Your career moves are nobody else's business
A job search is sensitive — especially in medicine. Here is exactly how we protect your data, in plain English.
Encrypted in transit
Every connection to the platform uses HTTPS with 256-bit TLS. We enforce it with HTTP Strict Transport Security, so browsers refuse to connect insecurely.
Encrypted at rest
The database and file storage are encrypted at rest with AES-256 on managed cloud infrastructure.
Field-level encryption on top
Personal contact details and every document in the vault — CVs, licenses, certifications — get an additional layer of application-level AES-256-GCM encryption before they're stored. Even someone with raw storage access sees ciphertext.
Documents are private by default
Vault files live behind opaque storage keys with no public URLs. A recruiter can only ever download a document after the clinician explicitly shares it in that conversation — and the platform warns the clinician before any share that reveals their identity.
Anonymous until you say otherwise
Clinicians appear to employers under an anonymous label. Your real name is released per-conversation, only when you share your contact info, CV, or a document, or book a call — never automatically.
Passwords are never stored
We keep only salted scrypt hashes. Nobody at VitalPost can read your password, and sign-in with Google means we never see a password at all.
Card details never touch our servers
All payments run through Stripe Checkout. Card numbers go directly to Stripe — a PCI-DSS Level 1 provider — and are never transmitted to or stored on VitalPost systems.
No patient data, ever
VitalPost is a hiring platform. We never request, receive, or store patient records or any protected health information — there is no PHI here to breach.
Our data promises
- We never sell your personal information. Not to advertisers, not to data brokers, not to anyone.
- Sharing is always your explicit choice. Contact details, CVs, and documents are released only when you tap share — after a confirmation that spells out exactly what the other side will see.
- You can walk away. A clinician can end a conversation and its history is permanently deleted for both sides.
What we don't claim
We're a young company and we'd rather under-promise: VitalPost has not yet completed third-party certifications such as SOC 2 or ISO 27001. When we do, the reports will be published on this page. We don't display badges we haven't earned.
Found a vulnerability?
We welcome responsible disclosure. Email [email protected] with details and we'll respond as quickly as we can. Our machine-readable policy lives at /.well-known/security.txt.
Questions about your data? See the Privacy Policy or contact us.