Compliance & Data Protection
Last Updated: March 2026
Overview
TailorMeSwiftly is operated by Tailored Services LLC. We build career technology used by individual job seekers and licensed by educational institutions. This page documents the specific technical and organizational controls we maintain, mapped to the compliance frameworks our institutional customers require.
We do not claim certifications we have not earned. Where we have implemented the underlying controls but have not yet undergone a third-party audit, we describe exactly what is in place so your security team can evaluate us directly.
SOC 2 Type II Alignment
TailorMeSwiftly has not yet completed a SOC 2 Type II audit. Our infrastructure provider, Supabase (hosted on AWS), maintains SOC 2 Type II certification for its platform. We have implemented controls aligned with the AICPA Trust Services Criteria across all five categories. The tables below map our controls to each criterion.
Security (CC6)
| Criterion | Control | Status |
|---|---|---|
| CC6.1 — Logical access | Authentication via Supabase Auth (OAuth 2.0 with Google/LinkedIn). JWT-based session tokens with automatic refresh. Admin access gated by app_metadata.role custom claim, verified server-side. | Implemented |
| CC6.1 — Encryption at rest | All database data encrypted at rest using AES-256 (Supabase PostgreSQL default on AWS EBS). | Implemented |
| CC6.1 — Encryption in transit | TLS 1.2+ enforced on all connections. HTTPS required for all pages (GitHub Pages SSL). HSTS headers set. Supabase connections use TLS 1.3. | Implemented |
| CC6.2 — Access provisioning | Row-Level Security (RLS) enforced on all Supabase tables. Users can only read/write their own rows. Service role keys used only in server-side edge functions, never exposed to the client. | Implemented |
| CC6.3 — Access removal | Account deletion cascades across 25+ tables via the delete-account edge function. Stripe subscriptions cancelled. Podcast audio files purged from storage. Auth record removed from Supabase Auth. | Implemented |
| CC6.6 — System boundaries | Content Security Policy (CSP) headers enforced on all pages. CORS whitelist restricted to tailormeswiftly.com and tailorthenews.com. Frame-ancestors restricted to 'self'. | Implemented |
| CC6.7 — Input validation | DOMPurify sanitization on all rendered HTML output. Safe redirect validation (_isSafeRedirect()) on auth flows. Rate limiting on AI endpoints (5/hr free, 60/hr premium). | Implemented |
Availability (CC7)
| Criterion | Control | Status |
|---|---|---|
| CC7.1 — Infrastructure monitoring | Supabase provides built-in monitoring for database, auth, and edge function health. Error logs stored in error_logs table for crash analysis. | Implemented |
| CC7.2 — Incident detection | Admin audit log table (admin_audit_log) records administrative actions. Security audit program conducted quarterly (most recent: March 2026, STRIDE/OWASP methodology). | Implemented |
| CC7.3 — Incident response | Documented incident response procedure. See Incident Response section below. | Implemented |
Processing Integrity (CC8)
| Criterion | Control | Status |
|---|---|---|
| CC8.1 — Processing accuracy | Client-side ATS keyword scoring processed locally (no server round-trip). AI-generated outputs clearly labeled as drafts requiring user review. Spaced repetition intervals calculated using the published SM-2 algorithm. | Implemented |
Confidentiality (CC9)
| Criterion | Control | Status |
|---|---|---|
| CC9.1 — Confidential data identification | Resume content, job descriptions, and learning progress classified as confidential user data. Processed transiently where possible (resume/JD text not permanently stored). Session storage cleared on tab close. | Implemented |
| CC9.2 — Confidential data disposal | Account deletion removes all user data across 25+ tables. Podcast audio purged from object storage. Supabase Auth record deleted. Stripe subscription records cancelled. | Implemented |
Privacy (P1-P8)
| Criterion | Control | Status |
|---|---|---|
| P1 — Privacy notice | Published Privacy Policy detailing all data collection, use, sharing, and retention practices. | Implemented |
| P2 — Consent | Cookie consent banner with granular opt-in for analytics and marketing cookies. Essential cookies (authentication) disclosed separately. | Implemented |
| P4 — Data minimization | Resume/JD text processed transiently. Client-side keyword scoring sends no data to servers. Chrome extension only activates on explicit user action. News interests are the only persistent preference data. | Implemented |
| P6 — Access and correction | Users can access, export, and delete their data from the Account page. Formal access request procedure available via admin@tailormeswiftly.com. See Data Access Requests. | Implemented |
| P8 — Third-party disclosure | Complete subprocessor list published on this page. Data Processing Agreement available for institutional customers. | Implemented |
FERPA Readiness
FERPA (Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g) governs the privacy of student education records at institutions receiving federal funding. FERPA compliance is an obligation of the educational institution, not the technology vendor. However, when an institution licenses TailorMeSwiftly under an institutional agreement, we function as a "school official" with a "legitimate educational interest" under 34 CFR § 99.31(a)(1)(i)(B), and we implement the following controls to support the institution's FERPA obligations.
FERPA-Protected Data in TailorMeSwiftly
When used under an institutional license, the following data categories constitute education records under FERPA:
- Student identity: Name, email address, profile picture (from OAuth provider)
- Resume and career documents: Resume text, cover letters, and tailored documents generated through the platform
- Learning records: Learning path progress, skill assessments, mastery levels, XP scores, spaced repetition review history, knowledge check results
- Career activity: Job applications tracked, interview prep history, ATS simulation results
- News briefing preferences: Selected interests and briefing engagement data
Technical Controls Supporting FERPA
| FERPA Requirement | TailorMeSwiftly Control |
|---|---|
| Limit access to those with legitimate educational interest | Row-Level Security (RLS) on all database tables ensures students can only access their own records. Admin access requires app_metadata.role verified server-side. No student data is visible to other students (community resources display only URLs/titles, not user identity). |
| Maintain records of access and disclosure | Admin audit log records all administrative data access. Supabase access logs track API-level access. Edge function logs available for institutional review upon request. |
| Right to inspect and review records | Students can view all their data through the platform UI (Account page, learning dashboard, application tracker). Institutions can request a data export for any student via the institutional admin contact. |
| Right to request amendment of records | Students can edit or delete their own data at any time. Account deletion cascades across all 25+ tables. Institutions can request amendments on behalf of students through the DPA contact. |
| No re-disclosure to third parties | Student data is never shared with employers, recruiters, or advertisers. Third-party AI processing (Google Gemini) is transient and governed by API terms prohibiting model training on submitted data. Complete subprocessor list published below. |
| Encryption of records | AES-256 encryption at rest (Supabase/AWS). TLS 1.2+ in transit. No unencrypted PII stored in client-side storage for institutional deployments. |
| Data retention and disposal | Institutional data retention governed by DPA terms. Default: data retained while account is active. Student self-service deletion available at any time. Institutional bulk deletion available upon license termination. |
Institutional Data Processing Agreement
Educational institutions licensing TailorMeSwiftly must execute a Data Processing Agreement (DPA) before student data is processed on the platform. The DPA covers:
- Designation of TailorMeSwiftly as a "school official" under FERPA
- Permitted uses of student education records
- Prohibition on re-disclosure
- Data retention and deletion obligations upon license termination
- Breach notification timeline (72 hours)
- Subprocessor disclosure and approval requirements
- Right to audit
To request a DPA or begin institutional onboarding, contact admin@tailormeswiftly.com.
Subprocessor List
The following third-party services process user data on behalf of TailorMeSwiftly. Institutional customers are notified of subprocessor changes via the DPA contact email with 30 days' advance notice.
| Subprocessor | Purpose | Data Processed | Location |
|---|---|---|---|
| Supabase (AWS) | Authentication, database, edge functions, file storage | All account and application data | US (AWS us-east-1) |
| Google Gemini API | AI text generation (resume tailoring, interview prep, learning paths, briefings) | Resume text, job descriptions, learning content (transient processing, not stored by Google under API terms) | US |
| Inworld AI | Text-to-speech for podcast briefings | Briefing text (converted to audio) | US |
| GNews API | News article retrieval | Interest keywords only (no PII) | EU |
| Resend | Email delivery (briefings and onboarding) | Email address, briefing content | US |
| Stripe | Payment processing | Payment card details (handled directly by Stripe, PCI DSS Level 1) | US |
| GitHub Pages | Static site hosting | No PII (static assets only) | US |
Incident Response
TailorMeSwiftly maintains the following incident response procedure for security events affecting user data.
Classification
- Severity 1 (Critical): Confirmed unauthorized access to user data, data exfiltration, or authentication bypass. Response: immediate investigation, affected systems isolated within 1 hour.
- Severity 2 (High): Vulnerability discovered that could lead to unauthorized access if exploited. Response: investigation within 4 hours, patch within 24 hours.
- Severity 3 (Medium): Security misconfiguration or policy violation without confirmed data exposure. Response: investigation within 24 hours, remediation within 72 hours.
- Severity 4 (Low): Informational finding or defense-in-depth improvement. Response: tracked and addressed in next security review cycle.
Notification Timeline
- Individual users: Notified within 72 hours of confirmed data breach via email.
- Institutional customers (institutional license): Notified within 24 hours of any Severity 1 or 2 incident affecting student data, per DPA terms. Institution's designated security contact receives initial notification with scope assessment, followed by a detailed incident report within 5 business days.
- Regulatory notification: State attorney general and/or HHS notified as required by applicable breach notification laws (NY SHIELD Act, FERPA, etc.).
Post-Incident
- Root cause analysis completed within 10 business days
- Remediation verified and documented
- Security audit program updated to include regression checks for the incident class
- Institutional customers receive a written post-incident report upon request
Security Contact
To report a security vulnerability or incident, contact admin@tailormeswiftly.com with the subject line "Security Report."
Data Retention Schedule
| Data Category | Retention Period | Deletion Method |
|---|---|---|
| Resume/JD text (input) | Transient (not permanently stored) | Cleared after AI processing completes |
| Generated outputs (tailored docs) | Browser session only | Cleared when browser tab closes (sessionStorage) |
| Account profile | Active account lifetime | Cascade deletion via delete-account function |
| News briefings | 90 days | Automatic database cleanup |
| Podcast audio files | Last 10 per user | Older files automatically purged from storage |
| Learning paths and progress | Active account lifetime | Cascade deletion via delete-account function |
| Application tracker data | Active account lifetime | Cascade deletion via delete-account function |
| Analytics events | Active account lifetime | Cascade deletion via delete-account function |
| Error/crash logs | Active account lifetime | Cascade deletion via delete-account function |
| Stripe payment records | Per Stripe's retention policy (7 years for tax/legal) | Managed by Stripe; TMS subscription record deleted on account deletion |
| Admin audit logs | 1 year minimum | Retained for compliance review; not deleted on individual account deletion |
Data Access Requests
Users and institutions may submit data access, correction, or deletion requests.
Individual Users
- Self-service access: View all your data through the Account page, learning dashboard, application tracker, and briefing history.
- Self-service deletion: Delete your entire account and all associated data from the Account page. Deletion is immediate and irreversible.
- Formal request: Email admin@tailormeswiftly.com with the subject line "Data Access Request." Include the email address associated with your account. We will respond within 30 days.
Institutional Requests (Institutional License)
- Student data export: Institutions may request a data export for students under their license. Contact the DPA-designated security contact.
- Bulk deletion on license termination: All student data associated with the institutional license is deleted within 30 days of license termination, per DPA terms.
- FERPA parent/guardian requests: Institutions should route parent/guardian record access requests through their own FERPA officer. We respond to the institution, not directly to parents/guardians.
Accessibility (Section 508 / WCAG 2.1 AA)
TailorMeSwiftly is designed to meet WCAG 2.1 Level AA standards. Federal grant recipients are required to comply with Section 508 of the Rehabilitation Act, and we build with this requirement in mind.
- Semantic HTML with ARIA landmarks and roles
- Skip-navigation links on all pages
- Keyboard-navigable interface
- Color contrast ratios meeting WCAG AA thresholds
- Form labels and error messages associated with inputs
- Alt text for meaningful images
If you encounter an accessibility barrier, contact admin@tailormeswiftly.com.
Compliance Documents
- Privacy Policy — Full data collection, use, and sharing disclosure
- Security Policy — Encryption, infrastructure, and technical security controls
- Terms & Conditions — Service agreement including institutional use terms
- Data Processing Agreement (DPA) — For institutional customers licensing TailorMeSwiftly under an institutional agreement
- HECVAT Lite — Higher Education Cloud Vendor Assessment Toolkit (Lite version)
- VPAT — WCAG 2.1 — Voluntary Product Accessibility Template documenting Section 508 / WCAG conformance