> ## Documentation Index
> Fetch the complete documentation index at: https://jobo.world/docs/llms.txt
> Use this file to discover all available pages before exploring further.

# Security

> How Jobo protects your outbound feed credentials and data in transit.

## Encryption

| Layer               | Standard |
| ------------------- | -------- |
| Credentials at rest | AES-256  |
| Data in transit     | TLS 1.3  |

All credentials are encrypted with AES-256 before storage. They are never stored in plain text or logged. All data transfers use TLS 1.3, and connections to your destination use the strongest available encryption.

***

## Minimal Permissions per Destination

Always create a **dedicated user** with the minimum permissions required:

| Destination   | Recommended Permissions                                     |
| ------------- | ----------------------------------------------------------- |
| PostgreSQL    | `CREATE TABLE`, `INSERT`, `UPDATE` on target schema         |
| MongoDB       | `readWrite` role on target database                         |
| Elasticsearch | Write access to target index (or index creation privileges) |
| Algolia       | Admin API Key with write access to target index             |
| Meilisearch   | Master key or admin key with write access                   |

<Warning>
  Never use root/superuser credentials for outbound feeds. Create a dedicated
  user with only the permissions listed above.
</Warning>

***

## IP Whitelisting

For maximum security, restrict inbound connections to your destination to only Jobo's IP addresses.

<Info>
  **Contact support** to get the current IP range for whitelisting. We recommend
  keeping your whitelist up to date and reviewing it periodically.
</Info>

This applies to:

* PostgreSQL `pg_hba.conf` or cloud firewall rules
* MongoDB Atlas Network Access list
* Elasticsearch cluster security groups
* Any self-hosted destination behind a firewall

***

## Best Practices

<Steps>
  <Step title="Use dedicated credentials">
    Create a separate database user with minimal permissions for the Jobo feed.
    Never share credentials with other applications.
  </Step>

  <Step title="Enable TLS">
    Always use encrypted connections (`ssl_mode: require` for PostgreSQL,
    `mongodb+srv://` for MongoDB, HTTPS for search engines).
  </Step>

  <Step title="Restrict network access">
    Whitelist only Jobo's IP addresses in your firewall rules. Contact support
    for the current IP range.
  </Step>

  <Step title="Rotate credentials regularly">
    Periodically rotate passwords and API keys, then update the feed
    configuration. This limits the blast radius of any credential leak.
  </Step>
</Steps>