Enterprise-Grade Security for Your Career.
Your career data is among the most sensitive information you share online. We take that responsibility seriously — with bank-grade encryption, continuous monitoring, and zero-tolerance fraud prevention.
Security Architecture
Six layers of protection — from the infrastructure we run on to how individual user sessions are managed.
Data Encryption
- AES-256 encryption for all data at rest
- TLS 1.3 for all data in transit
- Database-level column encryption for PII fields
- End-to-end encryption for direct messages
- Encrypted backups with geo-redundancy
Authentication & Access
- Secure password hashing with bcrypt (cost factor 12)
- Multi-factor authentication (MFA) available
- Session tokens expire after 30 days of inactivity
- OAuth 2.0 for third-party sign-in (if used)
- Account lockout after 5 failed login attempts
Infrastructure Security
- Hosted on enterprise cloud with SOC 2 Type II infrastructure
- Network segmentation and private VPC configuration
- Automated vulnerability scanning on every deploy
- Web Application Firewall (WAF) in front of all endpoints
- DDoS protection at the network and application layer
Monitoring & Detection
- 24/7 automated anomaly detection and alerting
- Real-time intrusion detection system (IDS)
- Full audit logging for all admin and data access events
- Continuous uptime monitoring with 99.9% SLA target
- Security event correlation and SIEM integration
Employer Verification
- Company identity verified via Companies House API (UK)
- Domain email ownership verification required
- Manual review of all first listings from new employers
- Ongoing fraud signal monitoring on employer accounts
- Verified badge system with revocation capability
Data Management
- Data minimisation — only necessary data is collected
- Automated deletion pipelines for expired data
- User-controlled export and deletion at any time
- Separate data environments for staging and production
- No third-party data sale or broker agreements
Account Safety
Tools and controls available to every BaobabPact user.
Login Alerts
Receive an email notification every time your account is accessed from a new device or location.
Strong Password Requirements
We enforce minimum 12-character passwords with mixed case, numbers, and symbols. Pwned password detection via HaveIBeenPwned.
Session Management
Review and terminate active sessions at any time from your account settings. Sessions automatically expire after inactivity.
MFA Protection
Enable multi-factor authentication via authenticator app for an additional layer of login protection.
Incident Response Protocol
If something goes wrong, this is how we respond — with speed, transparency, and accountability.
Detection
Automated systems detect anomalous activity or a report is submitted.
Triage
Security team assesses severity, scope, and containment requirements.
Containment
Incident is contained. Affected systems isolated if necessary.
Resolution
Root cause identified and remediation deployed to production.
Notification
Affected users notified by email per GDPR Article 33 requirements.
Post-mortem
Public or private post-mortem published with lessons learned.
Responsible Disclosure
We believe in working collaboratively with the security community. If you discover a vulnerability in BaobabPact, please report it to us responsibly before public disclosure. We commit to:
- Acknowledge your report within 24 hours
- Keep you informed of investigation progress
- Credit you in our security changelog (with your permission)
- Not pursue legal action for good-faith security research
Security FAQ
Questions about security?
Our security team responds within 1 business hour for critical reports, 1 day for general queries.