Placeholder: Security audit required before public launch

Security

Last updated: June 2026

MVP placeholder. A formal security review (penetration testing, infrastructure audit, OWASP assessment) is required before accepting real participant data at scale.

CHECKPOINT takes the security and privacy of participant data seriously. This page describes our security practices, data handling principles, and how to report vulnerabilities.

Data architecture

  • Contact information is architecturally separated from company profile data
  • Contact details are only surfaced when bilateral consent has been confirmed
  • Passwords are hashed using industry-standard algorithms; plain-text passwords are never stored
  • Database connections use TLS in transit
  • Production databases use encryption at rest

Application security

  • Authentication via NextAuth v5 with session token rotation
  • CSRF protection on all mutating endpoints
  • SQL injection prevention via parameterized queries (Prisma ORM)
  • XSS prevention via React's default output encoding
  • Role-based access control: participants cannot access admin endpoints
  • Rate limiting on authentication and API endpoints (production)
  • Content-Security-Policy headers (in configuration)

Data access and retention

  • Platform staff access to participant data is limited to support and operational necessity
  • AI providers receive only the curated context packet, not raw profile data
  • AI providers' data processing agreements are reviewed for compliance
  • Account deletion requests will result in anonymization or deletion of personal data within 30 days
  • Audit logs are maintained for admin actions

Responsible disclosure

If you discover a security vulnerability in the CHECKPOINT platform, please report it responsibly to support@checkpoint.ai with the subject line "Security Vulnerability Report". Please do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate. We will acknowledge receipt within 48 hours.

Pre-launch security checklist

  • Penetration testing: Pending
  • OWASP Top 10 review: Pending
  • Infrastructure hardening: Pending
  • Secrets scanning (CI): Pending
  • Dependency audit: Pending
  • Rate limiting (production): Pending
  • DDoS protection (CDN): Pending
  • Backup and recovery test: Pending