Trust Centre

Security at OpenRole

You're trusting us with your employer brand data. We take that seriously. Here's exactly how we protect it.

Infrastructure

Built on providers with independently verified security certifications.

Vercel

Application hosting & edge network

  • SOC 2 Type II certified
  • ISO 27001 certified
  • GDPR compliant
  • Automatic DDoS protection

Supabase

Database & authentication

  • SOC 2 Type II certified
  • HIPAA available
  • EU data residency (London region)
  • Row Level Security enforced

Encryption

Your data is encrypted everywhere — in transit and at rest.

In transit

All connections use TLS 1.3. We enforce HSTS with a one-year max-age across all subdomains.

At rest

Database encrypted with AES-256. Backups encrypted with separate keys. Point-in-time recovery enabled.

API keys

Hashed with SHA-256 before storage. Only the key prefix is stored in plaintext for identification. Keys are never logged or exposed in responses.

The OpenRole Pixel

When you add our pixel to your careers page, here's exactly what it does — and what it doesn't.

What the pixel does

  • Serves structured employer data (JSON-LD) to AI crawlers
  • Communicates only with OpenRole API endpoints
  • Includes Subresource Integrity (SRI) hash for tamper detection
  • Loads asynchronously — zero impact on page performance
  • Source code is fully inspectable

What the pixel never does

  • Sets cookies or uses local storage
  • Tracks visitors or collects personal data
  • Makes requests to third-party domains
  • Modifies your visible page content or layout
  • Loads external dependencies

Verify it yourself. Every version of the pixel includes an SRI hash. You can verify the script hasn't been modified by checking the integrity attribute in your embed code against our integrity endpoint.

Technical Details

For security teams reviewing the pixel's DOM interactions:

JSON-LD injection

The pixel fetches structured employer data from the OpenRole API and inserts a single <script type="application/ld+json"> element into the page head. JSON-LD is inert data — it cannot execute code. Content is serialised with JSON.stringify to prevent injection.

History API wrapping

On single-page applications, the pixel wraps history.pushState and history.replaceState to detect client-side navigation events. This ensures the JSON-LD data is re-injected after SPA route changes. The original History API methods are preserved and called transparently.

MutationObserver

A MutationObserver watches for DOM changes that might remove the injected JSON-LD element (e.g. framework re-renders). If the element is removed, the pixel re-injects it. The observer only monitors the document head, not the page body.

Polling fallback

For browsers that do not support MutationObserver, a setInterval fallback checks periodically (every 5 seconds) whether the JSON-LD element is still present. This is the only timer the pixel sets.
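The four mechanisms above (JSON-LD injection, History API wrapping, MutationObserver, polling fallback) as one added example. This is not the OpenRole pixel source; it models the described behaviour in a form that also runs under Node.js against a constructed stand-in for document and history. The element id, the data shape, the helper names and the 5-second interval are assumptions for illustration. It goes one step beyond the text by escaping "<" in the serialised JSON, since JSON.stringify alone leaves a "</script>" sequence inside a data value intact.

```javascript
// Added example, not OpenRole's pixel. Names, element id and data shape are assumed.
const JSON_LD_ID = "openrole-jsonld"; // assumed id used to find the element again
const POLL_MS = 5000;                 // polling fallback interval from the text

// JSON.stringify yields valid JSON but does not escape "<", so a value such as
// "</script>" would end the element early. \u003c is still valid JSON.
function serializeJsonLd(data) {
  return JSON.stringify(data).replace(/</g, "\\u003c");
}

// Insert (or refresh) the single application/ld+json element in <head>.
function injectJsonLd(doc, data) {
  let el = doc.getElementById(JSON_LD_ID);
  if (!el) {
    el = doc.createElement("script");
    el.type = "application/ld+json";
    el.id = JSON_LD_ID;
    doc.head.appendChild(el);
  }
  el.textContent = serializeJsonLd(data);
  return el;
}

// Wrap pushState/replaceState: the originals are preserved and called first,
// then the callback runs so JSON-LD can be re-injected after an SPA route change.
function wrapHistory(hist, onNavigate) {
  for (const name of ["pushState", "replaceState"]) {
    const original = hist[name];
    hist[name] = function (...args) {
      const result = original.apply(this, args);
      onNavigate(name);
      return result;
    };
  }
}

// Re-inject if a framework re-render removes the element. Prefer a
// MutationObserver scoped to <head>; otherwise set exactly one interval timer.
function keepAlive(doc, data, env) {
  const ensure = () => { if (!doc.getElementById(JSON_LD_ID)) injectJsonLd(doc, data); };
  if (typeof env.MutationObserver === "function") {
    const observer = new env.MutationObserver(ensure);
    observer.observe(doc.head, { childList: true });
    return { mode: "observer", stop: () => observer.disconnect() };
  }
  const timer = env.setInterval(ensure, POLL_MS);
  return { mode: "poll", stop: () => env.clearInterval(timer) };
}

// Constructed stand-in for the browser objects, for running outside a browser.
function makeFakeDoc() {
  const head = { children: [], appendChild(el) { head.children.push(el); } };
  return {
    head,
    getElementById: (id) => head.children.find((e) => e.id === id) || null,
    createElement: (tag) => ({ tagName: tag, id: "", type: "", textContent: "" }),
  };
}

// In a real page: install against document, history and window.
if (typeof document !== "undefined" && typeof history !== "undefined") {
  const data = { "@context": "https://schema.org", "@type": "Organization", name: "Example" };
  injectJsonLd(document, data);
  wrapHistory(history, () => injectJsonLd(document, data));
  keepAlive(document, data, window);
}
```

Reviewers can check three properties against this model: the observer is attached to head only, the original History methods are still invoked with the caller's arguments, and the fallback path creates a single timer.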

Access Control

Strict boundaries on who can access what.

Row Level Security

Every database query is filtered at the database level. API key holders can only access their own company data. No application-level bypass is possible.

API key management

Keys support rotation with a 24-hour grace period. Old keys expire automatically. Key usage is logged for audit trails.

Request signing

Pixel-to-API communication uses HMAC-SHA256 request signing with timestamp validation, preventing replay attacks and request tampering.

Rate limiting

All API endpoints enforce per-IP rate limits. Audit endpoints have stricter limits to prevent abuse. Exceeding a limit returns HTTP 429 with a Retry-After header.
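An added example (not OpenRole's code) of the behaviour described above: a per-IP sliding-window limiter with a stricter bucket for audit routes that answers 429 with a Retry-After header computed from the oldest request still inside the window. The limit values, route prefix and clock injection are assumptions for illustration.

```javascript
// Added example, not OpenRole's code. Limits and the audit route prefix are assumed.
const LIMITS = {
  default: { max: 60, windowMs: 60000 },
  audit: { max: 10, windowMs: 60000 },   // stricter bucket for audit endpoints
};

class RateLimiter {
  constructor(limits = LIMITS) {
    this.limits = limits;
    this.hits = new Map(); // "ip|bucket" -> ascending request timestamps (ms)
  }

  // Returns { status: 200 } or { status: 429, headers: { "Retry-After": seconds } }.
  // nowMs is injected so the logic is testable without a real clock.
  check(ip, route, nowMs) {
    const bucket = route.startsWith("/v1/audit") ? "audit" : "default";
    const limit = this.limits[bucket];
    const key = ip + "|" + bucket;
    // Drop timestamps that have aged out of the window.
    const recent = (this.hits.get(key) || []).filter((t) => nowMs - t < limit.windowMs);
    if (recent.length >= limit.max) {
      this.hits.set(key, recent);
      const waitMs = recent[0] + limit.windowMs - nowMs;
      return { status: 429, headers: { "Retry-After": String(Math.max(1, Math.ceil(waitMs / 1000))) } };
    }
    recent.push(nowMs);
    this.hits.set(key, recent);
    return { status: 200 };
  }
}
```

Keying on ip|bucket means an IP that has exhausted the audit bucket can still reach other endpoints, which matches "stricter limits" on audit routes rather than a global cut-off.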

Compliance

Meeting the standards your legal and procurement teams require.

GDPR

EU data protection compliant. Data Processing Agreement available on request.

SOC 2

Built on SOC 2 Type II certified infrastructure. Own certification in progress.

UK DPA

UK Data Protection Act 2018 compliant. EU-adequate data handling standards.

Data Handling

Clear rules on what we collect, where it lives, and how long we keep it.

Data type               | Purpose                   | Retention
Company name & domain   | Audit identification      | While account active
Audit results & scores  | Report generation         | 12 months from audit
Work email address      | Audit delivery & account  | Until deletion requested
Pixel analytics         | AI visibility metrics     | 90-day rolling window
API logs                | Security & debugging      | 30 days

We never sell your data. We never share it with third parties for marketing. Full deletion available within 48 hours of request.

Responsible Disclosure

Found a security issue? We want to hear about it.

Email security@openrole.co.uk with details of the vulnerability. We commit to acknowledging reports within 24 hours, providing an initial assessment within 72 hours, and keeping you informed of our remediation progress. We will not take legal action against researchers acting in good faith.

Questions about security?

We're happy to discuss our security practices, provide additional documentation, or arrange a call with our team.