Trust & Safety

Security

Last updated: 28 May 2026

Security is core to how we built ThoughtPilot. Your profile, CV, and posts are sensitive professional data — we treat them that way. Below is a plain-English overview of the measures we take.


Encryption in transit

All traffic between your browser and our servers is encrypted with TLS 1.2+. We enforce HTTPS across every domain — thoughtpilotai.com, app.thoughtpilotai.com, careers.thoughtpilotai.com, and api.thoughtpilotai.com.


Encryption at rest

Your data is stored in a managed PostgreSQL database on Railway with encryption at rest enabled. Backups are also encrypted.


Authentication

Sessions use signed JWTs stored in a Secure, HttpOnly cookie named tp_token. The cookie cannot be read by JavaScript, expires after 7 days, and is scoped to .thoughtpilotai.com.


Password storage

Passwords are hashed with bcrypt (cost factor 12) before storage. We never store plaintext passwords and cannot retrieve your password — only reset it.


Payment security

We never handle or store card numbers. All payments are processed by Paddle, a PCI-DSS compliant payment provider. ThoughtPilot stores only your Paddle customer ID and subscription status.


API security

All authenticated API routes require a valid session token verified server-side on every request. External API keys (AI providers, email, payments) are stored as environment variables — never in code or the database.


Rate limiting

API endpoints are protected against brute-force and abuse through rate limiting. Failed login attempts are throttled. Usage limits are enforced per account at the server level.


Password reset

Password reset links use single-use cryptographic tokens with a 30-minute expiry. Tokens are invalidated immediately after use and cannot be reused.
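As an added illustration (not ThoughtPilot's own code), here is how a single-use reset token with a 30-minute expiry can be issued and consumed. The in-memory store, the choice to keep only a SHA-256 hash of the token in storage, and the function names are assumptions.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

RESET_TOKEN_TTL = timedelta(minutes=30)  # expiry window stated on the page


class ResetTokenStore:
    """Stand-in for the database table holding reset tokens (assumed design).

    Only the SHA-256 of each token is stored, so reading the table alone
    does not yield a usable reset link; the plaintext token exists only in
    the emailed URL.
    """

    def __init__(self):
        # token_hash -> {"user_id": ..., "expires_at": ..., "used": bool}
        self._rows = {}

    @staticmethod
    def _hash(token):
        return hashlib.sha256(token.encode("ascii")).hexdigest()

    def issue(self, user_id, now=None):
        """Create a fresh token for user_id and return the plaintext to email."""
        now = now or datetime.now(timezone.utc)
        # Any earlier unused token for this user is retired, so only the
        # newest link works (assumed policy, keeps the attack window small).
        for row in self._rows.values():
            if row["user_id"] == user_id:
                row["used"] = True
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._rows[self._hash(token)] = {
            "user_id": user_id,
            "expires_at": now + RESET_TOKEN_TTL,
            "used": False,
        }
        return token

    def consume(self, token, now=None):
        """Return the user_id if the token is valid, otherwise None.

        The row is marked used before returning, so a second request with
        the same link (or a replay after the first succeeded) is rejected.
        """
        now = now or datetime.now(timezone.utc)
        row = self._rows.get(self._hash(token))
        if row is None or row["used"] or now >= row["expires_at"]:
            return None
        row["used"] = True
        return row["user_id"]
```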

Infrastructure

ThoughtPilot runs on the following managed infrastructure providers, each with their own security certifications:

Data Isolation

All database queries are parameterised to prevent SQL injection. User data is isolated by user_id on every query — you cannot access another user's data. The main app and Career Suite share the same backend but maintain separate usage quotas and access controls.

What We Don't Do

Incident Response

In the event of a security incident that affects your data, we will notify you by email within 72 hours of becoming aware of it, in accordance with applicable data protection laws. Notifications will be sent to the email address on your account.

Responsible Disclosure

If you discover a security vulnerability in ThoughtPilot, we ask that you report it to us privately before making it public. Please email security@thoughtpilotai.com with a description of the issue and steps to reproduce it.

We commit to: acknowledging your report within 48 hours, keeping you informed of our progress, and not taking legal action against researchers who report in good faith. We do not currently operate a paid bug bounty programme, but we will acknowledge your contribution publicly if you wish.

Contact

Security reports: security@thoughtpilotai.com
General enquiries: hello@thoughtpilotai.com