Our Commitment

Security & Payment Processing

Your card details are protected by industry-standard cryptography, kept only as long as we need them, and deleted automatically the moment your account no longer requires them on file. Here's exactly how it works.

At a glance

  • Cards are encrypted at rest with AES-256-GCM, the same family of algorithms used by banks and government systems.
  • Every card record uses its own random initialization vector and authentication tag, so the same card never produces the same ciphertext twice.
  • The encryption key lives in a server-side environment variable, never in the database, never in the source code.
  • Card details are only decrypted at the exact moment a charge is being processed, then re-encrypted at rest.
  • When you cancel your subscription or complete a one-time payment, the encrypted card record is permanently deleted within 3 days. No soft-delete, no archive — once purged, the data is gone for good.

Encryption

Every card stored on SourceHire is encrypted using AES-256-GCM, an authenticated encryption scheme that protects against both eavesdropping and tampering. AES-256-GCM is one of the algorithms approved by NIST for protecting U.S. government information classified up to TOP SECRET, and it's the same scheme used internally by major banks, cloud providers, and HTTPS itself.

Each card record is encrypted with a fresh random 16-byte initialization vector and stored alongside its authentication tag. The IV guarantees that the same card number encrypted twice produces two completely different ciphertexts, and the tag guarantees that any modification to the stored bytes will be detected the next time we try to decrypt them.

The 32-byte encryption key is held in a server-side environment variable on our hosting provider, isolated from the database itself. Even an attacker with read access to our database would not have the key needed to decrypt any card record.

Card lifecycle

We keep your card details only as long as we actually need them on file to do the job you signed up for.

  • One-time payments: the card is encrypted at submission, decrypted only when the charge is processed, and the encrypted record is permanently deleted within 3 days of the charge resolving (success or failure). The short retention window exists so we can re-process a declined card or handle an immediate dispute, then the data is gone.
  • Monthly subscriptions: the encrypted card stays on file for as long as the subscription is active, so we can re-charge it each month. When you cancel from your account page, the encrypted record is purged within 3 days, after which we lose the ability to charge that card again.
  • Failed charges: when a charge fails (declined, insufficient funds, etc.) on a one-time payment, the encrypted record is still purged. On a subscription, the subscription moves to a "past due" state so we can try the same card again, but you can cancel and erase it at any time from your account.

Who can see what

  • You can always see the last 4 digits, the cardholder name, and the expiry date on your account page. Full card numbers and CVVs are never re-displayed to anyone after submission, including you.
  • Recruiters never see card details at all. The Priority Review feature only tells the recruiter that you're a priority subscriber — never the means of payment.
  • The account owner can see decrypted card details on the admin processing page ONLY for the brief window between submission and the moment they record the outcome (processed / failed). After that, the card data is gone from the database.

How we process charges

Charges are processed manually through a payment terminal by the SourceHire account owner. There is no third-party API receiving your full card number on our behalf — it never leaves our infrastructure except to be entered into the terminal that runs the charge. This keeps the surface area small and the chain of custody short.

For monthly subscriptions, the same person processes the renewal charge each month using the encrypted record stored at signup. Your invoice will be available on your account page after the charge clears.

What we don't store

  • CVV / CVC codes — encrypted at rest only for the duration needed to process the charge, then purged with the rest of the record.
  • Card images / scans — we don't accept these.
  • Plaintext card numbers anywhere in our system — only encrypted blobs and the last 4 digits for display.

Questions?

Email support@sourcehire.app and we'll respond within one business day. If you believe your account or card has been compromised, mark the subject "urgent" and we'll prioritize it.
