Security

Authentication

Unlisted uses passwordless magic link authentication. We never store passwords. Each sign-in generates a unique, time-limited token (expires in 15 minutes) sent to your email. Sessions last up to 30 days, expire automatically, and can be cleared on the current device by signing out.

Data encryption

All data is encrypted in transit using TLS 1.2+. Data at rest is encrypted by our infrastructure provider (Convex) using AES-256 encryption. Magic link tokens are generated using cryptographically secure random bytes with one-time-use enforcement.

Resume handling

When you upload a resume, it is parsed by AI to extract structured data (skills, experience, education, preferences). The parsed data is stored to power your job matches. Your original PDF is processed in memory and is not permanently stored after parsing is complete.

Infrastructure

• Convex - our backend runs on Convex's managed infrastructure with automatic backups, point-in-time recovery, and SOC 2 compliance.
• Railway - our frontend is deployed on Railway with automatic TLS certificates and isolated build environments.
• Resend - email delivery uses Resend's infrastructure with DKIM, SPF, and DMARC authentication.

Access control

All API endpoints that access user data require a valid session token. Internal functions are isolated and cannot be called from the client. Email unsubscribe uses unique per-user tokens that only grant write access to email preferences.

Third-party data sharing

Your resume data is sent to Google Gemini for AI parsing and job ranking. Your search queries (not your resume) are sent to Firecrawl for job discovery. We do not sell or share your data with advertisers or data brokers.

Reporting vulnerabilities

If you discover a security issue, please report it to [email protected]. We take all reports seriously and will respond within 48 hours.