Trust & Security
Encryption & data protection
OppZen treats your career data as some of the most sensitive information you own. This page explains, in plain terms, how we protect it at every layer.
Last updated: January 2026
01Encryption at rest
Sensitive personal data is encrypted before it is written to disk. Encryption keys are managed by our cloud provider's key management service and are never stored alongside the data they protect.
- Authenticated encryption for personally identifiable information (PII)
- A unique initialization vector per encryption operation
- Provider-managed keys with restricted, audited access
02Isolated PII vault
Your most sensitive identity fields — government identifiers, phone numbers, and similar data — live in a dedicated, isolated store, separated from your everyday career data. This prevents accidental joins and limits the blast radius of any single issue.
03Per-user storage isolation
Every row of your data is scoped to your account through PostgreSQL Row-Level Security (RLS). Database policies enforce that a signed-in user can only read or write their own data — the rule is applied by the database itself, not just the application.
04Encryption in transit
All traffic between your device and OppZen is protected with TLS. Data is encrypted on the wire whether you use the web app or a future native app — both hit the same secured backend.
05Access auditing
Reads and writes to sensitive data append an immutable record to an access audit log. This gives a complete, tamper-resistant history of who accessed what and when.
06Authentication & sessions
Authentication is handled by a dedicated, hardened identity service. Passwords are salted and hashed; session tokens are stored in hashed form. Optional two-factor authentication (TOTP) adds a second step at sign-in.
