DevCard Concepts

Key terms you'll see throughout DevCard.

Fit Score
How well a candidate's skills, experience, and cognitive strengths align with a job's requirements. Uses structured ontology mapping, not keyword matching.
Confidence Score
How much verified evidence supports a fit score. More project details, linked accounts, and peer verification increase confidence.
Transferability
The ability for skills in one technology to apply to related technologies. For example, React experience transfers to Vue because they share component architecture patterns.
Cognitive Archetype
A developer's dominant problem-solving style, derived from patterns in their work history. Not a personality test — it reflects how they approach technical challenges.
Ontology
DevCard's structured knowledge graph of technologies, skills, and their relationships. It enables matching beyond keywords by understanding how skills connect and transfer.

Security

Security posture, stated honestly.

DevCard is in pre-launch closed beta. The controls below describe what is in place today. Where we are not yet certified, we say so.

Last updated: 2026-05-07.

SOC 2 Type II — planned for v50.0 GA

SOC 2 Type II audit is scoped for the v50.0 General Availability milestone. Pre-launch operates under best-practice controls described below — the gap is auditor attestation, not the controls themselves. Procurement teams who require SOC 2 today should treat DevCard as not-yet-eligible and revisit at GA.

Authentication

  • Laravel session-based authentication. Sessions are server-side and tied to a signed, HTTP-only cookie.
  • Passwords are stored as bcrypt hashes. We never see your plaintext password and cannot retrieve it.
  • Two-factor authentication (TOTP) is available for every account. Enrollment lives at /settings/two-factor.
  • Login attempts are logged and reviewable by admins for incident triage.

Encryption

  • In transit — TLS on every public surface. Production deployments require TLS for the application, MySQL connection, and Redis connection.
  • At rest — MySQL native encryption on the storage volume. Sensitive credentials (API keys, tokens) are encrypted with the application key before persistence.
  • Application secrets are kept out of the repository and rotated on a defined schedule.

Application controls

  • CSRF — every state-changing endpoint requires a Laravel CSRF token. Cross-site request forgery is enforced at the framework layer.
  • XSS — Blade escapes by default. User-controlled inputs surfaced through specialized renderers (e.g., the bio-rewrite hedge highlighter) are escaped before any markup substitution. One historical exception in that highlighter was hardened post-audit.
  • Rate limits — login throttled to 5 attempts per minute per IP. The recruiter waitlist is throttled to 5 submissions per hour. Public Pulse and Score endpoints are throttled to 60 requests per minute. The Score tool also operates under a daily LLM-budget kill switch.
  • Privilege escalation defense — admin-only reflective routes are gated behind the admin middleware on top of the dev-environment check, defense in depth so a misconfigured staging environment cannot expose them to non-admin sessions.
  • Shell-safe arguments — operational helpers that invoke shell commands escape every interpolated value with escapeshellarg, eliminating shell-injection vectors on internal tooling.
  • Bot abuse — Cloudflare Turnstile gates anonymous public tools (Score) before any LLM call is made.

Observability and incident response

  • Errors flow to Sentry. A PII scrubber filters opted-out users at the source so their identifiers never reach the error sink.
  • Telemetry events flow to PostHog only when the user has explicitly opted in via /settings/privacy. Default is opt-out.
  • Production runbooks cover incident response, on-call coverage, and operational diagnostics. They are reviewed before each milestone keystone.

Dependencies and supply chain

  • Composer and npm dependencies are pinned and reviewed before upgrade.
  • LLM access is brokered through a single internal service that enforces rate limits, caching, and circuit breakers. Providers are never called directly from feature code.
  • LLMs are used only for translating unstructured input into structured ontology data. Candidate-job comparisons are deterministic and computed from stored structured data — there is no LLM in the matching loop.

Vulnerability disclosure

Report security issues to security@devcard.com. Pre-launch SLA targets:

  • Acknowledgement within 2 business days.
  • Triage and severity assessment within 5 business days.
  • Critical issues resolved or mitigated within 7 days; high-severity issues within 30 days.

We act in good faith with researchers who follow responsible disclosure: do not exfiltrate data beyond what is needed to demonstrate the issue, do not degrade service for other users, and give us reasonable time to remediate before publishing.

Where we are not yet

Pre-launch posture excludes the following — each is scoped for v50.0 GA or later:

  • SOC 2 Type II auditor attestation.
  • External penetration test report (a structured first-party security review has been conducted; third-party pen test scoped for GA).
  • Formal Bug Bounty program. Disclosure email above is in place; structured bounty rewards arrive at GA.
  • Regional data residency commitments and signed Data Processing Agreements.

See also: Privacy · Terms · Methodology