Security

How we protect your data and credentials.

Ronin acts on your behalf across sensitive job platforms. We take security seriously and have built the system with a security-first architecture from the ground up.

OAuth-only platform connections

Ronin never asks for your job platform passwords. All connections (LinkedIn, Indeed, etc.) use OAuth authorization flows managed by Composio. You authorize access in the platform's own UI; we receive only a scoped access token. You can revoke access at any time from your account settings.

No credential storage

We store OAuth access tokens, not usernames or passwords. Tokens are stored encrypted at rest. Even in the event of a breach, raw platform credentials cannot be extracted from our systems.

Row-level security (RLS)

Our database uses Supabase with row-level security enforced at the database level on every table. This means queries from one user account are incapable of returning data belonging to another account - even if there were a bug in the application layer.
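What a per-table policy of this kind looks like in Supabase's Postgres, added here as an illustration rather than Ronin's own schema; the `applications` table, its columns, and the sample user id are assumed:

```sql
-- Added example (not Ronin's schema): one tenant-scoped table guarded by RLS.
-- Table and column names are assumed for illustration.
create table applications (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  job_title  text not null,
  created_at timestamptz not null default now()
);

-- Enable RLS, and FORCE it so even the table owner is subject to the policies.
alter table applications enable row level security;
alter table applications force row level security;

-- With RLS on and no matching policy, Postgres denies by default. Each policy
-- below grants exactly one operation, and only for rows whose user_id equals
-- auth.uid(), the Supabase helper that reads the caller's JWT "sub" claim.
create policy "own rows: select" on applications
  for select to authenticated
  using (user_id = auth.uid());

create policy "own rows: insert" on applications
  for insert to authenticated
  with check (user_id = auth.uid());

create policy "own rows: update" on applications
  for update to authenticated
  using (user_id = auth.uid())
  with check (user_id = auth.uid());

create policy "own rows: delete" on applications
  for delete to authenticated
  using (user_id = auth.uid());

-- Defence-in-depth check: simulate a request from one user (the claims are set
-- per transaction, the way Supabase's API layer does it) and ask for rows that
-- belong to anyone else. Because the filter runs inside the database, the
-- result is zero rows no matter what the application layer asked for.
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub":"00000000-0000-0000-0000-000000000001"}';  -- constructed sample user id
  select count(*) from applications where user_id <> auth.uid();  -- expected: 0
rollback;
```

The `on delete cascade` on `user_id` is also what makes the cascading account deletion described later on this page remove a user's rows when their `auth.users` record goes.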

Encryption in transit

All communication between your browser, our servers, and our database uses TLS 1.2 or higher. We enforce HTTPS-only access with HSTS headers.

Encryption at rest

All data stored in Supabase is encrypted at rest using AES-256. Database backups are also encrypted.

Authentication via Supabase Auth

User authentication is managed by Supabase Auth. Passwords are hashed using bcrypt. We support email/password login with plans to add SSO. Session tokens are short-lived and rotated regularly.

Payment security

Payments are processed by Stripe. Ronin never sees or stores your card details. All billing data lives in Stripe's PCI-compliant infrastructure.

Data isolation

Each user account is a separate tenant. Data associated with your account - jobs, applications, resume content, outreach messages - is logically and cryptographically isolated from other accounts.

Data deletion

When you delete your account, all associated data is deleted immediately via cascading database deletes. Your Supabase auth record is also deleted, permanently revoking login access. Encrypted backups are purged on a rolling 30-day schedule.

Responsible Disclosure

If you discover a security vulnerability, please report it to security@ronin.work before disclosing publicly. We aim to respond within 24 hours and will work with you to resolve the issue quickly.