Built so you can trust it. Not just because we say so.
TruJob handles email content. That requires earning trust, not asking for it. This page documents what TruJob does and does not have access to, what we do with what we have, and how you can verify these claims yourself.
TruJob requests exactly 3 Chrome permissions. Here is why each one is necessary.
Chrome will list every permission TruJob requests at install time. There are three. No more.
Allows TruJob to read content from the Gmail or LinkedIn tab you are actively viewing when you initiate a scan. Does not grant access to any other tab, your browsing history, or any background process.
Allows TruJob to store your settings (language preference, notification preferences, account session) on your device. Does not grant access to any data that is not yours.
Restricts TruJob to operating only on Gmail and LinkedIn pages. TruJob cannot read, modify, or interact with any other website.
What TruJob cannot do
These are technical impossibilities given the permissions TruJob requests. Even if we wanted to do these things, we cannot.
TruJob has no access to anything outside the Gmail or LinkedIn tab you are actively viewing. Banking sites, healthcare portals, social media, and email from other providers are all invisible to it.
Email body and metadata are processed in memory on your device. Only abstract signal data, scores and pattern flags, is transmitted to TruJob's servers. The email content itself never leaves your machine.
TruJob does not have access to your bank accounts, your other email accounts, your social media, or any other service. Sign-in credentials for any other service are completely outside TruJob's reach.
TruJob does not run unless you are actively viewing Gmail or LinkedIn. There is no background process, no continuous monitoring, no idle data collection.
TruJob is a read-only scanner. It cannot send messages, edit drafts, change recipients, or alter anything in your accounts.
What TruJob does to protect you
All data transmitted between your device and TruJob's servers is encrypted using TLS 1.3. All data stored at rest in our database is encrypted using AES-256. Database backups are encrypted with separate keys.
TruJob does not include Google Analytics, Facebook Pixel, Mixpanel, Segment, or any third-party analytics or advertising tracker in the extension. Any analytics on our website is privacy-respecting and disclosed in the cookie banner.
Code, dependencies, and access controls are reviewed quarterly by the founder and an independent security advisor. Changes ship monthly via Chrome Web Store auto-updates.
Researchers who find security issues can report them to security@trujob.io. We respond within 24 hours and publicly credit researchers who follow responsible disclosure.
GitHub Dependabot monitors all dependencies daily. Security patches ship within 48 hours of disclosure for critical severity, 7 days for high, 30 days for medium.
How to verify this yourself
Trust is verifiable. Here is how to check our claims directly, without relying on what we say.
Visit chrome://extensions, find TruJob, and click Details. Chrome lists every permission the extension actually has, independently of what we say. The list will match the three permissions described above.
Open Chrome DevTools (F12), go to the Network tab, and use TruJob in Gmail. You can see every request TruJob makes. Email body content will not be in any request payload.
Chrome Web Store listings include the extension's permission requests, developer information, and privacy practices declaration. TruJob's listing matches the documentation here.
TruJob's privacy policy and terms of service are publicly accessible from our footer. They are written in plain language and describe what we do, not what we are legally allowed to do.
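One way to run the Network-tab check above against a saved capture, as an added example that is not TruJob's code: export the DevTools Network log as a HAR file, then search every request URL and body for a phrase copied from the email you scanned. The HAR entries, host name and phrase below are constructed for illustration.

```javascript
// Added example, not TruJob code. The HAR entries, host and phrase are constructed.
const EMAIL_TEXT = 'Dear applicant, please wire the onboarding fee today';
const SAMPLE_HAR = { log: { entries: [
  { request: { method: 'POST', url: 'https://api.example.test/v1/score',
      postData: { text: '{"score":82,"flags":["urgent_payment"]}' } } },
  { request: { method: 'POST', url: 'https://api.example.test/v1/debug',
      postData: { text: JSON.stringify({ blob: Buffer.from(EMAIL_TEXT).toString('base64') }) } } },
  { request: { method: 'GET', url: 'https://api.example.test/v1/ping?q=wire%20the%20onboarding%20fee' } },
] } };

// Render text as-is, URL-decoded, and with base64-looking tokens decoded,
// so a phrase is found even when the payload is encoded.
function views(text) {
  const out = [text];
  try { out.push(decodeURIComponent(text.replace(/\+/g, ' '))); } catch (_) { /* malformed % escape */ }
  for (const tok of text.match(/[A-Za-z0-9+\/_-]{16,}={0,2}/g) || []) {
    const std = tok.replace(/-/g, '+').replace(/_/g, '/'); // accept base64url too
    out.push(Buffer.from(std, 'base64').toString('utf8'));
  }
  return out.map((s) => s.toLowerCase());
}

// Return one hit per (request, location, phrase) where the phrase appears.
function findLeaks(har, phrases) {
  const hits = [];
  for (const { request } of har.log.entries) {
    const parts = { url: request.url, body: (request.postData && request.postData.text) || '' };
    for (const [where, text] of Object.entries(parts)) {
      const rendered = views(text);
      for (const phrase of phrases) {
        if (rendered.some((v) => v.includes(phrase.toLowerCase()))) {
          hits.push({ url: request.url, where, phrase });
        }
      }
    }
  }
  return hits;
}

for (const h of findLeaks(SAMPLE_HAR, ['wire the onboarding fee'])) {
  console.log(`phrase found in request ${h.where}: ${h.url}`);
}
```

An empty result covers only the encodings checked here (plain, URL-encoded, base64); compressed or encrypted request bodies would need their own decoding step before the search.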
TruJob's security commitments
If TruJob suffers a security breach affecting user data, every affected user will receive an email notification within 72 hours of confirmation. The notification will explain what happened, what data was involved, and what steps users should take.
Significant security incidents are publicly documented in a post-incident review on our website. We name what failed, what we changed, and what we learned. We do not hide failures.
When a security improvement and a new feature compete for engineering time, security wins. This is a written commitment.
Before TruJob launches the Chrome extension publicly, our code and infrastructure are being reviewed by an independent security advisor with experience in browser extension and consumer SaaS security. The review is not a formal SOC 2 audit, but it functions similarly: an outside professional reviews our claims and the implementation behind them.
Found a security concern?
Email security@trujob.io with details. We respond within 24 hours, follow responsible disclosure timelines, and credit researchers publicly when issues are resolved.