
Data Processing Agreement

Last Updated: March 2026

This is a reference version. Institutional customers execute this DPA as part of their institutional license agreement. To request a countersigned copy, contact admin@tailormeswiftly.com.

1. Parties and Scope

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller ("Institution"): The educational institution executing an institutional license agreement for TailorMeSwiftly.
  • Data Processor ("Processor" or "TMS"): Tailored Services LLC, operating TailorMeSwiftly.com.

This DPA applies to all processing of Student Data (as defined below) performed by TMS on behalf of the Institution under the institutional license agreement ("Agreement"). This DPA is incorporated into and forms part of the Agreement.

2. Definitions

  • "Student Data" means personally identifiable information from education records as defined under FERPA (20 U.S.C. § 1232g), including but not limited to: student name, email address, profile information, resume content, learning progress, skill assessments, application tracking data, and any other information directly related to a student that is maintained by or on behalf of the Institution through the Service.
  • "Education Records" has the meaning given in FERPA and its implementing regulations at 34 CFR Part 99.
  • "Service" means the TailorMeSwiftly platform as described in the Agreement.
  • "Security Incident" means any unauthorized access to, or acquisition of, Student Data that compromises the security, confidentiality, or integrity of the data.

3. FERPA Designation

The Institution designates TMS as a "school official" with a "legitimate educational interest" in Student Data, as permitted under 34 CFR § 99.31(a)(1)(i)(B). TMS is under the direct control of the Institution with respect to the use and maintenance of Education Records, and is subject to the requirements of 34 CFR § 99.33(a) governing the use and re-disclosure of personally identifiable information from Education Records.

4. Purpose and Permitted Use

TMS shall process Student Data solely to:

  1. Provide the Service as described in the Agreement (resume tailoring, interview preparation, learning paths, news briefings, and application tracking)
  2. Maintain and improve the technical infrastructure supporting the Service
  3. Comply with applicable law or valid legal process

TMS shall not:

  • Use Student Data for any purpose other than providing the Service
  • Sell, rent, or trade Student Data to any third party
  • Use Student Data for targeted advertising, marketing profiling, or behavioral analytics unrelated to the Service
  • Use Student Data to train machine learning models (third-party AI APIs are accessed under terms prohibiting training on submitted data)
  • Disclose Student Data to any third party except subprocessors listed in this DPA, or as required by law

5. Data Categories Processed

Category | Examples | Retention
Identity | Name, email, profile photo (from OAuth) | Account lifetime
Career documents | Resume text, cover letters, tailored outputs | Transient (session only)
Learning records | Skill assessments, mastery levels, XP, review history | Account lifetime
Career activity | Tracked applications, interview prep results | Account lifetime
Briefing data | News interests, reactions, podcast audio | 90 days / last 10 audio files

6. Security Measures

TMS implements the following technical and organizational measures to protect Student Data:

  • Encryption at rest: AES-256 encryption on all database storage (Supabase PostgreSQL on AWS EBS)
  • Encryption in transit: TLS 1.2+ on all connections; TLS 1.3 for database connections
  • Access control: Row-Level Security (RLS) on all database tables. Students access only their own records. Admin access requires server-verified role claims.
  • Authentication: OAuth 2.0 via Supabase Auth (Google/LinkedIn). JWT tokens with automatic refresh and expiration.
  • Input validation: DOMPurify HTML sanitization. Content Security Policy headers on all pages. CORS restricted to whitelisted origins.
  • Audit logging: Administrative actions logged to admin_audit_log table with timestamp, actor, and action details.
  • Vulnerability management: Quarterly security audits using STRIDE/OWASP methodology. Dependency scanning via npm audit. Most recent audit: March 2026.
  • Data deletion: Cascade deletion across 25+ tables. Stripe subscriptions cancelled. Storage objects purged. Auth records removed.

7. Subprocessors

The Institution authorizes TMS to engage the following subprocessors. TMS will notify the Institution at least 30 days before engaging a new subprocessor or materially changing the scope of an existing subprocessor's access to Student Data.

  • Supabase, Inc. (AWS us-east-1) — Authentication, database, edge functions, file storage
  • Google LLC (Gemini API) (US) — AI text generation; transient processing under API terms prohibiting model training
  • Inworld AI, Inc. (US) — Text-to-speech for podcast briefings
  • Resend, Inc. (US) — Email delivery for briefings and onboarding
  • Stripe, Inc. (US) — Payment processing (PCI DSS Level 1; no Student Data beyond subscription status)

If the Institution objects to a new subprocessor, the Institution may terminate the Agreement within 30 days of notification.

8. Security Incident Notification

TMS shall notify the Institution within 24 hours of becoming aware of a confirmed Security Incident affecting Student Data. The initial notification shall include:

  1. Nature and scope of the incident (data categories and approximate number of students affected)
  2. Measures taken or proposed to address the incident
  3. Contact information for follow-up

A detailed written incident report shall be provided within 5 business days of the initial notification, including root cause analysis and remediation plan. TMS shall cooperate with the Institution's incident response procedures and regulatory notification obligations.

9. Data Return and Deletion

Upon termination or expiration of the Agreement:

  1. TMS shall, at the Institution's election, return or delete all Student Data within 30 days.
  2. If the Institution requests data return, TMS shall provide Student Data in a standard machine-readable format (JSON or CSV).
  3. After return or deletion, TMS shall certify in writing that all Student Data has been destroyed, except as required by law or for legitimate audit purposes (e.g., admin audit logs retained for 1 year).
  4. Individual students retain the ability to self-delete their accounts at any time during the license term.

10. Right to Audit

The Institution may, upon 30 days' written notice, audit TMS's compliance with this DPA. Audits shall be conducted during normal business hours, no more than once per 12-month period (unless a Security Incident has occurred), and at the Institution's expense. TMS shall provide reasonable access to relevant systems, documentation, and personnel.

In lieu of an on-site audit, TMS may provide:

  • A copy of its most recent security audit report
  • Responses to a standardized security questionnaire (HECVAT, CAIQ, or equivalent)
  • Evidence of subprocessor compliance (e.g., Supabase SOC 2 Type II report)

11. Student Rights Under FERPA

TMS acknowledges that eligible students (or parents, if the student is a minor) have the following rights under FERPA, and TMS shall support the Institution in fulfilling these rights:

  • Right to inspect and review: Students can access all their data through the platform UI. The Institution may request a data export on behalf of a student.
  • Right to request amendment: Students can edit or delete their own records. Amendment requests that cannot be resolved through the UI should be directed to the Institution's FERPA officer, who may contact TMS for technical assistance.
  • Right to consent to disclosure: TMS does not disclose Student Data to third parties without the Institution's authorization, except to subprocessors listed in Section 7 and as required by law.

12. Prohibition on Re-Disclosure

TMS shall not disclose Student Data to any party other than the subprocessors listed in Section 7, except:

  • As directed by the Institution in writing
  • As required by a lawful court order or subpoena (TMS shall notify the Institution before disclosure unless prohibited by law)

TMS shall not permit its employees or contractors to access Student Data except as necessary to perform services under the Agreement. All personnel with access to Student Data are bound by confidentiality obligations.

13. Data Residency

Student Data is stored and processed in the United States (AWS us-east-1 region via Supabase). TMS does not transfer Student Data outside the United States without the Institution's prior written consent.

14. Term and Survival

This DPA remains in effect for the duration of the Agreement and survives termination with respect to obligations relating to data deletion (Section 9), incident notification (Section 8), and audit rights (Section 10), which survive for 1 year after termination.

15. Amendments

This DPA may be amended only by written agreement of both parties. TMS shall update this reference DPA on its website as compliance controls evolve, but material changes to executed DPAs require the Institution's written consent.

16. Contact

For DPA execution, security assessments, or data handling questions:

Tailored Services LLC
Attn: Data Protection
Email: admin@tailormeswiftly.com


© 2026 Tailored Services LLC