How we protect your data and your customers' data
Last updated: 1 March 2026
At Cavuno, we take the security of your data and your customers' data seriously. As a multi-tenant platform that hosts job boards for organizations of all sizes, we understand the responsibility that comes with managing sensitive information on your behalf. This page describes the measures we take to protect data across our platform.
Cavuno is built on industry-leading cloud infrastructure from providers with strong security track records.
We do not operate our own data centers. By building on established infrastructure providers, we benefit from their significant investments in physical security, redundancy, and compliance programs.
All primary infrastructure is located in the United States (US East). This includes our database (AWS us-east-1), application servers (Vercel us-east-1), vector search (Qdrant us-east-1), and analytics (Tinybird us-east-1).
Our database is backed up daily by Supabase, with backups retained for 7 days. Database logs are retained for 7 days. Backups are encrypted at rest. In the event of data loss or corruption, we can restore to any point within the backup retention window.
All data transmitted between your browser and Cavuno is encrypted using TLS 1.2 or higher. This applies to all pages, API endpoints, and webhook callbacks. We enforce HTTPS across all connections — HTTP requests are automatically redirected.
All data stored in our database is encrypted at rest using AES-256. This includes job listings, company profiles, account information, and any other data you store on the platform. Database backups are also encrypted.
User authentication is handled by Supabase Auth. Passwords are hashed using bcrypt and are never stored in plain text. We support multi-factor authentication (MFA) for additional account security.
Session tokens are securely managed using HTTP-only cookies with appropriate SameSite and Secure flags. CSRF protection is enforced on all form submissions.
Cavuno is a multi-tenant platform, meaning multiple customers share the same infrastructure. We enforce strict logical data isolation using PostgreSQL Row-Level Security (RLS) policies at the database level.
RLS ensures that database queries can only access data belonging to the authenticated account. This is enforced by the database engine itself, not application code, providing an additional layer of protection against data leakage between tenants.
All payment processing is handled by Stripe. Credit card numbers, CVVs, and other sensitive payment data are submitted directly to Stripe and never touch our servers. Stripe is a PCI DSS Level 1 certified service provider — the highest level of certification in the payments industry.
Database and infrastructure logs are retained by Supabase for 7 days. Security-relevant events are monitored and reviewed as part of our incident response process.
We set security headers on all responses, including Strict-Transport-Security (HSTS) with includeSubDomains, X-Content-Type-Options, and X-Frame-Options.
Access to production systems is restricted to authorized personnel and governed by the principle of least privilege. SSO and MFA are used when available.
If you believe you have discovered a vulnerability within Cavuno's application, please submit a report to us by emailing hi@cavuno.com. Cavuno does not participate in a bug bounty program at this time, nor do we provide monetary rewards for findings.
We ask that you give us reasonable time to investigate and address the issue before disclosing it publicly. We will acknowledge receipt of your report within 2 business days and aim to provide an initial assessment within 5 business days.
In the event of a security incident, we follow a structured incident response process that includes containment, investigation, remediation, and notification. In accordance with Australia's Notifiable Data Breaches scheme, we will notify affected users and the Office of the Australian Information Commissioner (OAIC) if a breach is likely to result in serious harm.
For a complete list of third-party subprocessors that may process data on our behalf, see our Subprocessors page.
We believe in being upfront about the boundaries of our security program. As a small team, there are areas we haven't addressed yet:
We are actively evaluating these areas and will update this page as our security program matures.
If you have questions about our security practices or would like to request additional information, please contact us at hi@cavuno.com.