Security

Your password is never stored in plain text. We use bcrypt hashing with a high work factor — even our team cannot see your password. If you forget it, it cannot be retrieved — only reset.

Every new account requires email verification via a one-time password (OTP) sent to your inbox. OTPs expire after a short window and can only be used once, preventing replay attacks.

Sessions are managed using signed JWT tokens. Tokens are short-lived and stateless — they cannot be forged without our secret key. We do not store sessions in the database.

All uploaded files — including resumes — are stored in Cloudflare R2, which provides encryption at rest and secure access controls. Files are accessed via signed, time-limited URLs and are never publicly browsable.

All communication between your browser and IntroSpace is encrypted using TLS (HTTPS). We do not serve any content over unencrypted HTTP.

Resumes are processed using Google Gemini AI for profile generation. Data sent to Gemini is used solely for processing your resume — it is not used to train AI models. Processed data is stored securely in our database and is not shared with third parties.

After repeated failed login attempts, accounts are temporarily locked to prevent brute-force attacks. You will be notified by email when this occurs.

We do not sell, rent, or trade your personal data to any third party for advertising or commercial purposes. Period.

If you discover a security vulnerability in IntroSpace, please report it responsibly before making it public. Email us at admin@nexaur-ai.com with details of the issue. We will respond within 48 hours and work to resolve confirmed vulnerabilities promptly.

We appreciate responsible researchers and will credit those who report valid issues.

For security concerns or questions:

Thomji Group LLC
State of Delaware, USA
admin@nexaur-ai.com