What we do to keep your data safe.

A practice interview captures something personal — your work history, how you tell your story, what makes you nervous. We treat it that way. Here is the actual state of our security posture as of April 2026. When we reach a new milestone (formal audit, pen test, SOC 2), this page gets updated.

Transport encryption

Every request between your browser, our servers, and our vendors runs over HTTPS with modern TLS. The browser-to-edge leg uses Vercel's managed certificates; the edge-to-origin and origin-to-vendor legs are all TLS 1.2+. Plain HTTP is redirected.

Encryption at rest

• Neon Postgres — where we store accounts, transcripts, feedback, and subscription state — encrypts storage at rest with AES-256.
• Cloudflare R2 — where we store uploaded resumes and optional audio recordings — encrypts objects at rest by default.
• Secrets (API keys, session signing keys, DB URLs) live in Vercel and Railway environment variables, not in source control.

Authentication

• No plaintext passwords, ever. Passwords are hashed with bcrypt (cost factor 10) before they hit the database. We can't recover your password — if you forget it, we issue a reset link.
• Session tokens are signed JWTs stored in HTTP-only, Secure, SameSite=Lax cookies. They expire and rotate.
• Voice sessions use short-lived LiveKit tokens issued per-session; they can't be reused.

Access control

Production database and infrastructure access is restricted to the founder. Every server-side route checks the session on every request before returning your data. API endpoints that touch a specific user's session explicitly verify ownership — you can't enumerate someone else's feedback by guessing an ID.

We don't train on your data

Your transcripts, resumes, and audio are never used to train any public AI model — not ours, not our vendors'. Our inference vendors (Anthropic via OpenRouter, Deepgram, ElevenLabs) are on commercial terms that explicitly prohibit training on customer data. We do not sell any data to anyone.

Data retention & deletion SLA

• Session transcripts default to 90-day retention. Audio recordings default to 30 days (if you opted in).
• You can delete any individual session from your dashboard at any time.
• If you request full account deletion — support@instantinterviewer.com — we purge your transcripts, resumes, recordings, and profile within 30 days. The only thing that may persist is billing records required by tax law, for up to 7 years.
• Server logs are retained 30 days then rotated out.

Backups

Neon handles database backups automatically with point-in-time recovery. Backups are encrypted at rest and fall under the same deletion schedule — when you delete your account, your data is scrubbed from live DB immediately and ages out of backups within the backup-window window.

Vendor posture

We chose our vendors in part because they've already been audited:

• Vercel — SOC 2 Type II, ISO 27001.
• Neon — SOC 2 Type II.
• Cloudflare R2 — SOC 2 Type II, ISO 27001.
• Stripe — PCI DSS Level 1.
• Deepgram, ElevenLabs, LiveKit, Anthropic — enterprise SOC 2 or equivalent. Links on request.

Incident response

If we discover a security issue that may have exposed user data, we will notify affected users by email within 72 hours of confirming the scope, along with what was exposed and what we're doing. If you think you've found a vulnerability, please email security@instantinterviewer.com. We read every report, respond within 3 business days, and don't take legal action against good-faith researchers.

What we don't have yet

Honest inventory of things we haven't done — so you know where the limits are:

• No formal SOC 2 audit yet (planned post-product-market-fit).
• No formal penetration test yet.
• No customer-managed encryption keys (BYOK).
• No SSO / SAML.

If any of those are deal-breakers for your use case, tell us and we'll sequence accordingly.

Contact

Security reports: security@instantinterviewer.com. Everything else: support@instantinterviewer.com.