Higher Education Cloud Vendor Assessment

HECVAT Lite

Tailored Services LLC (DBA TailorMeSwiftly)

Date: March 2026

This document is a completed HECVAT Lite (Higher Education Cloud Vendor Assessment Toolkit) questionnaire for TailorMeSwiftly, an AI-powered career platform operated by Tailored Services LLC. It is intended for use by institutional procurement and information security teams evaluating our platform for campus deployment. For questions or to request supporting documentation, contact admin@tailormeswiftly.com.

1 Company Overview

Vendor legal name: Tailored Services LLC
DBA / product name: TailorMeSwiftly
Product URL: https://tailormeswiftly.com
Primary contact: admin@tailormeswiftly.com
Headquarters: United States
Year founded: 2025
Number of employees: 1 (solo founder)
Product description: AI career platform providing ATS resume optimization, adaptive learning pathways, personalized news briefings, interview preparation, and micro-credential issuance.
Does the product store, process, or transmit institutional data? Yes. Under an institutional license, the platform stores user profiles, resume content, learning progress, assessment results, and career readiness metrics. All data is encrypted at rest and in transit.
Deployment model: Multi-tenant SaaS (cloud-hosted). No on-premises option.

2 Documentation

Is a privacy policy publicly available? Yes. Privacy Policy
Is a security policy publicly available? Yes. Security Policy
Is a terms of service document publicly available? Yes. Terms & Conditions
Is a Data Processing Agreement (DPA) available? Yes. A DPA template is available for institutional customers. View DPA
Is an acceptable use policy documented? Yes, within the Terms & Conditions.
Is a subprocessor list maintained and available? Yes. Published in the Security Policy and DPA. Institutional customers receive 30-day advance notice of changes.
Is an incident response plan documented? Yes. Documented in the Security Policy with severity classifications and response timelines.
Is a business continuity / disaster recovery plan documented? Partially. Supabase (our infrastructure provider) maintains BC/DR plans with automated backups and point-in-time recovery. A vendor-level BC/DR plan specific to TailorMeSwiftly is in development. Planned

3 IT / Infrastructure

Where is the application hosted? Frontend: GitHub Pages (US). Backend: Supabase hosted on AWS (us-east-1, Virginia).
Is the hosting provider SOC 2 Type II certified? Yes. Supabase maintains SOC 2 Type II certification. AWS maintains SOC 1/2/3 certifications.
Is data stored exclusively within the United States? Yes. All primary data storage (Supabase/AWS us-east-1) and static hosting (GitHub Pages) are in the United States. Third-party API calls to Google Gemini and Inworld AI are processed in the US. GNews (EU) receives only interest keywords, not PII.
Describe the application architecture. Static single-page application served via GitHub Pages. Backend services (authentication, PostgreSQL database, Edge Functions, file storage) provided by Supabase. AI features use Google Gemini API via Supabase Edge Functions. Payments processed client-side via Stripe.js.
Is multi-tenancy used? How is tenant data isolated? Yes, multi-tenant. Tenant isolation is enforced at the database level through Supabase Row-Level Security (RLS) policies scoped by organization ID. Cross-organization data access is not possible, even at the API level.
What database technology is used? PostgreSQL (managed by Supabase on AWS).
Are backups performed? What is the retention period? Yes. Supabase performs daily automated backups with point-in-time recovery. Backup retention follows the Supabase plan tier (minimum 7 days).
Is there a CDN or WAF in front of the application? GitHub Pages uses Fastly CDN. Supabase API endpoints are fronted by a Kong API gateway. A dedicated WAF is not currently deployed. Planned
List all subprocessors that handle institutional data.
- Supabase, Inc. (AWS us-east-1) — Auth, database, edge functions, file storage. SOC 2 Type II.
- Google LLC (Gemini API) (US) — AI text generation. Transient; API terms prohibit training on submitted data.
- Inworld AI, Inc. (US) — Text-to-speech for podcast audio.
- GNews (EU) — News retrieval. Keywords only; no PII.
- Resend, Inc. (US) — Email delivery.
- Stripe, Inc. (US) — Payments. PCI DSS Level 1. No career data shared.
- GitHub (Microsoft) (US) — Static hosting. No PII processed.

4 Security Program

Does your organization have a formal information security program? Yes. Security controls are aligned with the AICPA Trust Services Criteria (SOC 2 framework) across all five categories: Security, Availability, Processing Integrity, Confidentiality, and Privacy.
Do you have a SOC 2 Type II report? Not yet. Controls are aligned with SOC 2 criteria, and our infrastructure provider (Supabase) holds SOC 2 Type II certification. A formal SOC 2 audit for TailorMeSwiftly is planned. Planned
Has a third-party penetration test been conducted? Not yet. Quarterly internal security audits are conducted using STRIDE threat modeling and OWASP Top 10 methodology. A formal third-party penetration test is planned. Planned
How often are security assessments conducted? Quarterly. The most recent audit (March 2026) covered all edge functions, authentication flows, CORS policies, CSP headers, and dependency vulnerabilities. All critical and high-severity findings were remediated.
Is there a risk management process? Yes. Risks are identified during quarterly STRIDE/OWASP audits, classified by severity, tracked in an internal registry, and remediated within defined timelines (critical: 24 hours, high: 7 days).
Are security responsibilities assigned to a specific individual? Yes. The founder serves as the designated security officer responsible for all security controls, audit remediation, and incident response.
Do you maintain security awareness training? Not applicable at current scale (single-person organization). Will be implemented as the team grows.
Do you carry cyber liability insurance? Not currently. Under evaluation. Planned

5 Data

What categories of data are collected? Authentication records (email, OAuth tokens), user profile (display name, avatar), resume and cover letter content, learning progress and XP scores, assessment results, career readiness metrics, news briefing preferences and reactions, payment status (via Stripe; no card data stored), and anonymous crash logs.
How is data classified? Data is classified as: Public (marketing content, published credentials), Internal (aggregated analytics), Confidential (user profiles, resume content, learning data), and Restricted (authentication secrets, API keys, student education records under FERPA).
Is data encrypted at rest? Yes. AES-256 encryption via Supabase/AWS EBS volume encryption. All database storage, backups, and file storage are encrypted at rest.
Is data encrypted in transit? Yes. TLS 1.2+ for all connections. Supabase enforces TLS 1.3 for database connections. All API endpoints and static assets are served over HTTPS.
What is the data retention policy?
- Resume/JD processing: Transient (not persisted beyond the active session unless saved by the user).
- News briefing content: 90 days.
- Podcast audio files: Last 10 per user; older files automatically purged.
- User profiles and saved documents: Retained for the lifetime of the active account.
- Deleted accounts: Full cascade deletion across 25+ tables. Data is permanently removed, not soft-deleted.
Can data be exported by the institution or user? Users can export their own data. Institutional data export capabilities for administrators are in development. Planned
What happens to data upon contract termination? Upon termination of an institutional agreement, all organization-scoped data is deleted within 30 days per DPA terms. A data export is provided before deletion upon request.
Is data shared with or sold to third parties? No. Data is never sold. Data is shared only with subprocessors listed in our Security Policy, strictly for service delivery purposes. AI API providers (Google Gemini) operate under terms that prohibit training on submitted data.

6 Access Control

What authentication methods are supported? OAuth 2.0 via Google and LinkedIn. Email/password with email verification. JWT-based session management via Supabase Auth.
Is multi-factor authentication (MFA) supported? MFA is inherited from the user's Google or LinkedIn identity provider. Native MFA within TailorMeSwiftly is not yet available. Planned
Is single sign-on (SSO) supported? OAuth 2.0 SSO via Google and LinkedIn is supported.
Is role-based access control (RBAC) implemented? Yes. Three roles: Admin (full organizational management), Staff (read-only access to participant metrics and Career Readiness Scores), and Participant (individual use). Roles are enforced at both the API and database (RLS) levels.
How is database access controlled? Row-Level Security (RLS) policies on all database tables. Users can only access data they are authorized to view based on their role, organization membership, and content ownership. All API requests are authenticated via Supabase JWT tokens validated on every request.
Is there administrative audit logging? Yes. Admin actions, consent events, and data access operations are logged with timestamps in dedicated audit tables.
How is vendor administrative access to production data controlled? Production database access is limited to the founder via authenticated Supabase dashboard and CLI with MFA-protected credentials. There are no shared admin accounts. Access is logged.

7 Vulnerability Management

Is there a vulnerability management program? Yes. Quarterly security audits using STRIDE threat modeling and OWASP Top 10 methodology. Dependency scanning via npm audit. CSP headers enforced on all pages.
How quickly are critical vulnerabilities remediated? Critical: within 24 hours. High: within 7 days. Medium: within 30 days. Low: next quarterly review cycle.
Are dependencies regularly updated? Yes. Supabase client libraries, AI SDK versions, and all npm dependencies are regularly audited and updated. Automated alerts via GitHub Dependabot.
What input validation is performed? All user-generated content is sanitized with DOMPurify before rendering. Server-side input validation on Edge Functions. Rate limiting on API endpoints. CORS whitelist restricts origins.
Are Content Security Policy (CSP) headers enforced? Yes. CSP headers are enforced on all pages, restricting script sources, style sources, connection endpoints, and frame sources to an explicit allowlist.
Has a penetration test been performed? A formal third-party penetration test has not yet been conducted. Internal STRIDE/OWASP audits are performed quarterly. Planned

8 Incident Response

Is there a documented incident response plan? Yes. Documented in the Security Policy with severity classifications and response timelines.
What are the incident severity levels and response times?
- Critical (active data breach, auth bypass): 1 hour initial response.
- High (vulnerability with exploit potential): 4 hour initial response.
- Medium (non-exploitable vulnerability): 24 hour initial response.
- Low (informational finding): next review cycle.
What is the breach notification timeline? Individual users: within 72 hours of confirmed breach. Institutional customers: within 24 hours per DPA terms. Regulatory authorities: as required by applicable law (NY SHIELD Act, FERPA).
Is root cause analysis performed after incidents? Yes. Root cause analysis is completed within 10 business days. Remediation is verified and documented. The security audit program is updated with regression checks.
How can security vulnerabilities be reported? Email admin@tailormeswiftly.com with the subject line "Security Report."

9 Privacy

Is a privacy policy published? Yes. Privacy Policy
Can users delete their accounts and all associated data? Yes. Account deletion triggers a cascade delete across 25+ database tables. All user data is permanently removed, not soft-deleted.
Is user consent obtained before data collection? Yes. Consent is obtained at account creation. Institutional data sharing requires an additional explicit consent event, which is recorded with a timestamp in an immutable audit trail.
Are cookies or tracking technologies used? Google Analytics (with cookie consent banner) and LinkedIn Insight Tag for conversion tracking. Analytics are loaded only after user consent. Local storage is used for UI preferences and session caching.
Is data used for AI model training? No. AI services (Google Gemini, Inworld AI) are accessed through paid API tiers whose terms explicitly prohibit using submitted data for model training.
Is peer review content anonymized? Yes. Resume submissions for peer review are automatically stripped of personally identifiable information (names, emails, phone numbers, physical addresses) before being shared with reviewers.
Does the platform comply with GDPR? The platform implements data subject rights (access, deletion, portability) consistent with GDPR principles. A formal GDPR compliance audit has not been conducted, as primary operations and data storage are US-based. Planned

10 Compliance

Is the platform FERPA-compliant? Yes, FERPA-ready. Under an institutional license with a signed DPA, TailorMeSwiftly acts as a school official with a legitimate educational interest. Controls include: RLS-enforced data isolation by organization, administrative audit logging, student data rights (access, correction, deletion), and 24-hour institutional breach notification.
How is FERPA compliance enforced technically? Row-Level Security policies scope all data queries by organization ID. Role-based access control restricts staff to read-only metrics. Consent events are logged immutably. Account deletion cascades across all tables. No student data is shared with third parties beyond contracted subprocessors.
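As an added illustration of the Row-Level Security model described in section 6 (tenant isolation by organization ID, three roles with Staff read-only) and in the FERPA answer above, here is a constructed PostgreSQL example; it is not the platform's own schema or policies. Table and column names are assumptions, and `auth.uid()` is Supabase's built-in helper returning the caller's JWT subject.

```sql
-- Constructed example schema; table and column names are assumptions.
create table organization_members (
  user_id uuid not null,              -- Supabase Auth user id (JWT subject)
  org_id  uuid not null,
  role    text not null check (role in ('admin', 'staff', 'participant')),
  primary key (user_id, org_id)
);

create table participant_metrics (
  id              bigserial primary key,
  org_id          uuid not null,
  owner_id        uuid not null,      -- the participant this row belongs to
  readiness_score integer not null
);

-- Caller's role inside one organization, or NULL when not a member.
-- security definer lets the lookup run regardless of RLS on the membership
-- table; search_path is pinned so the function cannot be redirected.
create or replace function current_org_role(target_org uuid)
returns text
language sql stable security definer
set search_path = public
as $$
  select role from organization_members
  where user_id = auth.uid() and org_id = target_org
$$;

-- With RLS enabled and no matching policy, a query simply returns no rows:
-- a row from another organization never satisfies any predicate below.
alter table participant_metrics enable row level security;

-- Read: participants see their own rows; staff and admins see their org.
create policy metrics_select on participant_metrics
  for select using (
    owner_id = auth.uid()
    or current_org_role(org_id) in ('admin', 'staff')
  );

-- Insert/update/delete: participants on their own rows, admins across the org.
-- Staff match no write policy, which is what makes their access read-only.
create policy metrics_insert on participant_metrics
  for insert with check (
    owner_id = auth.uid() or current_org_role(org_id) = 'admin');
create policy metrics_update on participant_metrics
  for update using (owner_id = auth.uid() or current_org_role(org_id) = 'admin')
  with check (owner_id = auth.uid() or current_org_role(org_id) = 'admin');
create policy metrics_delete on participant_metrics
  for delete using (owner_id = auth.uid() or current_org_role(org_id) = 'admin');
```

RLS must be enabled on every table the API role can reach, since a table with grants but no RLS is fully readable through the API. The WITH CHECK clauses also stop a writer from moving a row into an organization they do not administer.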
Is a Data Processing Agreement available for institutional customers? Yes. The DPA covers student data handling, breach notification timelines, subprocessor disclosure, audit rights, and data return/deletion upon termination.
Is there a SOC 2 Type II report available? Not yet for TailorMeSwiftly directly. Our infrastructure provider Supabase holds SOC 2 Type II. TailorMeSwiftly has implemented controls aligned with all five SOC 2 Trust Services Criteria. A formal audit is planned. Planned
Does the platform meet accessibility standards? The platform targets Section 508 and WCAG 2.1 AA compliance. Features include skip navigation, ARIA labels, semantic HTML, keyboard navigation, and screen reader support. A formal VPAT is in development. Planned
What legal jurisdiction governs the service? State of New York, United States. The platform complies with the NY SHIELD Act for data breach notification.
Is PCI DSS compliance maintained for payment processing? Payment processing is fully delegated to Stripe, which maintains PCI DSS Level 1 certification. TailorMeSwiftly never stores, processes, or transmits cardholder data. Payment information is sent directly from the user's browser to Stripe's servers.
Can the vendor provide references from higher education institutions? The platform is currently in pre-institutional-deployment phase. References will be available as institutional pilots begin. Contact admin@tailormeswiftly.com for current status.

Related Documentation: Security Policy | Privacy Policy | Compliance Center | Data Processing Agreement | Terms & Conditions


© 2026 Tailored Services LLC