
Security

Last reviewed: 7 May 2026

In short

Arden stores your data in a UK / EU-region Postgres database with row-level access control, encrypts secrets at rest with authenticated AES-256-GCM, ships every request over TLS, and lets you delete or export your full profile at any time from /profile. Mail received through linked Gmail / Outlook / IMAP accounts is governed by the Limited Use commitment in our Privacy Policy — no advertising, no resale, no AI training, no human reading without your say-so.

Encryption

In transit

Every request to applywitharden.com is served over TLS 1.3 (HTTPS). HTTP Strict Transport Security is set with a two-year max-age and preload eligibility, so once a browser has talked to us it will not make plain-HTTP requests to us until that max-age expires. Connections from Arden to our sub-processors (Supabase, Anthropic, Stripe, Google, Microsoft, IMAP servers) likewise use TLS.

At rest

Account, profile, and document data is stored in Postgres. Disk encryption is provided by the database provider. Sensitive fields with a higher blast radius — OAuth refresh tokens for connected Gmail and Outlook accounts, IMAP / SMTP passwords — are additionally encrypted at the application layer with AES-256-GCM using a per-row random 96-bit nonce and a 128-bit authentication tag. The encryption key lives in a server-side environment variable that the database does not have access to, so an unauthorised database read does not yield credentials.

Personal access tokens

Long-lived personal access tokens (used by the Gmail Add-on) are stored as SHA-256 hashes only. The raw token is shown to you exactly once at generation time and is not recoverable afterwards.

Access control

Postgres row-level security policies scope every read and write to the authenticated user's id. Server routes that need to bypass RLS (e.g. webhook receivers, background jobs) use a separate service-role credential that lives only in the server environment.

User authentication uses Supabase's GoTrue with JWT-signed access tokens and refresh tokens stored in first-party cookies. We rate-limit signup, login, and password-reset attempts by hashed email + hashed IP to slow credential-stuffing and signup-farming attacks.

Administrative access is gated by a tri-layer admin resolver: a hardcoded root admin email (permanent and irrevocable), a database-managed admin allow-list (added to only with the service-role credential), and an environment-variable allow-list for emergency rotation. There is no "is_admin" column on the user profile table, which prevents self-promotion via the profile-update endpoint.

Network and HTTP hardening

  • HTTP Strict Transport Security (max-age=63072000, includeSubDomains, preload-eligible)
  • Content Security Policy with frame-ancestors 'none' and an explicit allowlist for Google Fonts, Supabase realtime, and Stripe checkout
  • X-Frame-Options: DENY — clickjacking protection for legacy browsers
  • X-Content-Type-Options: nosniff — stops MIME-sniff bypasses
  • Referrer-Policy: strict-origin-when-cross-origin — cross-site referrer header is stripped to the origin only
  • Permissions-Policy denies camera, microphone, geolocation, USB, MIDI, and other powerful APIs by default; only the surfaces that need them (voice and video interview practice) are opted in
  • Cross-Origin-Opener-Policy: same-origin-allow-popups — isolates browsing context while keeping OAuth popups working

Sub-processors

We run on a small, deliberately chosen set of third parties under written data processing agreements. None receives more than what they need to perform their function.

  • Supabase — Postgres database and authentication. EU region.
  • Vercel — application hosting and CDN. Multi-region edge.
  • Anthropic — Claude AI inference for CV, cover-letter, and reply drafting. US region; enterprise no-retain / no-train terms.
  • Stripe — subscription billing and card processing. We never see card numbers.
  • Resend / SendGrid — transactional email (verification, password resets, weekly digests) for the Arden mailbox path.
  • Google — when you opt in to a connected Gmail inbox; data flows are governed by the Limited Use disclosure in our Privacy Policy.
  • Microsoft — when you opt in to a connected Outlook / 365 inbox.

Your rights

  • Delete your full account and data from /profile (Account settings → Delete my account). Deletion is permanent and cascades to applications, documents, email aliases, linked accounts, and email messages.
  • Export a JSON copy of your user-keyed data from the same page. GDPR Art. 20 portability.
  • Disconnect any linked email account from /account/inboxes. Stored credentials are wiped on disconnect; revoking the OAuth grant on Google or Microsoft's side immediately invalidates them.
  • Revoke personal access tokens (Gmail Add-on) at /account/addon-token.
  • See the full enumeration of UK GDPR rights in section 8 of the Privacy Policy.

Vulnerability disclosure

Please report security issues directly — not through public channels — to:

security@applywitharden.com

We commit to:

  • Acknowledging receipt within two business days.
  • Triaging the report and proposing a remediation timeline within seven business days.
  • Crediting the reporter (where they wish) once the issue is closed.

We do not currently run a paid bug bounty programme. We will not pursue legal action against good-faith researchers who follow this disclosure path, refrain from exfiltrating user data beyond what is necessary to demonstrate the issue, and give us a reasonable window to fix before publishing.

Machine-readable contact at /.well-known/security.txt (RFC 9116).

Incident response

If we discover a personal-data breach likely to cause a material risk to user rights, we will notify the UK Information Commissioner's Office within 72 hours per UK GDPR Art. 33 and notify affected users without undue delay per Art. 34.

Arden uses only strictly-necessary cookies to keep you signed in and process payments. We don't use analytics or advertising cookies. See our cookie policy.