Security

Built like the data matters.

Your resume is a long, honest record of your career. We treat it that way. This page details the controls we use; the privacy policy covers the rights you have.

Encryption: AES-256 at rest · TLS 1.3 in transit
SOC 2: In progress · audit complete Q3 2026
Disclosure program: Open · responsible disclosure
Incident response: Sub-hour · MTTR target for critical incidents

Six pillars

Security isn't a feature; it's the order in which we make decisions. Here's what that looks like in practice.

01 Encryption

  • TLS 1.3 in transit, AES-256-GCM at rest, on every layer of the stack.
  • Per-tenant encryption keys for resume content, rotated quarterly.
  • Database-level row encryption for personally identifying fields.

02 Access control

  • Production access is MFA-only, role-scoped, and short-lived (90-day max session).
  • All admin actions logged immutably. Audit trail searchable by support, reviewed weekly.
  • Engineers cannot read user resume content in production without break-glass approval and user consent.

03 AI processing

  • Inference via Anthropic and OpenAI under zero-retention agreements — your prompts and outputs are not stored on their side beyond the API call.
  • Your content is never used to train any model — ours, theirs, or anyone else's.
  • Optional EU-only inference path on Ultimate (Frankfurt region, no cross-Atlantic transit).

04 Infrastructure

  • AWS, multi-AZ in eu-central-1 (primary) and us-east-1 (replica).
  • Daily encrypted backups, 30-day retention, geographically separated.
  • Tested DR plan — quarterly recovery drills documented in our SOC 2 program.

05 Application security

  • OWASP Top 10 covered by code review, automated SAST (Semgrep), dependency scanning (Snyk), and quarterly external pentests.
  • Responsible disclosure is open to security researchers, with clear acknowledgement and triage windows.
  • Strict CSP, HSTS, SRI, and signed cookies. No third-party trackers on logged-in surfaces.

06 People & process

  • All staff sign a confidentiality agreement and complete annual security training.
  • Background checks for everyone with production access.
  • Incident response runbook with 15-minute paging, public postmortem within 5 business days for any user-affecting incident.

Compliance

Where we stand, plainly

No marketing-speak. If we're done, we say done. If we're working on it, we say what month.

SOC 2 Type II: In progress · audit complete Q3 2026
GDPR: Compliant — DPA available on request
UK GDPR: Compliant
CCPA / CPRA: Compliant
ISO 27001: Pre-assessment underway, certification target 2027
HIPAA: Out of scope — Apply Edge does not process health data

Disclosure

Found a vulnerability? Tell us.

We run a responsible disclosure program — no money, but we'll thank you publicly, fast. We acknowledge within 24h and triage valid reports within 5 days. Researchers who help us improve are listed at apply-edge.com/security/researchers.

Acknowledge: < 24h · median 4h on weekdays.
Triage: < 5 days · for valid reports.

PGP
PGP key coming soon — for now, send sensitive disclosures to security@apply-edge.com and we'll respond with a key on first contact.

Enterprise

Need a DPA, SOC 2 report, or custom data residency?

For employer accounts and bulk-seat plans. We also ship custom retention windows, SAML SSO, and audit log export.
