Security

Security practices for LadderStar accounts, public profiles, admin operations, billing, messaging, and AI interview features.

Effective date and last updated: May 3, 2026

1. Account protection

LadderStar uses Firebase Authentication for supported sign-in paths. Users are responsible for protecting their email, identity provider accounts, devices, and active sessions.

2. Data access controls

Firestore rules and server routes separate client-owned data from server-owned operational records. Admin and owner authorization must be verified server-side. Pricing configuration, wallet balances, wallet transactions, role changes, status changes, and audit logs are designed to be server-owned.

2A. Live interview sessions

Employer and Mentor interview invitations store only hashed magic-link tokens, never the raw token. Gemini credentials remain in a dedicated server-side relay and are never sent to the browser. Consented recordings are stored outside the public web root in private Firebase Storage paths, and playback requires that the requester be the authenticated sender or an authorized platform operator.

3. Secrets and infrastructure

Production secrets belong in deployment environment settings and must not be committed to the repository. Firebase private keys loaded from environment variables require newline handling at runtime. Vercel hosts the application and may provide analytics and performance tooling.

5. No overclaiming

This page describes current practices at a high level. It does not claim a particular certification, audit, compliance framework, uptime guarantee, or complete immunity from security incidents.
