Security
Effective Date: 25 August 2025
ABN: 49595724389 — Trading as Job Easy
Job Easy protects your data with layered controls across infrastructure, application and process. This page provides an overview of our current practices and roadmap. For questions, reach our security team at security@jobeasy.com.au.
1. Infrastructure & Data Residency
- Hosting: Vercel (Sydney), Neon PostgreSQL (Sydney), Fly.io (Sydney).
- AI processing: OpenAI (used to provide responses from “Joe”).
- Residency: We target Sydney-only hosting for platform services. Sub‑processors may process limited metadata as per their policies.
- Isolation: Multi‑tenant architecture with authentication required to access user data (chats, users, messages).
2. Data Protection
- In transit: TLS (via Fly.io and upstream providers) for all client ↔ server and service‑to‑service traffic where supported.
- At rest: AES‑256 encryption on database storage for private data. Passwords are hashed and salted using industry‑standard algorithms; we never store plaintext passwords.
- Secrets management: Managed via Vercel & Fly.io encrypted secrets.
- Rate limiting: 10 requests per second baseline, with additional adaptive protections against abuse.
3. Access Controls & Identity
- RBAC: Business owners can invite/remove users and manage roles to control access.
- Authentication: Local email/password (with optional 2FA) and OAuth via Facebook, Google, Microsoft and Apple.
- Least privilege: Internal access to production systems is restricted and audited.
4. Application Security
- Secure development lifecycle with code review and dependency monitoring.
- Secrets are not committed to source control and are rotated when required.
- Abuse protections: rate‑limits, input validation, session management and anomaly detection.
5. Backups & Disaster Recovery
We design for resilience with clear recovery objectives:
- RPO (Recovery Point Objective)
  - Database (Neon): ≤ 1 hour via Point‑in‑Time Recovery (PITR) and hourly snapshots.
  - File storage (R2): 24 hours via daily snapshots with versioning.
- RTO (Recovery Time Objective)
  - Application (Vercel / Fly.io): ≤ 2 hours (redeployable via CI).
  - Database restore: ≤ 1 hour.
  - File restore: ≤ 4 hours.
Backups
- Database (Neon PostgreSQL): PITR enabled; keep hourly snapshots for 7 days and daily snapshots for 30 days.
- File storage (R2): Versioning enabled; daily snapshots retained for 30 days.
- Infrastructure (Vercel, Fly.io): Redeployable via GitHub/CI for rapid recovery.
6. Logging & Monitoring
Operational and security events are logged to support auditability and incident response:
- Authentication & Access: Sign‑ins/outs (success/failure), password resets, token lifecycle, role/permission changes.
- API & Requests: Path, method, status, latency; user/business IDs where applicable; rate‑limit rejections; error traces (secrets masked); Stripe webhook activity.
- Business Operations: CRUD for jobs, invoices, quotes, clients, products/services; exports/downloads; shared links (with expiry).
- Data Security: File uploads/downloads; chat sessions created/cleared/deleted; admin actions; suspicious activity (e.g., failed logins).
- System Health: Server errors, DB failures/slow queries, background job queues, and third‑party API failures (Stripe, Fly.io, Neon, Vercel, Google Analytics).
7. Incident Response & Status
We maintain an incident response process to triage, mitigate and communicate issues. We notify affected customers promptly in line with legal obligations and the nature of the incident, and publish updates at status.jobeasy.com.au.
8. Vulnerability Management
- Continuous dependency monitoring and patching cadence for security updates.
- Formal external penetration testing is planned; summary reports will be available under NDA when complete.
9. Compliance
Job Easy aligns its controls with recognised frameworks and leverages certified sub‑processors. Our hosting and payment providers maintain certifications and/or compliance programs (e.g., SOC 2, ISO 27001, PCI DSS, GDPR, Data Privacy Framework). Stripe handles card data under PCI DSS. We will provide additional details or reports (where available) under NDA upon request.
10. Sub‑processors
- Vercel — hosting & edge network
- Neon — managed PostgreSQL
- Fly.io — networking/TLS & services
- OpenAI — AI model processing
- Stripe — payments
- Google Analytics — analytics
- Cloudflare R2 — file storage & backups
11. Responsible Disclosure
We welcome reports from security researchers and the community. If you believe you've found a vulnerability, please email security@jobeasy.com.au with details and steps to reproduce. We operate a good‑faith, no‑penalty approach to vulnerability disclosure ("safe harbor"). Please avoid data exfiltration or service disruption, and allow reasonable time for remediation before public disclosure.
A formal bug bounty program is planned; details will be published on this page when available.
12. Contact
- Security team: security@jobeasy.com.au
- Status page: status.jobeasy.com.au
This page is for informational purposes and may be updated as our security program evolves.