Your Data, Protected
Your resume contains your personal information, employment history, and career details — sensitive data that deserves serious protection. Here is exactly how we keep it safe.
Security in depth
Security is not a single feature — it is a stack of overlapping controls. Here is every layer of protection Krokanti CV Builder applies to your data.
Encryption In Transit and At Rest
All data transmitted between your browser and Krokanti servers is protected by TLS 1.3. Your resume content, personal information, and account data are encrypted at rest in our Neon Postgres database hosted on secure cloud infrastructure. We never store sensitive data in plain text.
- TLS 1.3 for all HTTP connections
- Encrypted database storage via Neon Postgres
- HTTPS enforced — HTTP connections are automatically redirected
- Cloudflare R2 for encrypted file storage (profile images, attachments)
Two-Factor Authentication (2FA)
Protect your account with time-based one-time passwords (TOTP). Once enabled, logging in requires both your password and a 6-digit code from an authenticator app such as Google Authenticator, Authy, or 1Password. Backup codes are generated on setup and can be used if you lose access to your device.
- TOTP-based 2FA (RFC 6238 compliant)
- Compatible with any TOTP app (Google Authenticator, Authy, 1Password, Bitwarden)
- 8 one-time backup codes generated on enrollment
- Account recovery flow for lost devices
OAuth — No Passwords Stored for Social Login
Sign in with Google or GitHub and Krokanti never receives or stores your password. OAuth authentication delegates credential handling entirely to Google and GitHub — we only receive a verified identity token. If you use social login, there is no Krokanti-held password to compromise.
- Google OAuth 2.0 and GitHub OAuth supported
- Zero passwords stored for OAuth users
- JWT session tokens (7-day expiry, HTTP-only cookies)
- Credentials-based accounts use bcrypt hashing (12 rounds)
GDPR Compliance
Krokanti is fully compliant with the EU General Data Protection Regulation (GDPR). You have the right to access all data we hold about you, export it in a machine-readable format, and request complete deletion of your account and all associated data. We never sell your personal data to third parties.
- Data export: download all your account data and resumes as JSON
- Right to erasure: delete your account and all data instantly from Settings > Data
- Data minimization: we only collect what is necessary to provide the service
- No data sold to third parties — ever
- Cookie consent management on first visit
Security Audit Logging
Every security-relevant action in your account is logged — logins, password changes, 2FA enrollment, API token creation, and data exports. The audit log is available in your account settings so you can review recent activity and detect unauthorized access immediately.
- Login attempts (successful and failed) logged with IP and timestamp
- Password changes, 2FA enable/disable, and recovery code use logged
- API token creation and revocation logged
- Data export and deletion requests logged
- Accessible from Settings > Security > Audit Log
API Token Security
Developer API tokens use the `kcv_` prefix for easy identification and are stored as SHA-256 hashes — we never store the raw token value. Tokens are only shown once at creation time. If compromised, revoke instantly from the API Tokens section in Settings. Each token can be scoped to specific permissions.
- SHA-256 hashing — raw token values are never stored
- Tokens displayed only once at creation; cannot be retrieved later
- Instant revocation from Settings > API Tokens
- Rate limiting: 100 requests/minute per token
- `kcv_` prefix for easy identification in logs and code reviews
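The storage scheme described above, as an added example (not Krokanti's code): a token is issued with the `kcv_` prefix, only its SHA-256 digest is kept, and verification re-hashes what the client presents. The `TokenStore` class, the token IDs, and the scope names are assumptions made for illustration; an in-memory dict stands in for the database table.

```python
import hashlib
import secrets

PREFIX = "kcv_"  # prefix named on the page


class TokenStore:
    """Hypothetical in-memory stand-in for an API-token table."""

    def __init__(self):
        # SHA-256 hex digest -> row; the raw token is never a key or a value
        self._rows = {}

    @staticmethod
    def _digest(raw):
        return hashlib.sha256(raw.encode("utf-8")).hexdigest()

    def issue(self, scopes):
        # 32 random bytes: the token's own entropy is what makes a fast,
        # unsalted hash acceptable here (unlike for human-chosen passwords)
        raw = PREFIX + secrets.token_urlsafe(32)
        token_id = secrets.token_hex(8)  # non-secret handle used for revocation
        self._rows[self._digest(raw)] = {
            "id": token_id,
            "scopes": frozenset(scopes),
            "revoked": False,
        }
        return token_id, raw  # raw is returned once and cannot be recovered later

    def verify(self, presented, required_scope):
        # Cheap format check first, then look the digest up; fail closed
        if not presented.startswith(PREFIX):
            return False
        row = self._rows.get(self._digest(presented))
        if row is None or row["revoked"]:
            return False
        return required_scope in row["scopes"]

    def revoke(self, token_id):
        # Revocation works on the handle because the server holds no raw token
        for row in self._rows.values():
            if row["id"] == token_id:
                row["revoked"] = True
                return True
        return False


if __name__ == "__main__":
    store = TokenStore()
    tid, raw = store.issue({"resumes:read"})  # scope name is constructed
    print(store.verify(raw, "resumes:read"), store.verify(raw, "resumes:write"))
    store.revoke(tid)
    print(store.verify(raw, "resumes:read"))
```

Because the lookup is by digest, a leaked copy of the table does not yield usable tokens, and a lost token can only be replaced, not retrieved.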
Infrastructure Security
Krokanti runs on Vercel's edge network with automatic DDoS protection and global CDN distribution. The database runs on Neon Postgres — a serverless, autoscaling PostgreSQL provider with automatic backups and point-in-time recovery. No single point of failure.
- Vercel edge network with DDoS protection
- Neon Postgres with daily automated backups
- Point-in-time recovery (PITR) available
- Environment secrets managed via Vercel encrypted environment variables
- Zero-trust access: production DB credentials never exposed in code
Privacy Controls
Every resume you create is private by default. You control which resumes are publicly accessible via a shareable URL and which remain visible only to you. Public resumes can be toggled to private at any time, which immediately removes them from the public viewer.
- All resumes private by default
- Toggle public/private per resume in Settings
- Public resumes accessible only at the specific URL — not indexed unless you choose
- Analytics for public resumes are privacy-friendly (no PII stored for viewers)
- Delete a public resume to immediately revoke all access
Our principles
Beyond technical controls, these are the values that guide every decision we make about your data.
Minimal data collection
We collect only what is necessary to provide the service. Your resume content is yours — we do not analyze it for advertising or sell it to anyone.
No third-party tracking
We use Vercel Analytics (privacy-friendly, no cookies) and Google Analytics (opt-in). No Facebook Pixel, no LinkedIn Insight Tag, no ad networks.
Responsible disclosure
Found a security issue? Email security@krokanti.com. We aim to respond within 24 hours and patch critical issues within 72 hours.
Your GDPR rights
If you are in the European Union or European Economic Area, you have specific rights under GDPR regarding your personal data. We have built tools directly into your account to exercise these rights without contacting support.
Read our GDPR documentation
Right to access
Settings > Data > Export your data
Right to erasure
Settings > Data > Delete account
Right to portability
Export all data as JSON from Settings
Right to rectification
Edit any information directly in the app
Right to object to processing
Contact privacy@krokanti.com
Responsible disclosure
Found a security vulnerability? We take all reports seriously and aim to respond within 24 hours. security@krokanti.com
Build your resume with confidence
Your career data is in safe hands. Start building your professional resume today — free, secure, and without compromise.