Security & Data Protection
Last updated: July 3, 2026
Our commitment
A resume is one of the most personal documents a person owns — it is a career, in full, on one page. We treat every resume on Resume Annex accordingly. This page describes, in plain language, how your data is protected, who processes it, and the rights you have over it.
Encryption
- At rest: resume files are stored in Amazon S3 with AES-256 server-side encryption.
- In transit: all traffic between your browser, our services, and our providers is encrypted with TLS.
- Payments: handled entirely by Stripe. Card numbers never touch Resume Annex servers.
Access control
- Authentication is handled by Supabase Auth, with Google and LinkedIn OAuth sign-in. Multi-factor authentication is available in account settings.
- Customer data tables are protected with row-level security: your records are readable by you, not by other users.
- Resume files are served through short-lived pre-signed URLs — there are no public file links.
How your resume data is used
- Your resume is processed to deliver the service you asked for — diagnosis, optimization, job matching, and the related reports. That is the job; there is no side business in your individual data.
- We never share or expose an individual’s resume data. Aggregate workforce insights are only ever built from anonymized data, and only from users who explicitly opted in. Opt-out is available in settings at any time.
- AI processing is performed by Anthropic’s Claude under commercial API terms — API inputs are not used to train Anthropic’s models.
Your rights (GDPR & CCPA)
- Deletion: you can delete your account and data. Deletion is functional today — not a support ticket that goes into a queue.
- Export: you can request a copy of your data.
- Correction and access: your profile and documents are editable and downloadable in-app.
For any data request, email support@resumeannex.ai.
Subprocessors
We use a small set of well-established providers to run the service. Each processes data only for the purpose listed.
| Provider | Purpose | Location |
|---|---|---|
| Amazon Web Services (S3) | Encrypted resume file storage | United States |
| Supabase | Database and authentication | United States |
| Anthropic | AI analysis and optimization (Claude) | United States |
| Stripe | Payment processing | United States |
| Vercel | Web application hosting | United States |
| Railway | API hosting | United States |
| Resend | Transactional email delivery | United States |
| Cloudflare | DNS, CDN, and email routing | Global edge network |
| PostHog | Product analytics | United States |
| Sentry | Error monitoring | United States |
For employers & teams
- A Data Processing Agreement (DPA) is available on request for team and outplacement engagements.
- Employer reporting is aggregate-only: organizations see seats activated and overall usage — never an individual employee’s resume, diagnosis, or job search activity.
Evaluating Resume Annex for your organization? See Outplacement and Teams, or email support@resumeannex.ai with your security questionnaire.
Reporting a vulnerability
If you believe you’ve found a security issue, email support@resumeannex.ai with the details. Reports go directly to the founder and are acknowledged within one business day. We ask for reasonable disclosure time and will credit good-faith researchers who want it.
A note on certifications: Resume Annex is an early-stage product and we would rather tell you exactly what we do than rent a badge. This page is the honest, current state of our security posture. If your procurement process requires specific attestations, email us — we’ll give you a straight answer on what we have and what we’d need to add.