Security & Privacy Overview
Learn about PassTheScan's comprehensive security practices, data handling procedures, and privacy protections designed for professional resume data.
Our Security Commitment
At PassTheScan, we understand the sensitive nature of resume data and career information. Our security practices align with SOC 2 Type II controls, and we are working toward formal certification to provide enterprise-grade protection for your professional data.
We implement multiple layers of security to protect your information throughout the entire optimization process, from upload to deletion.
Data Security
Encryption at Rest
All resume files and personal data are encrypted using AES-256 encryption when stored in our database systems. Only authorized systems can decrypt your information.
Encryption in Transit
All data transmission uses TLS 1.3 encryption, ensuring your resume and personal information are protected during upload, processing, and download.
Access Controls
Strict role-based access controls ensure only authorized personnel can access systems. All access is logged and monitored for security compliance.
Security Monitoring
Continuous monitoring systems track all data access, system changes, and potential security threats with real-time alerting.
Privacy Practices
Data Collection & Usage
- What We Collect: Resume files, job descriptions, email addresses, and payment information
- Why We Collect: To provide AI-powered resume optimization and deliver results
- How We Use: Only for analysis, optimization, and service delivery - never for marketing or sales
Automatic Data Deletion
Your resume and personal data are automatically cleaned up at the end of your service tier's access period. This includes all uploaded files, analysis results, and processed data.
You can also request immediate deletion by contacting our support team at any time.
Compliance & Standards
SOC 2 Type II Alignment
Our security practices align with SOC 2 Type II controls for security, availability, processing integrity, confidentiality, and privacy. We are pursuing formal certification.
GDPR Compliance
We follow GDPR principles for EU users, including data minimization, purpose limitation, and user rights for access, correction, and deletion.
CCPA Compliance
California users have the right to know what personal information is collected, to request its deletion, and to opt out of the sale of personal information (though we never sell personal information).
Third-Party Vendors
We carefully select security-conscious vendors who meet our data protection standards:
| Vendor | Purpose | Data Access | Certification |
|---|---|---|---|
| Anthropic | AI Analysis | Resume content, job descriptions | SOC 2 Type II |
| Supabase | Database | User accounts, resume metadata | SOC 2 Type II |
| Stripe | Payment Processing | Billing information | PCI DSS Level 1 |
| Vercel | Hosting | Application logs, performance data | SOC 2 Type II |
| Resend | Email Delivery | Email addresses, notifications | SOC 2 Type II |
Contact & Transparency
Security Questions & Reporting
Contact support to request immediate data deletion; otherwise, your data is automatically removed at the end of your service tier's access period.
Last updated: August 27, 2025
This page provides an overview of our security practices. For complete legal terms, see our Privacy Policy and Terms of Service.