
Security

Your professional record is a career-critical asset. Memoa treats it with the same rigor as a financial institution treats a ledger: every layer is auditable, encrypted, and access-controlled.

Encryption at Rest & in Transit

All data is encrypted at rest with AES-256 at the storage layer (Supabase) and in transit with TLS 1.3 (Vercel). Secrets such as OAuth tokens are additionally encrypted at the application layer before they are written to the database, so reading a stored row alone does not yield a usable token.

Row-Level Security

Every database query runs under the requesting user's identity and is filtered by PostgreSQL Row-Level Security policies. Isolation is enforced by the database rather than by the API layer: an endpoint that omits a filter or is routed incorrectly still cannot read, modify, or delete another user's rows. Service-role credentials, which bypass RLS by design, are confined to server-side code (see Access Control).

Immutable Audit Trail

Every mutation is logged automatically with a timestamp, the actor's identity, and request metadata. Confirmed artifacts are versioned and immutable: an edit creates a new version and never overwrites an existing one.
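As an added illustration of the two controls above (not Memoa's schema or code): a PostgreSQL layout under Supabase in which an artifacts table is readable and writable only by its owner, and a trigger records every mutation into an append-only audit table. Table and column names are assumptions; `auth.uid()` is Supabase's helper that returns the `sub` claim of the caller's JWT, and `request.jwt.claims` and `request.headers` are the per-request settings PostgREST populates.

```sql
-- Added example (not Memoa's schema). Assumes a Supabase Postgres database:
-- auth.uid() returns the caller's JWT subject, the `authenticated` role exists,
-- and PostgREST sets request.jwt.claims / request.headers for each request.

create table public.artifacts (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null default auth.uid(),
  title      text not null,
  body       jsonb not null,
  created_at timestamptz not null default now()
);

-- Tenant isolation lives in the database. FORCE applies the policies to the
-- table owner as well; only roles with BYPASSRLS (Supabase's service_role,
-- server-side only) are exempt.
alter table public.artifacts enable row level security;
alter table public.artifacts force row level security;

create policy artifacts_owner_select on public.artifacts
  for select to authenticated
  using (owner_id = auth.uid());

create policy artifacts_owner_insert on public.artifacts
  for insert to authenticated
  with check (owner_id = auth.uid());

-- No UPDATE or DELETE policy: for an API caller those statements match zero
-- rows, whatever the request asks for. Edits are written as new rows.

-- Append-only audit table: no policies and no direct grants, so API roles can
-- neither read nor write it; only the SECURITY DEFINER trigger below inserts.
create table public.audit_log (
  id         bigint generated always as identity primary key,
  table_name text not null,
  row_id     uuid not null,
  operation  text not null,            -- INSERT / UPDATE / DELETE
  actor_id   uuid,                     -- null for service-role requests
  claims     jsonb,                    -- full JWT claims of the caller
  headers    jsonb,                    -- request headers as seen by PostgREST
  old_row    jsonb,
  new_row    jsonb,
  logged_at  timestamptz not null default now()
);
alter table public.audit_log enable row level security;
revoke all on public.audit_log from authenticated, anon;

create or replace function public.log_mutation() returns trigger
language plpgsql security definer set search_path = public as $$
begin
  insert into public.audit_log
    (table_name, row_id, operation, actor_id, claims, headers, old_row, new_row)
  values (
    tg_table_name,
    case when tg_op = 'DELETE' then old.id else new.id end,
    tg_op,
    auth.uid(),
    nullif(current_setting('request.jwt.claims', true), '')::jsonb,
    nullif(current_setting('request.headers', true), '')::jsonb,
    case when tg_op in ('UPDATE', 'DELETE') then to_jsonb(old) end,
    case when tg_op in ('INSERT', 'UPDATE') then to_jsonb(new) end
  );
  return null;  -- AFTER trigger: the return value is ignored
end $$;

create trigger artifacts_audit
  after insert or update or delete on public.artifacts
  for each row execute function public.log_mutation();
```

Two details worth checking in any RLS deployment of this shape: that `force row level security` is set on tables the `postgres` role also touches (otherwise owner-run queries skip the policies), and that the audit table has no policy and no grant for API roles, since a writable audit table is not an audit trail.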

Privacy by Default

Your data is only visible to you unless you explicitly share it. Recruiter views enforce candidate-controlled visibility scope.

No Raw Text in Telemetry

The telemetry event schema has no free-text field, so the pipeline cannot carry raw user text. Analytics use aggregate counts and hashed (pseudonymous) identifiers only.

SOC 2 Aligned Infrastructure

Hosted on infrastructure covered by SOC 2 Type II attestation reports, with automated vulnerability scanning, dependency auditing, and integrity checks on every deployment.

Infrastructure

Memoa runs on Supabase (PostgreSQL) with Vercel Edge Functions for API routing. Both platforms hold SOC 2 Type II attestation reports. Our infrastructure is deployed in US regions with automatic failover.

  • Database: Supabase PostgreSQL with daily automated backups and point-in-time recovery.
  • API: Vercel Edge Network with automatic DDoS mitigation and traffic isolation.
  • Authentication: Supabase Auth with PKCE flow, magic links, and optional multi-factor authentication.
  • CDN: Vercel Edge Network with automatic certificate management (TLS 1.3).

Access Control

Memoa enforces a zero-trust access model. Every API request is authenticated and authorized against the user's session and entitlement tier.

  • Server-authoritative entitlements — the UI reflects permissions but never enforces them alone.
  • Row-Level Security (RLS) on every table ensures database-level tenant isolation.
  • Service role keys are restricted to server-side operations and never exposed to client code.
  • Admin operations require explicit role grants and are logged in an immutable audit table.
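One way to make entitlements server-authoritative all the way down to the database, as an added example rather than Memoa's own code: the tier lookup and the quota rule are expressed inside a RLS `WITH CHECK` clause, so an API route or UI that skipped the check would still be refused. The `entitlements` table, the tier names and the per-tier artifact limit are invented for illustration; `auth.uid()` and the `authenticated`/`service_role` roles are Supabase's. The transaction at the end shows how to exercise the policies locally by impersonating a user the way PostgREST does.

```sql
-- Added example (not Memoa's code). Assumes Supabase Postgres. The
-- entitlements table, tier names and artifact limit are illustrative only.

create table public.entitlements (
  user_id       uuid primary key,
  tier          text not null check (tier in ('free', 'pro')),
  max_artifacts int  not null check (max_artifacts >= 0)
);
-- A user may read their own tier but never write it: there is no insert,
-- update or delete policy, so the only writer is server-side code holding
-- the service role (which has BYPASSRLS).
alter table public.entitlements enable row level security;
create policy entitlements_self_read on public.entitlements
  for select to authenticated
  using (user_id = auth.uid());

create table public.artifacts (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null default auth.uid(),
  title    text not null
);
alter table public.artifacts enable row level security;
create policy artifacts_owner_select on public.artifacts
  for select to authenticated
  using (owner_id = auth.uid());

-- The quota rule is evaluated by the database on every insert. SECURITY
-- DEFINER lets it count rows and read the entitlement row with the owner's
-- privileges; the explicit owner_id / user_id filters scope it to the caller.
create or replace function public.under_artifact_quota() returns boolean
language sql stable security definer set search_path = public as $$
  select (select count(*) from public.artifacts where owner_id = auth.uid())
       < coalesce((select max_artifacts from public.entitlements
                    where user_id = auth.uid()), 0);
$$;
revoke execute on function public.under_artifact_quota() from public;
grant  execute on function public.under_artifact_quota() to authenticated;

create policy artifacts_owner_insert on public.artifacts
  for insert to authenticated
  with check (owner_id = auth.uid() and public.under_artifact_quota());

-- Exercising the policies locally (run as the database owner): seed an
-- entitlement for a made-up user, adopt the API role and the JWT claims
-- PostgREST would set, then issue the statements the API would. Roll back
-- so nothing persists.
begin;
  insert into public.entitlements (user_id, tier, max_artifacts)
    values ('11111111-1111-1111-1111-111111111111', 'free', 3);
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
    true);
  select tier, max_artifacts from public.entitlements;   -- scoped by policy
  insert into public.artifacts (title) values ('Project retrospective');
  select count(*) from public.artifacts;                 -- scoped by policy
rollback;
```

The impersonation block is also the shape of an automated RLS test: each policy gets a transaction that sets the claims of one user, runs a statement that should succeed and one that should touch zero rows or raise, and rolls back. Run such tests against the migration, not against the UI, since the UI never sees the policies it is supposed to be protected by.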

Data Handling

Your professional data flows through a structured pipeline with strict boundaries at every stage.

  • Raw capture text is preserved verbatim and reviewable at any time.
  • AI extraction runs in an isolated context per request: the model sees only the requesting user's capture text and the prompt, never another user's data.
  • Confirmed artifacts are immutable by version; edits create new versions, never overwrite.
  • Resume source references remain pinned to specific artifact versions until explicit user action.

AI & Extraction Security

Memoa uses AI to structure your notes into career artifacts. We apply strict guardrails to the extraction pipeline:

  • No user data is used to train third-party models. We use the OpenAI API with data-use opt-out.
  • Extraction results are never promoted to confirmed status without explicit user approval.
  • AI-generated content is always labeled and distinguishable from user-authored content.
  • The extraction pipeline can run in heuristic-only mode (no external API calls) as a fallback.
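The data-handling rules above (confirmed versions are immutable, edits become new versions, resume references stay pinned to a version) and the extraction rules (nothing is confirmed without the user's own approval, AI output stays labelled) can all be enforced by the database rather than trusted to application code. What follows is an added example, not Memoa's schema; the table names and the `status`/`authored_by` columns are assumptions, and `auth.uid()` and the `authenticated` role are Supabase's. It goes one step beyond the text by also freezing the body of unconfirmed versions, for a reason explained after the block.

```sql
-- Added example (not Memoa's schema). Assumes Supabase Postgres (auth.uid(),
-- the `authenticated` role). Table names and the status/authored_by columns
-- are illustrative.

create table public.artifact_versions (
  artifact_id uuid not null,
  version     int  not null check (version >= 1),
  owner_id    uuid not null default auth.uid(),
  status      text not null default 'extracted'
              check (status in ('extracted', 'confirmed')),
  authored_by text not null check (authored_by in ('user', 'ai')),
  body        jsonb not null,
  created_at  timestamptz not null default now(),
  primary key (artifact_id, version)
);
alter table public.artifact_versions enable row level security;
create policy versions_owner_all on public.artifact_versions
  to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());

-- Versions are numbered by the database, never by the caller (callers may
-- omit the column; NOT NULL is checked after BEFORE triggers run). Concurrent
-- inserts for one artifact are serialised by the primary key: the loser retries.
create or replace function public.assign_version() returns trigger
language plpgsql as $$
begin
  new.version := 1 + coalesce(
    (select max(version) from public.artifact_versions
      where artifact_id = new.artifact_id), 0);
  return new;
end $$;
create trigger versions_assign
  before insert on public.artifact_versions
  for each row execute function public.assign_version();

-- Triggers fire for every role, including the RLS-bypassing service role, so
-- these rules hold for server-side jobs as well as API callers:
--   * nothing is deleted;
--   * a confirmed version cannot change (an edit is a new INSERT);
--   * the only change an unconfirmed version accepts is the
--     extracted -> confirmed transition, and only from its owner's session
--     (auth.uid() is null under the service role, so an extraction job
--     cannot self-confirm what the model produced).
create or replace function public.freeze_versions() returns trigger
language plpgsql as $$
begin
  if tg_op = 'DELETE' then
    raise exception 'artifact versions are append-only';
  end if;
  if old.status = 'confirmed' then
    raise exception 'artifact % v% is confirmed; insert a new version instead',
      old.artifact_id, old.version;
  end if;
  if to_jsonb(new) - 'status' <> to_jsonb(old) - 'status' then
    raise exception 'only the status of an unconfirmed version may change';
  end if;
  if new.status = 'confirmed' and new.owner_id is distinct from auth.uid() then
    raise exception 'only the owner can confirm a version';
  end if;
  return new;
end $$;
create trigger versions_freeze
  before update or delete on public.artifact_versions
  for each row execute function public.freeze_versions();

-- Resume references are pinned to an exact (artifact_id, version). Inserting
-- a newer version does not move them; the user must update the row, and the
-- foreign key guarantees a reference never dangles.
create table public.resume_sources (
  resume_id   uuid not null,
  artifact_id uuid not null,
  version     int  not null,
  owner_id    uuid not null default auth.uid(),
  primary key (resume_id, artifact_id),
  foreign key (artifact_id, version)
    references public.artifact_versions (artifact_id, version)
);
alter table public.resume_sources enable row level security;
create policy sources_owner_all on public.resume_sources
  to authenticated
  using (owner_id = auth.uid()) with check (owner_id = auth.uid());
```

Freezing the body of unconfirmed rows as well is what keeps the `authored_by` label honest: a row marked `ai` is exactly what the model produced, and a user's correction is a new version marked `user`, so "AI-generated content is distinguishable" becomes a property of the data rather than of the rendering code. Note also that an extraction job running under the service role must supply `owner_id` explicitly (the default `auth.uid()` is null for it), which is the intended friction.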

Vulnerability Management

We continuously monitor for vulnerabilities across our dependency tree and application surface.

  • Automated dependency scanning via GitHub Dependabot and npm audit on every deploy.
  • Static analysis with ESLint security rule packs and TypeScript strict mode across the codebase.
  • Penetration testing scope includes all tRPC endpoints, authentication flows, and RLS policies.
  • If you discover a security vulnerability, contact security@memoa.app for responsible disclosure.

Questions about security?

We welcome security inquiries from enterprise teams and individual professionals. Contact security@memoa.app for detailed security documentation, compliance artifacts, or to report a vulnerability.