NugWork

Security

Last updated: March 24, 2026

1. Payment Security & PCI DSS

NugWork processes payments via PaymentCloud, a PCI DSS certified payment processor. We target SAQ A, the self-assessment questionnaire for merchants that fully outsource card handling: customers enter card data only on the payment processor's hosted page, and card data never passes through the merchant's own servers.

When you pay for a job listing, you are redirected to PaymentCloud's hosted payment page. Card data is entered on that page and submitted directly to PaymentCloud. NugWork's servers never receive, process, or store your raw card data.

What NugWork stores after payment

  • Last four digits of the card (display only)
  • Transaction amount and status
  • PaymentCloud transaction ID

Full card numbers, CVV codes, and card expiry dates are never stored on NugWork systems.

2. Data Hosting & Infrastructure

  • Database & authentication: Supabase — SOC 2 Type II attested, data stored in US regions
  • Application hosting & CDN: Vercel — HTTPS/TLS enforced on all pages and API routes at the edge
  • File storage (resumes, logos): Supabase Storage — private bucket with signed, time-limited access URLs
  • Transactional email: Resend

3. Authentication Security

  • Session cookies are set HttpOnly (not readable by page JavaScript) and Secure (sent only over HTTPS)
  • Admin sessions require a second, HMAC-signed cookie on top of the normal session cookie (a double lock: both must validate for admin access)
  • Passwords are hashed by Supabase Auth using bcrypt
  • Accounts registered with an email address must verify that address before they are activated
  • Rate limiting is applied to selected authentication endpoints

4. Data We Do Not Collect

  • Full payment card numbers, CVV codes, or card expiry dates
  • Cannabis consumption history, medical records, or health data
  • Social Security Numbers or government-issued ID numbers
  • Precise device geolocation

5. Responsible Disclosure

If you discover a security vulnerability in NugWork, we ask that you disclose it responsibly. Please contact us at hello@nugwork.net with the subject line “Security Vulnerability Report” and allow us reasonable time to investigate and remediate before disclosing publicly.

We do not currently operate a formal bug bounty program, but we genuinely appreciate responsible security research and will acknowledge your contribution if you wish.

6. Questions

For general security or privacy questions, contact us at privacy@nugwork.net.