Security & Compliance
Resume Tailor is built with enterprise security requirements in mind. We are actively pursuing SOC 2 Type II certification and follow industry best practices for data protection, access control, and incident response.
Last updated: May 2026
- SOC 2 Type II: audit started Q2 2026, est. completion Q4 2026
- Encryption in transit: TLS 1.3 enforced on all connections
- Encryption at rest: AES-256 via Upstash Redis at-rest encryption
- HSTS: max-age=31536000; includeSubDomains
- Access control: Clerk auth, RBAC, API key gating
- Audit logging: 90-day privileged access audit trail
- Scheduled Q3 2026
- Data Processing Agreement on request
Data Infrastructure
Hosting: Resume Tailor runs on Vercel (US East region). All compute is serverless and ephemeral — no persistent application servers retain user data between requests.
Database: All persistent data is stored in Upstash Redis (US East 1 region). Upstash provides AES-256 at-rest encryption and TLS in transit. Data residency is US-only; no data is replicated to other regions without explicit configuration.
AI processing: Resume text is processed by the Anthropic Claude API. Anthropic's enterprise API does not train on customer data. Data is transmitted over TLS and not persisted beyond the request.
Authentication: Identity management is handled by Clerk. Passwords are never stored by Resume Tailor. OAuth tokens are managed by Clerk and not accessible to our application.
Payments: All payment processing is handled by Stripe. No payment card data touches Resume Tailor servers.
Access Controls
- ✓ Multi-factor authentication available via Clerk for all accounts
- ✓ Role-based access control (RBAC): users, org admins, site admins are strictly separated
- ✓ API keys use SHA-256 hashing — plaintext keys are never stored
- ✓ Admin routes require verified email match against a hardcoded allowlist
- ✓ Organization members can only access their own org's data
- ✓ All API endpoints enforce authentication before data access
- ✓ Session tokens are short-lived (Clerk-managed) with automatic rotation
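The following is an added example, not Resume Tailor's own code, showing how the API-key hashing and org-scoping items above fit together: a key is issued once in plaintext, only its SHA-256 digest is stored, lookup is by digest, and a key can reach only its own organisation's resources. The in-memory Map standing in for the Upstash Redis store, the `rt_` prefix and all function names are assumptions made for this example.

```typescript
import { createHash, randomBytes } from "node:crypto";

// Constructed in-memory stand-in for the Upstash Redis store: digest -> metadata.
// (Assumption for this example; the real schema is not shown on the page.)
interface ApiKeyRecord {
  orgId: string;
  createdAt: number;
  revokedAt: number | null;
}
const keysByDigest = new Map<string, ApiKeyRecord>();

// Only the SHA-256 digest of a key is ever written to storage or logs.
export function digestKey(plaintext: string): string {
  return createHash("sha256").update(plaintext, "utf8").digest("hex");
}

// Issue a key for an organisation. The plaintext is returned exactly once for
// display; afterwards it can only be verified against its digest, never recovered.
// 32 random bytes give 256 bits of entropy, so a fast hash is adequate: unlike a
// password, the key cannot be guessed from its digest. (The "rt_" prefix is assumed.)
export function issueApiKey(orgId: string, now: number = Date.now()): string {
  const plaintext = `rt_${randomBytes(32).toString("base64url")}`;
  keysByDigest.set(digestKey(plaintext), { orgId, createdAt: now, revokedAt: null });
  return plaintext;
}

// Resolve a presented key to its organisation. Lookup is by digest, so the
// plaintext is never compared or stored; unknown and revoked keys both fail closed.
export function authenticateApiKey(presented: string): { orgId: string } | null {
  const record = keysByDigest.get(digestKey(presented));
  if (!record || record.revokedAt !== null) return null;
  return { orgId: record.orgId };
}

// Org scoping: a key reaches only resources that belong to its own organisation.
export function authorizeOrgResource(presented: string, resourceOrgId: string): boolean {
  const principal = authenticateApiKey(presented);
  return principal !== null && principal.orgId === resourceOrgId;
}

// Revocation marks the record rather than deleting it, so the revocation time
// survives for the audit trail and a replayed key is rejected as revoked rather
// than treated as merely unknown.
export function revokeApiKey(plaintext: string, now: number = Date.now()): boolean {
  const record = keysByDigest.get(digestKey(plaintext));
  if (!record || record.revokedAt !== null) return false;
  record.revokedAt = now;
  return true;
}

// Rotation issues the replacement before revoking the old key, so a client that
// swaps keys in between has no window where neither works.
export function rotateApiKey(plaintext: string, now: number = Date.now()): string | null {
  const record = keysByDigest.get(digestKey(plaintext));
  if (!record || record.revokedAt !== null) return null;
  const replacement = issueApiKey(record.orgId, now);
  record.revokedAt = now;
  return replacement;
}
```

A plain SHA-256 (rather than a slow password hash such as bcrypt or Argon2) is appropriate here only because the key is generated from 256 bits of CSPRNG output; a user-chosen secret would need the slow hash.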
Security Headers
All responses from Resume Tailor include the following HTTP security headers:
| Header | Value |
| --- | --- |
| Strict-Transport-Security | max-age=31536000; includeSubDomains |
| X-Frame-Options | DENY |
| X-Content-Type-Options | nosniff |
| X-XSS-Protection | 1; mode=block |
| Referrer-Policy | strict-origin-when-cross-origin |
| Permissions-Policy | camera=(), microphone=(), geolocation=() |
| Content-Security-Policy | default-src 'self'; frame-ancestors 'none'; … |
X-XSS-Protection is a legacy header that current Chromium- and Firefox-based browsers ignore; the Content-Security-Policy is the effective control against injected script, and its frame-ancestors 'none' directive is the modern equivalent of X-Frame-Options: DENY.
Audit Logging
Resume Tailor maintains a server-side audit trail for all privileged data access events. Logs are retained for 90 days and include actor ID, IP address, user agent, action type, and timestamp.
Logged events include: admin data access, API key creation/rotation/revocation, org member data access, resume exports, and account deletion.
Site administrators can query the audit log via a dedicated admin interface restricted to verified admin accounts.
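As an added example that is not part of Resume Tailor's code, here is the audit trail described above modelled end to end: events carrying the five promised fields (actor ID, IP address, user agent, action type, timestamp) for the listed event types, 90-day retention enforced on both write and read, and the admin query gated on a verified email that matches a hardcoded allowlist. The in-memory array, the action names, the `admin@example.com` allowlist entry and the function names are all assumptions made for this example.

```typescript
// Constructed in-memory audit store. (Assumption: in Upstash Redis the same shape
// maps to a sorted set scored by timestamp, with ZREMRANGEBYSCORE for expiry.)
export const RETENTION_MS = 90 * 24 * 60 * 60 * 1000;

// The event types listed on this page (names assumed).
export type AuditAction =
  | "admin.data_access"
  | "apikey.create"
  | "apikey.rotate"
  | "apikey.revoke"
  | "org.member_data_access"
  | "resume.export"
  | "account.delete";

export interface AuditEvent {
  actorId: string;
  ip: string;
  userAgent: string;
  action: AuditAction;
  timestamp: number; // ms since epoch
}

const events: AuditEvent[] = [];

// Write one event; refuse partial records so the trail never has blank actor/IP fields.
export function recordEvent(e: AuditEvent): void {
  for (const field of ["actorId", "ip", "userAgent", "action"] as const) {
    if (!e[field]) throw new Error(`audit event missing ${field}`);
  }
  events.push(e);
}

// Build an event from an incoming request. Behind a proxy such as Vercel's edge the
// client address arrives in X-Forwarded-For; the first entry is the client and later
// entries are proxies. Only trust this header when the edge in front of you sets it.
export function eventFromRequest(
  headers: Record<string, string | undefined>,
  actorId: string,
  action: AuditAction,
  now: number = Date.now(),
): AuditEvent {
  const forwarded = headers["x-forwarded-for"] ?? "";
  const ip = forwarded.split(",")[0].trim() || "unknown";
  const userAgent = headers["user-agent"] ?? "unknown";
  return { actorId, ip, userAgent, action, timestamp: now };
}

// Enforce the 90-day window. Returns the number of events removed.
export function pruneExpired(now: number = Date.now()): number {
  const cutoff = now - RETENTION_MS;
  const kept = events.filter((e) => e.timestamp >= cutoff);
  const removed = events.length - kept.length;
  events.length = 0;
  events.push(...kept);
  return removed;
}

export interface AuditQuery {
  actorId?: string;
  action?: AuditAction;
  since?: number;
  until?: number;
}

// Query newest-first. Pruning on read means an event past retention is never
// served even if the scheduled prune job has not run yet.
export function queryEvents(q: AuditQuery, now: number = Date.now()): AuditEvent[] {
  pruneExpired(now);
  return events
    .filter((e) => q.actorId === undefined || e.actorId === q.actorId)
    .filter((e) => q.action === undefined || e.action === q.action)
    .filter((e) => q.since === undefined || e.timestamp >= q.since)
    .filter((e) => q.until === undefined || e.timestamp <= q.until)
    .sort((a, b) => b.timestamp - a.timestamp);
}

// Hypothetical hardcoded allowlist standing in for the one the page describes.
export const ADMIN_ALLOWLIST: ReadonlySet<string> = new Set(["admin@example.com"]);

// Admin interface gate: the requester's address must be verified AND allowlisted.
// Returns null (not an empty list) when access is denied so callers cannot
// confuse "no events" with "not authorised".
export function queryAsAdmin(
  requester: { email: string; emailVerified: boolean },
  q: AuditQuery,
  now: number = Date.now(),
): AuditEvent[] | null {
  if (!requester.emailVerified) return null;
  if (!ADMIN_ALLOWLIST.has(requester.email.trim().toLowerCase())) return null;
  return queryEvents(q, now);
}
```

The verified-email check comes before the allowlist check on purpose: an attacker who registers the allowlisted address at the identity provider but never completes verification is rejected before the allowlist is even consulted.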
Data Retention
Incident Response
In the event of a confirmed data breach affecting personal information, Resume Tailor will:
- Notify affected users within 72 hours of discovery
- Provide a clear description of what data was affected
- Describe the steps taken to contain and remediate the incident
- Notify relevant authorities as required by applicable law (GDPR, CCPA)
Responsible Disclosure
If you have discovered a security vulnerability in Resume Tailor, please report it responsibly. Send a detailed report to security@resumetailor.ai. We will acknowledge your report within 48 hours and aim to resolve confirmed vulnerabilities within 30 days. We do not pursue legal action against researchers acting in good faith.
Enterprise & Compliance Requests
For enterprise customers requiring additional documentation — Data Processing Agreements, security questionnaires, custom DPA terms, or vendor assessment forms — please contact us.