Security & data
Where your data lives, who can see it, and what we promise never to do with it.
What we hold
- Your account: email, name, language preference
- Your master CV materials and past letter samples (the source of every draft)
- Your applications: postings, scores, drafts, sent versions, replies
- Your diary: a per-user log of what you’ve tried
- Your calendar events, if you connect a calendar
That’s the list. We don’t ingest anything beyond it.
Where it lives
Three hosts in the EEA, forming a single distributed YugabyteDB cluster with replication factor 3 (RF=3 quorum):
- Norway #1 — primary (gigahost.no AS, host notrf01dmz01). Active during normal operation.
- Norway #2 — primary (gigahost.no AS, host notrf01dmz02). Active during normal operation.
- Netherlands — Leiden DMZ witness (operator-managed infrastructure, host nllei01dmz01). Quorum witness in the cluster.
Your data is replicated synchronously across the three hosts so we can survive a single-host outage without losing anything.
Storage path is EEA-only. No user data is persisted on US-based hosting or in US-based data warehouses. The application database, vector store, audit log, and backups all live within the EEA (gigahost.no Norway + operator-managed Leiden NL).
Edge / network-routing path is EEA + Switzerland only. TLS termination is performed by HAProxy on a two-VPS anycast pool — Switzerland (Zürich, iFog GmbH) and Norway (Trondheim, gigahost.no AS). These nodes see in-flight customer traffic for the duration of a single TLS connection only; they persist no data. The Norway leg is intra-EEA; the Swiss leg relies on the Switzerland adequacy decision (Commission Decision 2000/518/EC). No SCCs are required.
We do not route customer traffic through any US POP. There is no US storage or processing of any data, including LinkedIn-imported fields.
Sub-processors (companies whose code touches your data)
- Anthropic — runs the Claude models that produce drafts. Configured for EU residency where available. Trained-on-data prohibition contractually in place.
- Stripe — runs the payment processor. Ireland-based; only sees billing-related data, never your CVs or applications.
- Cloudflare — handles the redirect-only domains (omoikane.nl, omoikane.tech, omoikane.careers, omoikane.gr) and DNS. The customer surface (omoikane.coach) bypasses Cloudflare’s proxy and resolves directly.
- gigahost.no AS (Norway) — application-server hosting (notrf01dmz0{1,2}) AND the Norway edge anycast VPS (Trondheim).
- iFog GmbH (Switzerland) — Switzerland edge anycast VPS (Zürich); TLS termination only, no data at rest.
- The Leiden YugabyteDB witness host (nllei01dmz01) runs on operator-managed first-party infrastructure — not a sub-processor.
- No analytics. No advertising platforms. No “AI training partners”. No third-party JavaScript on omoikane.coach.
The full register, with current status of each, is at Sub-processors.
What we promise never to do
- Train any model — ours or anyone else’s — on your data
- Sell, share, or expose your data to recruiters
- Run third-party trackers, analytics, or advertising on the customer surface
- Use your data for marketing personalisation
- Use your data to evaluate other users
- Store your data outside the EEA
These commitments are in our Terms and our Privacy Policy and they’re load-bearing — if any of them ever changed, we’d lose every reason this product is worth using.
Data export and deletion
Two endpoints, accessible from your account settings:
- Export — produces a zip of everything we hold about you (JSON + uploaded files + generated PDFs + diary). Emailed to your registered address. Sent within 24 hours.
- Delete — wipes your account, with cascade through every backing system (database + vector store + LLM trace store + object storage + audit log). Irreversible. Completed within 7 days, per GDPR.
You don’t need to ask permission, write to us, or wait for review. Settings → Account → Export / Delete.
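The deletion cascade described above has one failure mode worth showing: if one backing system is unavailable at deletion time, the request must neither abort early (leaving data in the other systems) nor report success. The following is an added illustration, not omoikane.coach's own code; the in-memory Store objects stand in for the five systems the page lists, and their names, the purge order and the report format are assumptions made for this example.

```python
"""Cascade account deletion across every backing system.

Added example, not omoikane.coach's own code. The in-memory Store objects
stand in for the systems the page lists (database, vector store, LLM trace
store, object storage, audit log); their names, the order in which they
are purged and the report format are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class Store:
    """One backing system, keyed by user id. `fail_on` simulates an outage
    for the named users so partial-failure handling can be exercised."""
    name: str
    rows: dict = field(default_factory=dict)
    fail_on: set = field(default_factory=set)

    def delete_user(self, user_id: str) -> int:
        """Remove every row for the user; returns the count (0 if none)."""
        if user_id in self.fail_on:
            raise RuntimeError(f"{self.name} unavailable")
        return len(self.rows.pop(user_id, []))

    def has_user(self, user_id: str) -> bool:
        return user_id in self.rows


@dataclass
class DeletionReport:
    user_id: str
    deleted: dict = field(default_factory=dict)   # store name -> rows removed
    failed: dict = field(default_factory=dict)    # store name -> error text

    @property
    def complete(self) -> bool:
        return not self.failed


def cascade_delete(user_id: str, stores: list, system_log: list) -> DeletionReport:
    """Purge `user_id` from every store, continuing past failures so one
    unavailable system never hides that data survives elsewhere. Deletion is
    idempotent (an already-cleared store reports 0 rows), so the same call
    can be re-run until `report.complete` is True. The outcome goes to a
    system log that is not itself user data and so survives the cascade."""
    report = DeletionReport(user_id)
    for store in stores:
        try:
            report.deleted[store.name] = store.delete_user(user_id)
        except RuntimeError as exc:
            report.failed[store.name] = str(exc)
    system_log.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": "account.delete",
        "user_id": user_id,
        "complete": report.complete,
        "pending": sorted(report.failed),   # stores that still need a retry
    })
    return report


def verify_gone(user_id: str, stores: list) -> list:
    """Names of stores that still hold rows for the user (empty means clean)."""
    return [s.name for s in stores if s.has_user(user_id)]


def build_sample_stores() -> list:
    """Constructed sample data: two users, with the vector store down for u1."""
    return [
        Store("database", {"u1": ["account", "applications"], "u2": ["account"]}),
        Store("vector_store", {"u1": ["emb-1", "emb-2"], "u2": ["emb-3"]}, fail_on={"u1"}),
        Store("llm_trace_store", {"u1": ["trace-1"]}),
        Store("object_storage", {"u1": ["cv.pdf", "letter.pdf"], "u2": ["cv.pdf"]}),
        Store("audit_log", {"u1": ["login", "export"], "u2": ["login"]}),
    ]


if __name__ == "__main__":
    stores, log = build_sample_stores(), []
    first = cascade_delete("u1", stores, log)
    print("first pass complete:", first.complete, "still holding:", verify_gone("u1", stores))
    stores[1].fail_on.clear()          # the vector store comes back
    second = cascade_delete("u1", stores, log)
    print("second pass complete:", second.complete, "still holding:", verify_gone("u1", stores))
```

The design point is that `verify_gone` is a separate read-back check rather than trust in the per-store return values: the "Irreversible" promise only holds if completion is confirmed against every system, and a retry that finds nothing left to delete must succeed rather than error.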
Encryption
- At rest: full-disk encryption on every storage volume. Backups encrypted with age+sops, keys held by the operator and the operator’s password manager — not by any third party.
- In transit: TLS 1.3 with modern ciphers. HSTS enabled.
- App-to-database: TLS to our distributed SQL cluster (YugabyteDB, 3-replica RF=3 across two Norway hosts and a Leiden witness). Replication traffic between cluster nodes runs inside an IPsec mesh.
- Backups to off-site mirror: encrypted with age before transit; the off-site mirror cannot decrypt them on its own.
Audit and access
Every access to your data — by you, by the operator, by any sub-processor — is logged. The audit log is retained for 90 days hot in the database, and archived (encrypted) for 12 months in off-site backup before deletion.
The operator (the human running this) does not access your applications or drafts unless you explicitly ask for support. Doing so generates a typed audit event you can see in your settings.
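The two sections above state three rules: every access is logged with who performed it, the log is kept hot for 90 days and then archived for 12 months before deletion, and operator access happens only on a user's support request and shows up in the user's own settings. The following added example (not omoikane.coach's own code) models those rules in one place; the event field names, actor types, sample events and the `rotate` schedule are assumptions made for illustration.

```python
"""Typed audit events with hot / archive / delete retention tiers.

Added example, not omoikane.coach's own code. It models the page's rules:
every access is logged by actor type, the log is hot for 90 days and then
archived for 12 months before deletion, and operator access needs a user
support request and is visible to that user. Field names, actor types and
the sample events are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

ACTOR_TYPES = ("user", "operator", "subprocessor")
HOT_DAYS = 90          # retained in the live database
ARCHIVE_DAYS = 365     # then in the encrypted off-site archive


@dataclass(frozen=True)
class AuditEvent:
    ts: datetime
    actor_type: str
    actor_id: str
    subject_user: str          # whose data was touched
    action: str                # e.g. "read.drafts", "export", "login"
    reason: str = ""           # operator access must carry the support reason


def record_access(log: list, *, actor_type: str, actor_id: str, subject_user: str,
                  action: str, reason: str = "", now: Optional[datetime] = None) -> AuditEvent:
    """Append one event. Operator access without a user-initiated support
    reason is refused outright rather than logged, enforcing the page's rule."""
    if actor_type not in ACTOR_TYPES:
        raise ValueError(f"unknown actor type {actor_type!r}")
    if actor_type == "operator" and not reason:
        raise PermissionError("operator access requires a user support request")
    ev = AuditEvent(now or datetime.now(timezone.utc), actor_type, actor_id,
                    subject_user, action, reason)
    log.append(ev)
    return ev


def visible_to(log: list, user_id: str) -> list:
    """Events a user can see in settings: every access to their own data."""
    return [e for e in log if e.subject_user == user_id]


def retention_tier(ev: AuditEvent, now: datetime) -> str:
    """Where an event of this age belongs under the 90-day / 12-month schedule."""
    age = now - ev.ts
    if age <= timedelta(days=HOT_DAYS):
        return "hot"
    if age <= timedelta(days=HOT_DAYS + ARCHIVE_DAYS):
        return "archive"
    return "delete"


def rotate(hot: list, archive: list, now: datetime) -> dict:
    """Apply the schedule in place: events past the hot window move to the
    archive (encrypted at rest in the real system; a plain list here), and
    archived events past the full window are dropped. Returns tier counts."""
    counts = {"hot": 0, "archive": 0, "delete": 0}
    still_hot, still_archived = [], []
    for ev in hot + archive:
        tier = retention_tier(ev, now)
        counts[tier] += 1
        if tier == "hot":
            still_hot.append(ev)
        elif tier == "archive":
            still_archived.append(ev)
    hot[:] = still_hot
    archive[:] = still_archived
    return counts


def build_sample_log(now: datetime) -> list:
    """Constructed sample events at different ages; u1 and u2 are sample users."""
    log: list = []
    record_access(log, actor_type="user", actor_id="u1", subject_user="u1",
                  action="export", now=now - timedelta(days=1))
    record_access(log, actor_type="subprocessor", actor_id="llm-provider", subject_user="u2",
                  action="read.cv_for_draft", now=now - timedelta(days=30))
    record_access(log, actor_type="operator", actor_id="op-1", subject_user="u1",
                  action="read.drafts", reason="support request from u1 (constructed)",
                  now=now - timedelta(days=120))
    record_access(log, actor_type="user", actor_id="u1", subject_user="u1",
                  action="login", now=now - timedelta(days=500))
    return log


if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    hot, archive = build_sample_log(now), []
    print("u1 can see:", [(e.actor_type, e.action) for e in visible_to(hot, "u1")])
    print("rotation:", rotate(hot, archive, now))
```

Refusing, rather than merely logging, an operator read that lacks a support reason is the detail that makes the audit trail a control and not just a record: the typed event the user sees in settings is then guaranteed to carry the request that authorised it.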
Reporting a vulnerability
If you find a security issue, please email security@omoikane.coach before disclosing publicly. We respond within 48 hours and credit responsible disclosure in the changelog.