Your resume, our responsibility

• Encrypted at rest: AES-256 across every database we run. All customer data encrypted before storage.
• Encrypted in transit: TLS 1.3 on every request. HSTS preload for all connections.
• Isolated per user: Your data is scoped to you via user-scoped partition keys. Cross-user reads are structurally impossible.
• AI providers: Anthropic (primary) and OpenAI (fallback), both under zero-retention agreements. Your resume is never used to train any model.
• Minimum data: We send employers only what they need for the application—nothing more.
• EEOC isolation: Voluntary self-identification data is never sent to AI providers and remains in isolated, secure storage.

• Sell your resume or email to data brokers.
• Sell your resume or email to recruiters.
• Let a third-party model train on your data.
• Use browser bots to submit applications.
• Share your data with third parties beyond what's necessary for the service.
• Retain your data longer than necessary for the service or legal requirements.

• SOC 2 Type I: Planned for Q3 2026. We are preparing for independent audit to cover security, availability, and confidentiality.
• GDPR: Data subject access, portability, and deletion—all one click. Data Protection Officer at dpo@jobeezy.com.
• CCPA/CPRA: Request portal at /legal/ccpa/. We do not sell personal information.
• DPA for B2B: Data Processing Addendum available at /legal/dpa/ for enterprise customers.
• EEOC: Voluntary self-identification data handled in compliance with EEOC regulations. 7-year audit trail maintained.
• AWS certifications: Our cloud provider maintains ISO 27001, SOC 1/2/3, PCI DSS Level 1, and HIPAA certifications.

We use the following subprocessors to provide our service:

• Amazon Web Services (AWS): Cloud infrastructure, databases, storage, authentication (us-east-1 region)
• Anthropic: AI/ML services for resume tailoring and job matching (zero-retention agreement)
• OpenAI: Fallback AI/ML services (no-training API tier, zero-retention)
• Google Cloud Vertex AI: Additional AI/ML services for job matching
• Resend: Email delivery service
• Firebase: Push notification service
• AWS SNS: SMS notification service
• Sentry: Error monitoring and crash reporting
• Google Analytics 4: Website analytics
• PostHog: Product analytics
• Microsoft Clarity: Session recordings and heatmaps

All subprocessors are contractually bound to protect your data and use it only for the purposes specified. We notify customers of material changes to subprocessors at least 30 days in advance.

• Primary region: AWS us-east-1 (Northern Virginia, USA)
• Data transfers: Data may be transferred to and processed in countries other than your country of residence, including the United States and European Union.
• Safeguards: We ensure appropriate safeguards are in place for international data transfers, including Standard Contractual Clauses (SCCs) approved by the European Commission and compliance with the EU-U.S. Data Privacy Framework (if applicable).
• Enterprise options: Data residency options available for enterprise customers upon request.

Enterprise customers with a signed Data Processing Addendum (DPA) have the right to audit our compliance with the DPA, subject to reasonable notice and during business hours. Audits must be conducted by an independent third-party auditor agreed upon by both parties. We maintain documentation to demonstrate our compliance with applicable data protection laws.

No security incidents disclosed to date. If that ever changes, you'll see the disclosure here within 72 hours of detection in accordance with our incident response policy.

We run a private disclosure program for security researchers. Email security@jobeezy.com with details (PGP-encrypted preferred). We acknowledge within 24 hours and fix critical issues within 7 days. Public disclosure welcome after a fix ships.

PGP Key: Available on request at security@jobeezy.com