Security statement
This page describes how we protect the EmbedPeople careers website and the applications submitted through it. It covers the careers site only. The main EmbedPeople platform has its own controls.
How traffic is protected
All traffic is encrypted in transit. Plain HTTP and alternative subdomains redirect to the primary HTTPS endpoint. The site is served from infrastructure inside the European Economic Area.
Application security
- Forms are protected against cross-site request forgery, automated submission, and common spam patterns.
- Modern browser security headers are enforced, including a strict content security policy, frame and content-type protections, and a conservative referrer policy.
- Administrative access is gated behind multiple independent checks and is not publicly discoverable. Failed sign-in attempts are throttled.
- Administrator credentials are stored using modern password hashing. Sessions use secure, http-only, strict cookies and are rotated on sign-in.
- Secrets such as integration tokens are encrypted at rest and never displayed in full once stored.
How we handle your data
- Application data and CVs are processed by our applicant-tracking workflow and removed from the careers website once the hiring team has received them. Only an anonymous internal record remains, used purely to count applications per role.
- Databases and uploaded files live outside the public web root and are not directly accessible by URL.
- CVs are not exposed as static files. They are reachable only by the hiring team through a short-lived, authenticated path while the application is being processed.
- If forwarding to our tracking workflow fails for any reason, the application is held briefly so the team can retry, and then automatically removed.
Reporting a vulnerability
If you find a security issue, please email [email protected]. Include a clear description and steps to reproduce. We acknowledge reports within five working days.
Please do not run automated scans against the live site, and please do not access or download data that is not your own. We will not pursue legal action against good-faith researchers who report issues responsibly.
Last updated 3 July 2026.