Back to overview

Trust & Security

Encryption & data protection

OppZen treats your career data as some of the most sensitive information you own. This page explains, in plain terms, how we protect it at every layer.

Last updated: January 2026

01Encryption at rest

Sensitive personal data is encrypted before it is written to disk. Encryption keys are managed by our cloud provider's key management service and are never stored alongside the data they protect.

  • Authenticated encryption for personally identifiable information (PII)
  • A unique initialization vector per encryption operation
  • Provider-managed keys with restricted, audited access

02Isolated PII vault

Your most sensitive identity fields — government identifiers, phone numbers, and similar data — live in a dedicated, isolated store, separated from your everyday career data. This prevents accidental joins and limits the blast radius of any single issue.

03Per-user storage isolation

Every row of your data is scoped to your account through PostgreSQL Row-Level Security (RLS). Database policies enforce that a signed-in user can only read or write their own data — the rule is applied by the database itself, not just the application.

04Encryption in transit

All traffic between your device and OppZen is protected with TLS. Data is encrypted on the wire whether you use the web app or a future native app — both hit the same secured backend.

05Access auditing

Reads and writes to sensitive data append an immutable record to an access audit log. This gives a complete, tamper-resistant history of who accessed what and when.

06Authentication & sessions

Authentication is handled by a dedicated, hardened identity service. Passwords are salted and hashed; session tokens are stored in hashed form. Optional two-factor authentication (TOTP) adds a second step at sign-in.

This page is maintained by OppZen and is provided for transparency. It is not legal advice and does not assert any third-party certification we have not earned. For questions, reach us at our contact page.