Credora runs on Google Cloud (Firebase) with data stored in Firestore, a fully-managed NoSQL database with encryption at rest and in transit. All data is stored in the US (us-central1). Cloud Functions enforce server-side permission checks on every operation — no client can bypass our security rules.
User authentication is handled by Firebase Authentication. Passwords are never stored in plaintext. Role-based access is enforced via signed JWT claims — your role (referrer, company admin, hiring manager) is cryptographically bound to your session and cannot be self-elevated.
Firestore security rules ensure that users can only read and write their own data. Critical collections — audit logs, CredScore™ records, reward documents — are write-protected at the database level. Every privileged administrative action is logged to an immutable audit trail.
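An illustrative Firestore ruleset for the access model described above. This is an added example, not Credora's own rules; the collection names, field names, and role claim values are assumptions. The role comes from the ID token's custom claims (set server-side via the Admin SDK), never from a document the client can edit, and the protected collections reject every client write so only trusted server code can append to them.

```firestore
rules_version = '2';
service cloud.firestore {
  match /databases/{database}/documents {
    // Helpers. request.auth.token carries the signed JWT claims; a client
    // cannot alter them, so reading the role here is safe. A missing claim
    // yields '' and therefore fails every role comparison (deny by default).
    function signedIn() { return request.auth != null; }
    function role() { return request.auth.token.get('role', ''); }
    function companyId() { return request.auth.token.get('companyId', ''); }
    function isOwner(uid) { return signedIn() && request.auth.uid == uid; }

    // Assumed layout: users/{uid} holds the user's own profile.
    // Users may create and edit only their own document, and may not
    // smuggle a 'role' field into it (roles live in claims, not documents).
    match /users/{uid} {
      allow read: if isOwner(uid);
      allow create: if isOwner(uid)
                    && !request.resource.data.keys().hasAny(['role']);
      allow update: if isOwner(uid)
                    && !request.resource.data.diff(resource.data)
                         .affectedKeys().hasAny(['role']);
      allow delete: if false;
    }

    // Assumed company-scoped data: readable by anyone whose claim binds them
    // to that company, writable only by its admins and hiring managers.
    match /companies/{company}/jobs/{jobId} {
      allow read: if signedIn() && companyId() == company;
      allow write: if signedIn() && companyId() == company
                   && role() in ['company_admin', 'hiring_manager'];
    }

    // Write-protected collections: no client write path at all. Cloud
    // Functions using the Admin SDK bypass these rules and remain the sole
    // writer, which is what makes the audit trail append-only from the
    // client's point of view.
    match /auditLogs/{logId} {
      allow read: if signedIn() && role() == 'company_admin'
                  && resource.data.companyId == companyId();
      allow write: if false;
    }
    match /credScores/{scoreId} {
      allow read: if isOwner(resource.data.uid);
      allow write: if false;
    }
    match /rewards/{rewardId} {
      allow read: if isOwner(resource.data.referrerUid);
      allow write: if false;
    }
  }
}
```

Rules like these can be exercised offline against the Firebase emulator with a unit test that attempts a client-side write to `auditLogs` as each role and asserts that all of them are denied.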
Credora uses Stripe for payment processing. Card data never touches our servers. Stripe is PCI DSS Level 1 certified. Referrer payout amounts are computed server-side and locked at hire confirmation — they cannot be altered retroactively.
LinkedIn URL verification is performed by a serverless scraping pipeline with Claude AI analysis. Verification results are stored with expiry timestamps and cannot be self-certified — they require an independent verification pass.
If you discover a security vulnerability, please report it responsibly to hello@credorahire.com. We ask that you do not publicly disclose issues until we have had 90 days to investigate and remediate. We do not currently offer a bug bounty programme but will acknowledge responsible disclosure.