This page describes the controls Upplio operates today. It's app-owner content, not an independent audit. If you need our SOC 2 report or a DPA, email security@upplio.ai.
All traffic uses TLS 1.2+. Career content is stored encrypted at rest by our managed database provider.
Every data table is protected by row-level policies — users can only access their own resumes, stories, and sessions.
Email + Google sign-in via Supabase Auth. Sessions are short-lived JWTs with refresh rotation.
Hosted on a SOC 2-compliant cloud platform. We use the principle of least privilege for internal access.
We never sell your data, and our AI providers are contractually prohibited from training foundation models on your content.
Material security incidents are disclosed to affected users within 72 hours of confirmation.
Found a security issue? Email security@upplio.ai with the steps to reproduce. We acknowledge within 2 business days and credit researchers in our hall of fame on request.
From Settings → Account → Delete account, your data is permanently removed within 30 days.