Security

Security at CareerLift.ai

Your resume, interview responses, and career data are sensitive. Here is exactly how we protect them — the infrastructure we run on, the controls we apply, and how to reach us if you find a vulnerability.

Last reviewed: May 2026

Infrastructure & Certifications

CareerLift runs entirely on cloud providers that each hold an independent SOC 2 Type II attestation. We do not operate our own data centres.

Vercel: Hosting & Edge Network
SOC 2 Type II, ISO 27001

All web traffic is served through Vercel's global edge network, and TLS 1.2 or 1.3 is enforced on every request.

Supabase: Database & Authentication
SOC 2 Type II

User data, sessions, and interview records are stored in Supabase Postgres with row-level security (RLS) policies that scope every query to the authenticated user, so each user can read and write only their own rows.

Stripe: Payment Processing
PCI DSS Level 1

No card numbers are stored on CareerLift servers. Payment data is tokenised and handled exclusively by Stripe, which is certified at PCI DSS Level 1, the highest level of PCI DSS compliance.

OpenAI / Anthropic: AI Generation
SOC 2 Type II

Interview questions, evaluations, and resume analysis are generated through these providers' APIs. Under their enterprise API terms, prompts and responses are not used to train their models.

Transport Security & HTTP Headers

All traffic is encrypted in transit with TLS 1.2/1.3. The following security headers are enforced on every response.

Strict-Transport-Security: max-age=63072000; includeSubDomains; preload

Forces HTTPS for 2 years (63072000 seconds) on the domain and all subdomains; the domain is submitted to browser preload lists so even a first visit never goes over plain HTTP

Content-Security-Policy: strict allowlist

Blocks inline scripts and unauthorised third-party sources

X-Frame-Options: DENY

Prevents clickjacking by refusing to be rendered in any frame

X-Content-Type-Options: nosniff

Prevents MIME-type sniffing

Referrer-Policy: strict-origin-when-cross-origin

Limits referrer data sent to third parties to the origin only

Permissions-Policy: camera=(self), microphone=(self), geolocation=()

Allows camera and microphone only for our own origin and disables geolocation entirely
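The checks a practitioner would run against the list above, as an added Node.js example (not CareerLift's code). It parses Strict-Transport-Security, Content-Security-Policy and Permissions-Policy rather than string-matching them, so it also catches a downgraded max-age, an 'unsafe-inline' that crept into script-src, or a camera allowlist widened to any origin. The header names and values are the ones published on this page; the CSP value in the compliant sample is a placeholder, since the page does not publish its actual policy, and both sample header sets are constructed for illustration.

```javascript
// Added example, not CareerLift's code: audit a response's security headers
// against the policy published on this page. The CSP value in the compliant
// sample is a placeholder; the page does not publish its actual policy.

const TWO_YEARS_SECONDS = 63072000;
const ACCEPTABLE_REFERRER_POLICIES = new Set([
  'no-referrer', 'same-origin', 'strict-origin', 'strict-origin-when-cross-origin',
]);

// Lower-case header names so lookups are case-insensitive.
function normaliseHeaders(headers) {
  const out = {};
  for (const [name, value] of Object.entries(headers)) out[name.toLowerCase()] = String(value).trim();
  return out;
}

// "max-age=63072000; includeSubDomains; preload" -> { maxAge, includeSubDomains, preload }
function parseHsts(value) {
  const directives = value.split(';').map((d) => d.trim().toLowerCase()).filter(Boolean);
  const maxAge = directives.find((d) => d.startsWith('max-age='));
  return {
    maxAge: maxAge ? Number(maxAge.slice('max-age='.length)) : NaN,
    includeSubDomains: directives.includes('includesubdomains'),
    preload: directives.includes('preload'),
  };
}

// "default-src 'self'; script-src 'self' cdn.example" -> { 'default-src': ["'self'"], ... }
function parseCsp(value) {
  const policy = {};
  for (const part of value.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// "camera=(self), microphone=(self), geolocation=()" -> { camera: ['self'], ..., geolocation: [] }
function parsePermissionsPolicy(value) {
  const policy = {};
  for (const part of value.split(',')) {
    const m = part.trim().match(/^([a-z-]+)=(?:\(([^)]*)\)|(\*))$/i);
    if (!m) continue;
    policy[m[1].toLowerCase()] = m[3] ? ['*'] : m[2].split(/\s+/).filter(Boolean);
  }
  return policy;
}

// Returns a list of findings; an empty list means the response matches the policy.
function auditSecurityHeaders(rawHeaders) {
  const h = normaliseHeaders(rawHeaders);
  const findings = [];

  if (!h['strict-transport-security']) {
    findings.push('HSTS missing');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    if (!(hsts.maxAge >= TWO_YEARS_SECONDS)) findings.push(`HSTS max-age ${hsts.maxAge} is below two years`);
    if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
    if (!hsts.preload) findings.push('HSTS lacks preload');
  }

  const csp = h['content-security-policy'] ? parseCsp(h['content-security-policy']) : null;
  if (!csp) {
    findings.push('CSP missing');
  } else {
    // script-src governs inline scripts; default-src applies when it is absent.
    const scriptSrc = csp['script-src'] || csp['default-src'];
    if (!scriptSrc) {
      findings.push('CSP has neither script-src nor default-src');
    } else {
      const weak = scriptSrc.filter(
        (s) => s === "'unsafe-inline'" || s === "'unsafe-eval'" || s === '*' || s === 'data:' || s.startsWith('http:'),
      );
      if (weak.length) findings.push(`CSP script-src allows ${weak.join(' ')}`);
    }
  }

  // Framing is blocked by X-Frame-Options DENY or by the CSP equivalent, frame-ancestors 'none'.
  const xfo = (h['x-frame-options'] || '').toUpperCase();
  const fa = csp && csp['frame-ancestors'];
  if (!(xfo === 'DENY' || (fa && fa.length === 1 && fa[0] === "'none'"))) {
    findings.push("framing not blocked: need X-Frame-Options DENY or frame-ancestors 'none'");
  }

  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') findings.push('X-Content-Type-Options is not nosniff');
  if (!ACCEPTABLE_REFERRER_POLICIES.has((h['referrer-policy'] || '').toLowerCase())) findings.push('Referrer-Policy missing or permissive');

  if (!h['permissions-policy']) {
    findings.push('Permissions-Policy missing');
  } else {
    const pp = parsePermissionsPolicy(h['permissions-policy']);
    for (const feature of ['camera', 'microphone', 'geolocation']) {
      if (!pp[feature]) findings.push(`Permissions-Policy does not mention ${feature}`);
      else if (pp[feature].includes('*')) findings.push(`Permissions-Policy grants ${feature} to any origin`);
    }
  }
  return findings;
}

// Constructed sample matching the published policy (CSP value is a placeholder).
const PUBLISHED_HEADERS = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'Permissions-Policy': 'camera=(self), microphone=(self), geolocation=()',
};

// Constructed sample of a misconfigured deployment, for contrast.
const WEAK_HEADERS = {
  'Strict-Transport-Security': 'max-age=3600',
  'Content-Security-Policy': "default-src 'self' 'unsafe-inline' *",
  'X-Frame-Options': 'SAMEORIGIN',
  'Referrer-Policy': 'unsafe-url',
  'Permissions-Policy': 'camera=*, microphone=(self)',
};
```

To run it against a live response, pass the header map from a fetch, for example `fetch(url).then((r) => auditSecurityHeaders(Object.fromEntries(r.headers)))`; the compliant sample yields no findings, the weak one yields nine.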

What We Store & How Long

We collect only what is necessary to provide the service. We do not sell your data to third parties — ever.

Data                         Stored  Encrypted  Retention
Account info (email, name)   Yes     Yes        Until account deletion
Resume text                  Yes     Yes        Until deleted by user
Interview responses (text)   Yes     Yes        Until deleted by user
Voice recordings             No      Yes        Processed in real time, not persisted
Payment details              No      Yes        Stripe only; never reaches our servers
Chrome Extension job data    Yes     Yes        Until deleted by user

You can delete your account and all associated data at any time from Settings → Delete Account. Full details in our Privacy Policy.

Authentication & Access Control

  • Authentication is handled by Supabase Auth using industry-standard JSON Web Tokens (JWTs): short-lived access tokens paired with rotating refresh tokens.
  • Row-level security (RLS) is enforced at the database layer: every query made under a user's session is scoped to that user, so application code cannot return another user's rows even if it contains a bug.
  • Every API route requires a valid session token. Unauthenticated requests are rejected before any data access occurs.
  • Google OAuth is supported as a login option. We request only basic profile scopes (your email and name) and never access your Google Drive, Gmail, or any other Google data.
  • Rate limiting is applied to all API routes to blunt brute-force and credential-stuffing attacks.

Payment Security

All payments are processed by Stripe, a PCI DSS Level 1 certified provider (the highest level of PCI DSS compliance). CareerLift servers never see, transmit, or store card numbers, CVV codes, or full payment details.

Stripe's security documentation is available at stripe.com/docs/security.

Compliance

GDPR

We process EU personal data in accordance with GDPR. You have the right to access, correct, export, and delete your data.

CCPA / CPRA

California residents have the right to know what data is collected, request deletion, and opt out of data sales (we do not sell data).

HTTPS / HSTS

Enforced on every request. The domain is submitted to the browser HSTS preload list, so browsers refuse plain HTTP connections even before their first visit.

SOC 2 (Roadmap)

Our infrastructure providers (Vercel, Supabase) hold SOC 2 Type II attestations. We are evaluating a SOC 2 audit of CareerLift itself.

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you believe you have found a security issue in CareerLift.ai, please contact us before publishing or sharing the details publicly.

Policy: We will acknowledge reports within 2 business days and aim to resolve critical issues within 14 days.
Scope: careerlift.ai and all subdomains, the Chrome Extension, and our iOS app.
Out of scope: social engineering, physical attacks, denial-of-service, and vulnerabilities in third-party dependencies we do not control.

A machine-readable version of this policy (RFC 9116 security.txt) is available at /.well-known/security.txt.