Security & Data Storage Policy

At TailorMeSwiftly.com, we treat your career data with the highest level of security. This page outlines exactly how your information is stored, encrypted, and protected.

1. Encryption in Transit

All data transmitted between your device and our servers is strictly encrypted in transit. We use industry-standard HTTPS (TLS/SSL encryption) for every single network request. This ensures that your resume text, job descriptions, and user profile information cannot be intercepted by third parties while traveling across the internet.

2. Encryption at Rest (Cloud Storage)

Our backend infrastructure is powered by Supabase (built on PostgreSQL). All database data is encrypted at rest by default using strong AES-256 encryption.

When you create an account, the following information is securely stored in this encrypted database:

• Your authentication records (managed by Supabase Auth).
• Basic profile details (such as your display name or avatar).
• Copies of your generated resumes and cover letters, ensuring you can access your application history from any device.
• Learning roadmaps, skill gap analyses, study guide progress, and XP scores from Tailor My Learning.
• Anonymous crash logs to help us improve the application's stability.
• Outcomes tracking data (self-reported career outcomes, salary data), community posts, peer review submissions, assessment answers, and credential records.
• Employer company profiles and job postings.
• Curation logs and source diversity metrics for algorithmic transparency.

3. Local Browser Storage (Your Device)

To provide a snappy user experience and allow certain tools to work immediately without requiring an account, we rely heavily on your browser's local storage (localStorage).

• Cached Inputs: The last resume you pasted or uploaded is cached locally on your device so you don't have to re-upload it on your next visit. When using the Resume Merger, all uploaded resume sources are stored in your browser's session storage until the session ends or you start over.
• Preferences: Your UI preferences (such as Light Mode vs. Dark Mode) and custom AI tailoring instructions are saved directly to your browser.
• Stateless Tools: Some tools store their tracking data exclusively on your device unless you choose to create an account to sync them.

Security Tip: Because this data lives directly within your web browser, it is only as secure as the device you are using. If you are on a public or shared computer, we recommend signing out or clearing your browsing data after use.

4. Client-Side Processing

• Real-Time ATS Scoring: The live scoring feature in the resume editor extracts keywords from the job description and scores your resume entirely in your browser. No data is sent to our servers for this feature.
• Phrase Library Caching: AI-generated resume phrases are cached in your browser's session storage after initial generation. Cached data is cleared when you close your browser tab.

5. News Briefing & Podcast Data

• Briefing content (text, interests, sources, story reactions, and story thread data) is stored in our encrypted Supabase database, associated with your user ID. Row-level security policies ensure you can only access your own reactions and story threads.
• Podcast audio files are stored in Supabase Storage with public access URLs for RSS feed delivery. We retain the last 10 audio files per user; older files are automatically purged.
• RSS podcast feeds are served at user-specific URLs. These feeds contain your briefing audio and metadata but do not expose your email or account information.

6. Hosting & Infrastructure

Our site is hosted on GitHub Pages, which provides automatic SSL certificate provisioning and serves static assets over HTTPS. Deployments are triggered automatically from the main branch.

Backend services (authentication, database, edge functions, file storage) are managed by Supabase, hosted on AWS infrastructure with SOC 2 Type II compliance.

7. Payment Processing

All payment processing is handled by Stripe. We never see, store, or transmit your credit card number, CVV, or billing details. Payment information is sent directly from your browser to Stripe's PCI DSS Level 1 certified servers. We only receive a confirmation of your subscription status.

8. Third-Party AI Processing

We use third-party APIs strictly to process text and generate content:

• Google Gemini API: Generates tailored documents, interview prep, and news briefing summaries. API Terms.
• Inworld AI: Generates text-to-speech narration for podcast briefings. Terms.
• GNews API: Fetches publicly available news articles. No personal data is sent beyond your interest keywords.
• Resend: Delivers email briefings. Your email address is shared only for delivery purposes.

We access AI services through paid API tiers whose terms state that data submitted is not used to train their models.

9. Credential Verification & Integrity

Micro-credentials issued by TailorMeSwiftly are protected with SHA-256 verification hashes to ensure credential integrity. Each credential includes a unique hash that can be validated through our public verification page, confirming that the credential has not been tampered with since issuance.

10. User-Generated Content Security

• Content Sanitization: All user-generated content (discussion posts, replies, peer reviews, employer descriptions) is sanitized with DOMPurify before rendering to prevent cross-site scripting (XSS) attacks.
• Peer Review Anonymization: Resume submissions for peer review are automatically stripped of personally identifiable information (names, email addresses, phone numbers, physical addresses) before being shared with reviewers.
• Employer Verification: Verified employer profiles undergo manual review before receiving verified status. Verification indicates that the employer identity has been confirmed but does not constitute endorsement.

11. Row-Level Security

All database tables, including tables for outcomes tracking, cohort management, assessments, credentials, employer profiles, job postings, community discussions, peer reviews, and curation logs, are protected with Supabase Row-Level Security (RLS) policies. RLS ensures that users can only access data they are authorized to view based on their role and relationship (e.g., cohort membership, organization membership, or content ownership).

12. Institutional Readiness & Compliance

TailorMeSwiftly is designed to support institutional FERPA obligations when deployed under an institutional license with a signed Data Processing Agreement. Our infrastructure provider (Supabase, hosted on AWS) maintains SOC 2 Type II certification. We have implemented controls aligned with the AICPA Trust Services Criteria across all five categories, though TailorMeSwiftly itself has not yet undergone a formal SOC 2 audit. For a detailed mapping of our controls to SOC 2 criteria and FERPA requirements, see our Compliance Center.

Institutional data isolation is enforced at the database level through Supabase Row-Level Security (RLS) policies. Each organization's data is scoped by organization ID, ensuring that administrators and staff can only access participant data within their own institution. Cross-organization data access is not possible, even at the API level.

Access within an organization is governed by role-based access control (RBAC) with three roles: admin (full organizational management), staff (read-only access to participant metrics and Career Readiness Scores), and participant (individual use only). All API requests are authenticated via Supabase JWT tokens, which encode the user's identity and are validated on every request.

When a participant consents to organizational data sharing, the consent event is recorded with a timestamp in a dedicated audit trail. This consent record is immutable and available for institutional compliance review.

Institutional customers operate under a Data Processing Agreement (DPA) that governs student data handling, breach notification, subprocessor disclosure, and audit rights. To request a DPA or begin an institutional security assessment, contact admin@tailormeswiftly.com.

13. Subprocessors

The following third-party services process user data on behalf of TailorMeSwiftly:

• Supabase, Inc. (AWS us-east-1) — Authentication, database, edge functions, file storage. SOC 2 Type II certified.
• Google LLC (Gemini API) (US) — AI text generation. Transient processing; API terms prohibit model training on submitted data.
• Inworld AI, Inc. (US) — Text-to-speech for podcast audio.
• GNews (EU) — News article retrieval. Only interest keywords sent; no PII.
• Resend, Inc. (US) — Email delivery for briefings and onboarding.
• Stripe, Inc. (US) — Payment processing. PCI DSS Level 1. No resume or career data shared.
• GitHub (Microsoft) (US) — Static site hosting. No PII processed.
• Google APIs (Google Drive) (US) — Optional cloud export. File upload only using the restricted drive.file scope, which limits our access to files users save through TailorMeSwiftly. OAuth token is session-scoped; no server-side storage of credentials.
• Google Identity Services (US) — Sign-in authentication via Google's client-side identity library (accounts.google.com/gsi/client). The library is loaded on our sign-in, signup, and homepage pages to render Google's branded sign-in button and to support One Tap. The flow returns a short-lived ID token to the browser only; we exchange that token with Supabase to create a session and do not store it. Google may set cookies on its own domain during this flow.

Institutional customers are notified 30 days in advance of subprocessor changes, per DPA terms.

14. Incident Response

We maintain a documented incident response procedure for security events affecting user data:

• Detection & classification: Incidents classified by severity (Critical, High, Medium, Low) with defined response timelines from 1 hour (Critical) to next review cycle (Low).
• Notification: Individual users notified within 72 hours of a confirmed breach. Institutional customers notified within 24 hours per DPA terms. Regulatory authorities notified as required by applicable law (NY SHIELD Act, FERPA).
• Remediation: Root cause analysis within 10 business days. Remediation verified and documented. Security audit program updated with regression checks.

To report a security vulnerability: email admin@tailormeswiftly.com with the subject line "Security Report."

15. Security Audits & Updates

We conduct quarterly security audits using STRIDE threat modeling and OWASP Top 10 methodology. Our most recent audit (March 2026) covered all edge functions, authentication flows, CORS policies, CSP headers, and dependency vulnerabilities. All critical and high-severity findings were remediated.

We regularly audit our dependencies via npm audit, update our Supabase client libraries, and monitor our edge functions to ensure we are protected against the latest security vulnerabilities. Content Security Policy headers are enforced on all pages to mitigate XSS and injection attacks.