Trust & Security Center
Your resume, our responsibility
Every technical, legal, and operational decision that protects your data — spelled out, no jargon.
SSL / TLS 1.3
AES-256 Encrypted
AWS-Hosted (us-east-1)
SOC 2 In Progress
GDPR + CCPA
Privacy
Data we collect
- Account: email address, optional phone number.
- Profile: résumé (PDF or text you upload), work history, skills, location, salary expectations, job preferences.
- Usage: which jobs you viewed, applied to, or dismissed. Crash reports and performance events.
- Device: OS version, device model, app version (no precise GPS).
Data we do not collect
- Social Security Number or any government ID.
- Bank account or payment card details (handled by Stripe, never stored by us).
- Biometric data of any kind.
- Real-time location or persistent GPS tracking.
- Contacts list or calendar data.
- Background check data — we do not run checks; employers do.
Retention
| Data type | Retention period | Notes |
|---|---|---|
| Account + profile | Until account deletion | One-tap delete in app settings |
| Applied-to job history | 24 months after application | Required for dispute resolution |
| Résumé files (S3) | Until account deletion | AES-256 at rest, presigned URL access only |
| Crash / error logs | 30 days (Sentry) | No PII in log payloads by policy |
| Analytics events | 14 months (GA4 default) | IP anonymized |
| Server request logs | 90 days (CloudWatch) | IPs redacted after 30 days |
One-tap account deletion
Open the app → Profile → Settings → Delete account. All data is purged within 30 days per our Privacy Policy.
For DSARs (data subject access requests), use our CCPA/GDPR rights portal.
Security architecture
Encryption
- At rest: AES-256-GCM for all DynamoDB tables and S3 objects. AWS-managed keys (SSE-S3) with plans to migrate to customer-managed KMS keys as part of SOC 2 readiness.
- In transit: TLS 1.3 enforced on all CloudFront distributions and API Gateway endpoints. TLS 1.0/1.1 explicitly disabled.
- LLM calls: Anthropic (primary) and OpenAI (fallback) are contractually bound to zero data retention. Your résumé text is never stored on provider infrastructure and is never used for model training.
Authentication
- AWS Cognito User Pools with email + password. Hosted UI is not used — auth flows are native to the app.
- JWT access tokens (15-minute TTL) and refresh tokens (30-day TTL), stored in device secure storage (not AsyncStorage).
- Password requirements: 12+ characters, complexity enforced by Cognito.
- Rate-limiting on auth endpoints at API Gateway + WAF (2,000 req/5 min/IP).
- Multi-factor authentication via TOTP — available, not yet enforced for all accounts.
Infrastructure
- All compute runs on AWS Lambda (no always-on servers to patch).
- API Gateway + CloudFront + AWS WAF with 4 managed rule groups: CRS, KnownBadInputs, IpReputation, BotControl.
- Single-table DynamoDB design with per-user partition keys — no cross-user data leakage risk from query design.
- S3 résumé buckets: private, no public ACLs, presigned URL access only (15-minute expiry).
- IAM: least-privilege roles for every Lambda function. No wildcard resource policies.
- Secrets: AWS Secrets Manager + Parameter Store. No secrets in environment variables or code.
Monitoring and audit
- CloudWatch Synthetics: 3 canaries checking API health, site availability, and job search every 5 minutes.
- CloudWatch RUM for real-user performance monitoring.
- Sentry for crash and error tracking (PII scrubbing rules active).
- PostHog for product analytics (self-hosted events, no third-party data sharing).
- Structured JSON logging via structlog on every Lambda invocation.
- All DynamoDB mutations include
actor_id+timestampfor audit trail reconstruction.
Compliance
| Framework | Status | Details |
|---|---|---|
| SOC 2 Type I | In progress — targeting Q3 2026 | Using Vanta for continuous control monitoring. Security, Availability, and Confidentiality trust service criteria. |
| GDPR | Compliant (self-assessed) | Access, portability, deletion, and restriction rights — all available via rights portal and one-tap in-app delete. DPA available on request. |
| CCPA / CPRA | Compliant (self-assessed) | No sale of personal data. Opt-out link in footer. DSAR portal at /legal/ccpa/. |
| ADA / Section 508 | In progress | WCAG 2.1 AA target for the marketing site. Mobile app accessibility audit scheduled Q2 2026. |
Data Processing Agreement (DPA)
Enterprise customers and B2B integrations can request a signed DPA.
View our standard DPA template at /trust/dpa/.
Email legal@jobeezy.com to execute.
Subprocessors
The following third-party services process personal data on our behalf. We notify customers of material changes via our changelog and email at least 30 days in advance.
| Provider | Service | Region | Purpose |
|---|---|---|---|
| AWS SES | Email infrastructure | us-east-1 | Transactional email delivery |
| AWS Cognito | Identity & access | us-east-1 | User authentication and token management |
| Resend | Email delivery | US | Product notifications and status updates |
| Anthropic | AI / LLM | US | Résumé tailoring and job matching (zero-retention contract) |
| OpenAI | AI / LLM (fallback) | US | Fallback LLM (zero-retention contract) |
| PostHog | Product analytics | US | Feature usage and funnel analytics |
| Sentry | Error monitoring | US | Crash reporting and performance monitoring |
| Google Analytics 4 | Web analytics | US / EU | Marketing site analytics (IP anonymized) |
| Microsoft Clarity | UX analytics | US | Session recordings and heatmaps (marketing site only) |
Your data rights
- Access: Download everything we have about you — in-app and via the rights portal.
- Portability: Export your profile and application history as JSON or CSV.
- Correction: Edit any profile field at any time in the app.
- Deletion: One-tap account + data deletion. All data purged within 30 days.
- Restriction: Email privacy@jobeezy.com to restrict processing while a dispute is pending.
- Opt-out of sale: We never sell your data. See our Privacy Policy.
For DSAR requests, use /legal/ccpa/ or email privacy@jobeezy.com. We respond within 30 days (15 days for CCPA).
Vulnerability disclosure
We operate a responsible disclosure program. If you discover a security vulnerability:
- Email security@jobeezy.com with a description and reproduction steps.
- Include your name/handle if you'd like credit in our disclosure.
- We acknowledge reports within 72 hours and aim to resolve critical issues within 7 days.
- We do not pursue legal action against good-faith researchers following this process.
Our security.txt is published at /.well-known/security.txt per RFC 9116.
For the full policy, see /about/security/.
Found a security issue?
We take every report seriously. Response within 72 hours. Responsible researchers always get credit.
Get Jobeezy
If you trust us with your data, we'll put your résumé to work.
Free to start. No résumé writing. No cover letters. We handle the search, the filter, and the apply — you just say yes to interviews.
Free on iPhone, Android, and web. You can delete your account in one tap.