Security posture

We treat candidate, employer and recruiter data as protected by default. Everything below is enforced — not aspirational.

Encryption in transit & at rest

TLS 1.2+ on every request. Database storage encrypted with AES-256. CVs and documents stored in isolated buckets.

Identity & access

Passwords hashed with bcrypt. Optional Google sign-in. Role-based access (candidate, recruiter, administrator).

Zambian data residency

Primary database and storage hosted in Zambian-controlled infrastructure. No raw PII leaves the region.

Row-level security

Every table enforces row-level policies scoped to the authenticated user — admins are the only exception, and we audit them.

Automated backups

Daily snapshots with point-in-time recovery for the last 7 days.

Incident response

We disclose material incidents to affected accounts within 72 hours, stating what happened, what data was touched, and what we did.

Report a vulnerability

Found something? Email security@fortresszm.com. We respond within one business day, and we don't pursue legal action against good-faith researchers.