Security statement
This page describes how the careers.embedpeople.com careers website is built and operated, and how to report a security issue. It covers the careers site only. The main EmbedPeople platform has its own controls.
Hosting and transport
The site is hosted on TransIP shared hosting in the Netherlands and fronted by Cloudflare. All traffic is served over HTTPS with HSTS. Plain HTTP and the www subdomain are redirected.
Application security
- All forms include CSRF tokens that are validated on the server.
- A Content Security Policy restricts which sources of script, style, font and media the browser will load.
- X-Content-Type-Options, X-Frame-Options, and Referrer-Policy are set.
- Admin passwords are stored as bcrypt hashes. Session cookies are set with the HttpOnly, Secure and SameSite=Strict attributes, and the session ID is regenerated on login.
- Admin login is rate-limited per IP.
- The application form has a honeypot field, a minimum submit time, and optional Akismet checks for spam protection.
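The following is an added example, not code from the careers site itself, showing how the controls listed above fit together in a single request handler. It assumes a PHP application (the page does not say which language the site uses), and the CSP values, the hidden field name `website` and the three-second minimum submit time are illustrative choices rather than the site's real settings. Rate limiting and Akismet are left out.

```php
<?php
// Added example, not the careers site's own code. Assumes PHP; header values,
// field names and thresholds are illustrative, not the site's real configuration.
declare(strict_types=1);

// --- Response headers: CSP limited to same-origin script/style/font/media ---
function send_security_headers(): void {
    header("Content-Security-Policy: default-src 'self'; script-src 'self'; "
         . "style-src 'self'; font-src 'self'; img-src 'self' data:; "
         . "media-src 'self'; frame-ancestors 'none'");
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: DENY');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
}

// --- Session cookie hardening: HttpOnly, Secure, SameSite=Strict ---
function start_hardened_session(): void {
    session_set_cookie_params([
        'lifetime' => 0,
        'path'     => '/',
        'secure'   => true,
        'httponly' => true,
        'samesite' => 'Strict',
    ]);
    session_start();
}

// --- CSRF: one random token per session, compared in constant time ---
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrf_valid(?string $submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

// --- Admin passwords: bcrypt via password_hash / password_verify ---
function hash_admin_password(string $plain): string {
    return password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
}

function admin_login(string $submittedPassword, string $storedHash): bool {
    if (!password_verify($submittedPassword, $storedHash)) {
        return false;
    }
    // Regenerate the session ID on login so a pre-login ID cannot be fixated.
    session_regenerate_id(true);
    $_SESSION['admin'] = true;
    return true;
}

// --- Application form spam checks: honeypot field + minimum submit time ---
const MIN_SUBMIT_SECONDS = 3; // hypothetical threshold

function record_form_render(): void {
    $_SESSION['form_rendered_at'] = time();
}

function form_looks_like_spam(array $post): bool {
    // The honeypot input is hidden by CSS: humans leave it empty, bots fill it.
    if (!empty($post['website'])) {
        return true;
    }
    $renderedAt = (int) ($_SESSION['form_rendered_at'] ?? 0);
    return (time() - $renderedAt) < MIN_SUBMIT_SECONDS;
}

// --- Wiring it together for the application form ---
send_security_headers();
start_hardened_session();

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
    if (form_looks_like_spam($_POST)) {
        http_response_code(400);
        exit('Submission rejected');
    }
    // ... validate fields, store the CV, forward to Slack (not shown here) ...
} else {
    record_form_render();
    $token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
    echo '<form method="post">'
       . '<input type="hidden" name="csrf" value="' . $token . '">'
       . '<input type="text" name="website" tabindex="-1" autocomplete="off" style="display:none">'
       . '<button type="submit">Apply</button></form>';
}
```

The token comparison uses hash_equals so that a wrong token takes the same time to reject as a nearly right one, and the session ID is regenerated only after the password check succeeds, which is the point at which the session's privilege level changes.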
Data handling
- The SQLite database lives outside the public web root and is blocked by .htaccess.
- Uploaded CVs are stored outside the public web root with randomised filenames.
- Direct URLs to CV files are not exposed. CVs are accessible only through a token-protected route during the short window between submission and successful forwarding to Slack.
- Once an application has been forwarded to Slack, the application data and the CV are deleted from the careers website.
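As an added example (again not the site's own code), this sketches the CV handling described above: a random filename in a directory outside the web root, a download route that only works with a per-application token for a limited time, and deletion of both the database row and the file once the application has been forwarded. It assumes PHP, a hypothetical SQLite table created inline, hypothetical paths under `/home/example/private`, and a 15-minute token lifetime standing in for the "short window" the statement mentions.

```php
<?php
// Added example, not the careers site's own code. Assumes PHP; the paths,
// table schema and token lifetime below are hypothetical.
declare(strict_types=1);

const CV_DIR  = '/home/example/private/cvs';        // hypothetical, outside the web root
const DB_PATH = '/home/example/private/careers.db'; // hypothetical, outside the web root
const TOKEN_TTL_SECONDS = 900;                      // hypothetical "short window"

function db(): PDO {
    $pdo = new PDO('sqlite:' . DB_PATH);
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE IF NOT EXISTS applications (
        id INTEGER PRIMARY KEY,
        name TEXT NOT NULL,
        cv_filename TEXT NOT NULL,
        cv_token TEXT NOT NULL UNIQUE,
        token_expires INTEGER NOT NULL
    )');
    return $pdo;
}

// $upload is the $_FILES entry for the CV field. The file is accepted only if
// its content is a PDF, and it is stored under a random name so the applicant's
// original filename never reaches disk or a URL.
function store_application(string $name, array $upload): string {
    if (($upload['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($upload['tmp_name']);
    if ($mime !== 'application/pdf') {
        throw new RuntimeException('Only PDF CVs are accepted');
    }
    $filename = bin2hex(random_bytes(16)) . '.pdf';
    if (!move_uploaded_file($upload['tmp_name'], CV_DIR . '/' . $filename)) {
        throw new RuntimeException('Could not store CV');
    }
    $token = bin2hex(random_bytes(32));
    $stmt = db()->prepare('INSERT INTO applications (name, cv_filename, cv_token, token_expires)
                           VALUES (:name, :file, :token, :exp)');
    $stmt->execute([
        ':name'  => $name,
        ':file'  => $filename,
        ':token' => $token,
        ':exp'   => time() + TOKEN_TTL_SECONDS,
    ]);
    return $token; // the only handle that is ever placed in a URL
}

// Download route, e.g. /cv.php?t=<token>. Unknown or expired tokens get a 404,
// and basename() keeps the stored name from ever escaping CV_DIR.
function serve_cv(string $token): void {
    $stmt = db()->prepare('SELECT cv_filename FROM applications
                           WHERE cv_token = :t AND token_expires > :now');
    $stmt->execute([':t' => $token, ':now' => time()]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $path = $row ? CV_DIR . '/' . basename($row['cv_filename']) : null;
    if ($path === null || !is_file($path)) {
        http_response_code(404);
        exit;
    }
    header('Content-Type: application/pdf');
    header('Content-Disposition: attachment; filename="cv.pdf"');
    header('X-Content-Type-Options: nosniff');
    header('Cache-Control: no-store');
    readfile($path);
}

// Called once the Slack forward has succeeded: remove the row and the file.
function delete_forwarded(string $token): void {
    $pdo  = db();
    $stmt = $pdo->prepare('SELECT cv_filename FROM applications WHERE cv_token = :t');
    $stmt->execute([':t' => $token]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row) {
        @unlink(CV_DIR . '/' . basename($row['cv_filename']));
        $pdo->prepare('DELETE FROM applications WHERE cv_token = :t')
            ->execute([':t' => $token]);
    }
}

// Hypothetical routing for the download endpoint.
if (isset($_GET['t']) && is_string($_GET['t'])) {
    serve_cv($_GET['t']);
}
```

Because the file and the database both sit outside the public web root, the .htaccess rule the statement mentions is a second layer rather than the only thing standing between a browser and the data; the token route is the sole path to a CV, and deleting the row after forwarding closes it regardless of the expiry.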
Reporting a vulnerability
If you find a security issue, please email [email protected]. Include a clear description and steps to reproduce. We will acknowledge within five working days.
Please do not run automated scans against the live site, and please do not access or download data that is not your own. We will not pursue legal action against good-faith security researchers who report issues responsibly.
Last updated 14 May 2026.