Security

Your career data, locked down.

This page describes the controls Upplio operates today. It's app-owner content, not an independent audit. If you need our SOC 2 report or a DPA, email security@upplio.ai.

Encryption in transit & at rest

All traffic uses TLS 1.2+. Career content is stored encrypted at rest by our managed database provider.

Row-Level Security

Every data table is protected by row-level policies — users can only access their own resumes, stories, and sessions.

Auth & sessions

Email + Google sign-in via Supabase Auth. Sessions are short-lived JWTs with refresh rotation.

Managed infra

Hosted on a SOC 2-compliant cloud platform. We use the principle of least privilege for internal access.

No resale, no model training

We never sell your data, and our AI providers are contractually prohibited from training foundation models on your content.

Incident response

Material security incidents are disclosed to affected users within 72 hours of confirmation.

Vulnerability reporting

Found a security issue? Email security@upplio.ai with the steps to reproduce. We acknowledge within 2 business days and credit researchers in our hall of fame on request.

Delete your data anytime

From Settings → Account → Delete account, your data is permanently removed within 30 days.