Security & Technical Overview

Infrastructure & Stack

Runtime

Node.js 18 (LTS) on Alpine Linux

Containerised via Docker; orchestrated with Docker Compose in the current production deployment.

API framework

Express 4

All routes are plain REST JSON. No GraphQL.

Database

PostgreSQL 15

Runs in a separate container with a named volume for persistence.

Video / file storage

MinIO (S3-compatible)

Self-hosted object store in the same deployment. No third-party CDN or cloud storage bucket.

Cache

Redis 7 (Alpine)

Used for session/rate-limit coordination.

Frontend

Plain HTML + vanilla JS

No React, no Next.js, no build pipeline. Served as static files by nginx.

Reverse proxy

nginx

Proxies /api/* to Express (port 3001); serves static files directly.

Payments

Stripe

No card data touches our servers. All billing is handled by Stripe's hosted elements and webhooks.

Account passwords are hashed with bcrypt (cost factor 10) before storage. Plain-text passwords are never written to the database.
Account sessions use a JWT (HS256) stored in an HttpOnly cookie — not accessible to JavaScript. 30-day expiry. JWT_SECRET must be set as an env var in production; the server refuses to start if it is missing or set to the dev default.
Reviewer & candidate tokens are 48-character nanoid strings (URL-safe random). Only the SHA-256 hash is stored in the database — the raw token is never persisted.
Admin API key is compared using crypto.timingSafeEqual to prevent timing-based enumeration attacks.
No OAuth / SSO is implemented at this time. Authentication is email + password only for account holders. Reviewers and candidates authenticate via single-use token links — no password or account required.

Video files are stored in a self-hosted MinIO bucket within the same deployment. They do not leave to a third-party storage provider.
The bucket is not publicly accessible. All video access — both upload and playback — is gated behind short-lived pre-signed URLs generated by the backend. Upload URLs expire after 15 minutes; playback URLs expire after 1 hour.
Playback is authenticated: reviewers must present a valid reviewer token, and account owners must have an active session JWT, before a pre-signed URL is issued.
Video recorded on the lp-try demo page is handled entirely in the browser via the MediaRecorder API. It is never uploaded to any server and is discarded when the tab closes.

When a hiring manager closes an interview set, all candidate responses are marked with a 30-day expires_at timestamp. Deletion of the video file and response record is intended to occur at or after that date.
Response records and video files can be deleted manually by the account owner at any time from the dashboard.
There is no automated background purge job running at this time — the 30-day deletion is a policy commitment, not yet a scheduled process. We note this clearly so IT teams can factor it in.
Meet invite tokens carry a 14-day expiry set in the database. Expired invites are refused at the API layer.
Funnel analytics (page_events table) store a SHA-256 hash of the visitor's IP address. No raw IP addresses are persisted.

Strict-Transport-Security (HSTS, 1-year, includeSubDomains) is set in production.
X-Frame-Options: DENY — page cannot be embedded in an iframe.
X-Content-Type-Options: nosniff — prevents MIME-type sniffing.
Content-Security-Policy is set on all responses. frame-ancestors 'none' is enforced.

Rate limiting is applied globally to all API routes via express-rate-limit. Specific thresholds are available on request to IT teams.
JSON body size is capped at 10 MB for API requests.
CORS is restricted to CORS_ORIGIN env var in production. The server refuses to start without it.
nginx is configured to accept video uploads up to 600 MB with extended proxy timeouts.

Stripe — billing only. Card data never touches BafGo servers. Stripe webhook events update subscription status in our database.
Google Fonts — loaded on public-facing pages for typography (Sora, Plus Jakarta Sans). This results in a DNS request to Google's CDN from the visitor's browser. No personal data is sent alongside it.
Groq / OpenAI SDKs are present as dependencies for optional AI features. These are not active in the core interview flow — candidate video responses are not processed by any AI or LLM.
No third-party analytics (e.g. Google Analytics, Mixpanel, Segment, HubSpot) are loaded. All funnel event tracking goes to a self-hosted page_events table in our own database.
Email (SMTP) — transactional emails (reviewer invites, candidate notifications) are sent via a configurable SMTP server using Nodemailer. Email is skipped gracefully if SMTP is not configured.
No data is sold to third parties. Candidate video responses are not used for AI model training.

Production is deployed via Docker Compose on self-hosted infrastructure. A Helm chart for Kubernetes is maintained in the repository but is not the active production deployment at this stage.
The backend container runs as node:18-alpine with only production dependencies installed (npm install --omit=dev).
All critical environment variables (JWT_SECRET, DB_PASSWORD, CORS_ORIGIN) are required in production — the server process exits immediately on startup if any are missing.
There is currently no formal penetration test or SOC 2 audit. BafGo is an early-stage SaaS. If your organisation requires certifications, please contact us to discuss a timeline or custom arrangement.