Security
Security at ApplyAI
Your resume and application data is sensitive. We take that responsibility seriously — with concrete technical controls, not marketing promises.
Security practices
How we protect your data
Transport encryption
All data in transit is encrypted with TLS 1.3. We enforce HTTPS across every surface — API endpoints, webhooks, and the dashboard.
Row Level Security
Supabase Row Level Security (RLS) is enabled on every table. Database policies ensure no user can read another user's data — even at the infrastructure level.
AI processing transparency
We disclose which AI providers process your content (resume text, job descriptions) and under what data processing agreements. Your data is not used to train third-party models.
Infrastructure security
Hosted on Vercel (edge CDN) and Supabase (SOC 2 Type II certified). Environment secrets are managed via platform vaults, never committed to source code.
Compliance
Regulatory standards
Personal Information Protection Law (China)
Full compliance with China's PIPL for users in mainland China. Explicit consent for AI processing, right to erasure, data minimization, and cross-border transfer notices.
General Data Protection Regulation (EU)
GDPR compliance for EU residents: lawful basis for processing, data subject rights, DPAs with all processors, and 72-hour breach notification.
SOC 2 Type II — in progress
We are working toward SOC 2 Type II certification. Current infrastructure partners (Supabase, Vercel) are SOC 2 Type II certified.
Data retention
Your data, your call
90 days after account deletion
After you delete your account, your data is fully purged from our systems within 90 days. The 90-day window guards against accidental deletion.
Immediate deletion on request
If you want your data deleted immediately without the 90-day window, email support@applyai.me and we'll process it within 24 hours.
Data is never sold
Our business model is subscriptions. Your data is not our product. No data is sold to third parties — for advertising, recruiting, or any other purpose.
Responsible disclosure
Found a vulnerability?
We appreciate security researchers who responsibly disclose vulnerabilities. If you've found one, please report it directly to us — do not publicly disclose or exploit access to user data.
Security email
security@applyai.me
Report privately
Email security@applyai.me with a clear description, reproduction steps, and impact assessment. PGP encryption available on request.
We acknowledge within 48h
We will confirm receipt, assess severity, and keep you updated on remediation progress.
90-day disclosure window
We ask for 90 days to investigate and patch before public disclosure. We will coordinate timing with you.
Third-party processors
Full processor disclosure
The following third-party vendors process user data. All vendors have signed Data Processing Agreements (DPAs).
| Vendor | Purpose | Region | Cert |
|---|---|---|---|
| Supabase | Database & authentication | US / EU | SOC 2 Type II |
| Vercel | Web hosting & edge delivery | Global CDN | ISO 27001 |
| OpenAI / Anthropic | AI content processing (resume & JD analysis) | US | SOC 2 Type II |
| Resend | Transactional email delivery | US | SOC 2 Type II |