Built like the data matters.
Your resume is a long, honest record of your career. We treat it that way. This page details the controls we use; the privacy policy covers the rights you have.
Six pillars
Security isn't a feature; it's the order in which we make decisions. Here's what that looks like in practice.
Encryption
- TLS 1.3 in transit, AES-256-GCM at rest, on every layer of the stack.
- Per-tenant encryption keys for resume content, rotated quarterly.
- Database-level row encryption for personally-identifying fields.
Access control
- Production access is MFA-only, role-scoped, and short-lived (90-day max session).
- All admin actions logged immutably. Audit trail searchable by support, reviewed weekly.
- Engineers cannot read user resume content in production without break-glass approval and user consent.
AI processing
- Inference via Anthropic and OpenAI under zero-retention agreements — your prompts and outputs are not stored on their side beyond the API call.
- Your content is never used to train any model — ours, theirs, or anyone else's.
- Optional EU-only inference path on Ultimate (Frankfurt region, no cross-Atlantic transit).
Infrastructure
- AWS, multi-AZ in eu-central-1 (primary) and us-east-1 (replica).
- Daily encrypted backups, 30-day retention, geographically separated.
- Tested DR plan — quarterly recovery drills documented in our SOC 2 program.
Application security
- OWASP Top 10 covered by code review, automated SAST (Semgrep), dependency scanning (Snyk), and quarterly external pentests.
- Responsible disclosure is open to security researchers, with clear acknowledgement and triage windows.
- Strict CSP, HSTS, SRI, and signed cookies. No third-party trackers on logged-in surfaces.
People & process
- All staff sign a confidentiality agreement and complete annual security training.
- Background checks for everyone with production access.
- Incident response runbook with 15-minute paging, public postmortem within 5 business days for any user-affecting incident.
Where we stand, plainly
No marketing-speak. If we're done, we say done. If we're working on it, we say what month.
Found a vulnerability? Tell us.
We run a responsible disclosure program — no money, but we'll thank you publicly, fast. We acknowledge within 24h and triage valid reports within 5 days. Researchers who help us improve are listed at apply-edge.com/security/researchers.
Median response time: 4h on weekdays, for valid reports.
PGP key coming soon — for now, send sensitive disclosures to security@apply-edge.com and we'll respond with a key on first contact.
Need a DPA, SOC 2 report, or custom data residency?
For employer accounts and bulk-seat plans. We also ship custom retention windows, SAML SSO, and audit log export.