WorkPair® is built with institutional-grade security and compliance for schools, universities, government agencies, and enterprises.
All data stored in Neon PostgreSQL with AES-256 encryption at rest. Database connections use TLS 1.3.
All traffic served over HTTPS with TLS 1.3. HSTS enforced. API communications encrypted end-to-end.
Primary data stored in US-East (AWS us-east-1 via Neon). Vercel edge network for global CDN delivery.
We collect only data necessary for professional identity verification. No biometric data stored on our servers — identity verification handled by our certified third-party KYC/KYB verification partner (SOC 2 Type II certified).
Active account data retained indefinitely while account is active. Deleted accounts purged within 30 days. Audit logs retained for 7 years per compliance requirements.
Members can request complete data deletion via account settings. Institutional data deletion follows the institutional agreement terms.
WorkPair operates as a school official with legitimate educational interest under FERPA. Student education records are protected and only shared with explicit consent.
All third-party access to member data requires prior explicit consent from the member. No data is shared without opt-in approval recorded in our consent management system.
Parents/guardians of students under 18 can manage their child's account through the Family Accounts system, with full visibility and control over their child's verified data.
Institutions control which information is designated as directory information. Non-directory information is never disclosed without consent.
Every data access, verification, and modification is logged with timestamp, actor identity, and action type. Compliance reports available for institutional administrators.
NextAuth.js with secure session management. API access via cryptographically generated Bearer tokens (wp_* format, 256-bit entropy).
Role-based access control (RBAC) with five institutional roles: Owner, HR Admin, Campus Admin, Department Head, Viewer. Each role has granular permissions.
All public-facing endpoints rate-limited via Upstash Redis. API keys limited to 100 calls/day. Authentication endpoints have stricter limits.
All user input validated and sanitized at the API layer. Prisma ORM provides parameterized queries preventing SQL injection.
X-Frame-Options: DENY, X-Content-Type-Options: nosniff, Referrer-Policy: strict-origin-when-cross-origin, Permissions-Policy restricting camera/microphone/geolocation.
Automated dependency scanning. Production dependencies minimized. No client-side secrets — all sensitive operations server-side.
Vercel Edge Network — globally distributed, automatic scaling, zero-downtime deployments. SOC 2 Type II certified infrastructure.
Neon PostgreSQL — serverless, auto-scaling, with point-in-time recovery. SOC 2 Type II certified. Automatic failover and connection pooling.
Vercel Blob Storage for uploaded files — encrypted, CDN-distributed, with access controls.
Stripe — PCI DSS Level 1 certified. No card data touches WorkPair servers. All payment flows handled via Stripe Elements.
SOC 2 Type II certified third-party KYC/KYB verification provider. Government ID verification with liveness detection across 200+ countries. WorkPair never stores raw ID documents.
Resend — transactional email delivery with SPF, DKIM, and DMARC authentication.
Every member receives a unique, immutable WorkPair ID — a persistent verified identifier that follows them across institutions and career transitions.
Members are verified by institutions (employers, universities, government agencies) — not self-reported. Verification status is cryptographically linked to the issuing institution.
Credentials are posted by institutions directly to member profiles. Each credential carries a verification status, issuing institution, and timestamp. Exported credentials include a SHA-256 integrity hash.
Skill endorsements are exclusively from verified institutions — never from peers. This ensures endorsement integrity that LinkedIn fundamentally cannot provide.
Background checks and API data access require explicit member consent per organization. Consent can be granted and revoked at any time.
All API calls authenticated via Bearer tokens. API keys are 256-bit cryptographically generated strings with wp_ prefix.
Every data-returning API call checks the member's consent record for the requesting organization. No consent = 403 Forbidden.
100 calls per day per API key. Background check endpoints additionally rate-limited per subject.
API responses never expose internal identifiers (accountTier, trustScore). Tiered access controls what data is returned (Basic/Standard/Premium).
Every API call logged with: API key ID, subject user ID, tier requested, cost, HTTP response code, and timestamp.
Maximum 5 keys per account. Keys can be deactivated instantly. Admin dashboard provides full visibility into all API usage.
Members can export their complete verified profile as a branded PDF document with QR code verification link and SHA-256 integrity hash.
Each exported document contains a QR code linking to the member's live WorkPair profile, enabling instant verification of any printed credential.
Exported documents include a cryptographic hash computed from the member's credential data. Any modification to the underlying data changes the hash, so tampering is detected when the hash is recomputed from the live profile.
All member data accessible programmatically via the WorkPair API, enabling integration with existing HR systems, ATS platforms, and background check providers.
For security questionnaires, compliance audits, procurement documentation, or enterprise agreements, contact our team.
compliance@workpair.io