automatically purged after 30 days.
- Task-specific providers: selected content is sent to the provider needed to complete an AI, transcription, authentication, payment, analytics or support-email request.
Current providers and processing roles
| Provider | Purpose | Information involved | When used |
|---|---|---|---|
| Supabase | Authentication, individual cloud workspaces, synchronisation, shortlist and feedback database | Account identifiers, individual customer workspace records and shortlist records | Signed-in service use |
| Railway | Web application, API hosting and protected Business shared-workspace storage | Requests, operational logs, shared Business records and the other application-database categories described above | All production service use; shared records when Business team functionality is used |
| Stripe | Checkout, subscription status and customer billing portal | Email, selected plan, transaction and entitlement references; card details go directly to Stripe | Trial, purchase and billing management |
| Anthropic | Requested extraction, structuring, summarisation, coaching, recruitment analysis and marketplace scoring or sales preparation | The text, image or corporate prospect fields needed for the requested function | Only when an AI action is requested or a marketplace insight is prepared |
| OpenAI | Requested audio transcription and, when configured, support assistance | Audio for transcription or support question text | Only when the relevant function is requested |
| Account sign-in and optional Google Analytics | Authentication identity; approved screen labels and ordinary analytics request information after consent | At sign-in; analytics only after consent | |
| Resend | Deliver support-ticket notifications and team invitations | Support contact, subject and message; or invited email address, owner email and team name | When a support report or team invitation is submitted and email delivery is configured |
| Companies House | UK corporate identity and status lookup for marketplace research | Company search terms, company number and public corporate data; not candidate records | When corporate prospect research is requested |
This list is updated when a material provider changes. Provider processing locations and safeguards can change; customers needing a particular residency commitment should obtain written confirmation before use.
Marketplace data boundaries
- Marketplace research is designed around incorporated companies and public corporate facts. A verified marker applies only to the identified source fact; AI-derived scores, employee bands, hiring signals and sales wording remain estimates requiring customer review.
- Public contact routes are limited to company-owned contact or careers pages, switchboards and generic role mailboxes. Named people, personal or direct email addresses, mobile numbers, inferred email patterns and Companies House officer or person-with-significant-control details are outside the marketplace dataset.
- Source and retrieval context is retained where needed to evidence an unlock or investigate accuracy. An unlocked corporate prospect remains in the customer workspace until deletion or loss of account access; source verification and premium AI insight should be refreshed or rechecked after 14 days. The underlying audit may remain while needed for disputes, abuse prevention, legal obligations or suppression.
- Sole traders, unincorporated partnerships and uncertain subscriber types must not be treated as corporate subscribers for electronic marketing. Objections are respected through durable suppression records; one-way hashes of normalised company identifiers are checked before a marketplace unlock so an ordinary Do not contact record cannot silently consume credits.
Controller and processor responsibilities
For candidate, client and customer-added recruitment records, the subscribing recruiter or recruitment business normally decides why and how the information is used and is the controller. JOBE acts as its processor when it stores, synchronises or sends those records to a provider to perform the user’s requested function. JOBE is separately an independent controller for account administration, billing, service security, support, consent-based analytics and corporate prospect research that JOBE sources or creates for the lead marketplace. When a customer saves, supplements or uses a marketplace record for outreach, the customer is a separate controller for that use.
Customer responsibilities
- Establish and document a lawful basis, provide required privacy information and respect data-subject rights.
- Upload only what is necessary, configure retention, control team invitations and obtain any required call-recording or transcription consent.
- Use secure devices, protect login sessions, verify recipient details before sharing a shortlist and revoke access that is no longer needed.
- Assess whether its use requires a data protection impact assessment, additional safeguards or a signed data processing agreement.
JOBE processing commitments
- Process workspace information to deliver the service and documented user actions, or as legally required.
- Restrict access to authorised persons and providers that need it for their contracted purpose.
- Maintain proportionate technical and organisational controls, investigate reported incidents and remediate confirmed weaknesses.
- Assist reasonably with data-subject requests, security incidents, deletion/export and information needed for a customer’s compliance assessment.
- Notify the affected customer without undue delay after confirming a personal-data breach where notification is required, using available account or support contact details.
- Delete or return customer workspace information at the end of service on request, subject to backup cycles and records JOBE must retain by law or for a live dispute.
The standard Data processing addendum identifies Christopher John Howitt, trading as JOBE Recruit, as Processor and provides contractual processor clauses, assistance, sub-processor, deletion and audit terms. It becomes commercially complete only when the postal or service address flagged in the Terms is supplied. Customers requiring bespoke or separately signed terms should email chrisjhowitt@gmail.com before uploading personal information.
Current assurance limits
JOBE does not currently claim ISO 27001, SOC 2, Cyber Essentials or another independent security certification, and this page is not a penetration-test report or uptime SLA. Storage encryption, physical security and provider personnel controls depend partly on the named infrastructure providers. Customers that require certification, fixed data residency, customer-managed encryption keys, SSO, a bespoke retention schedule or formal audit rights should confirm suitability before purchase.
Report a security concern
Email chrisjhowitt@gmail.com with “JOBE Recruit security report” in the subject. Include the affected page, time, browser and safe reproduction steps. Do not access another user’s data, disrupt the service, send malware or include live candidate records, passwords, tokens or full database extracts in the initial report.