SECURITY
Security Without Compromise
Your resume contains your career history, contact information, and employment details. We protect it with enterprise-grade encryption, SOC 2 compliant infrastructure, and strict per-user data isolation.
DEFENSE IN DEPTH
Protection across every layer
Multiple overlapping security controls, so that the failure of any single control does not expose your data.
Encryption
All data is encrypted in transit (TLS 1.3) and at rest (AES-256). Database connections are encrypted with TLS. Encryption keys are rotated regularly and managed through a dedicated key management service.
Authentication
Secure authentication via Supabase Auth with bcrypt password hashing, JWT session tokens with short expiry, and support for OAuth providers. Sessions are invalidated on password change.
Access Controls
Row Level Security (RLS) enforced at the database layer ensures users can only access their own data. API routes validate session tokens and enforce authorization on every request.
Data Isolation
Each user's data is logically isolated through row-level policies. Resume content, enhancement history, and personal data are never accessible across accounts, even if an application-level vulnerability mis-scopes a query: the database itself rejects the access. This guarantee depends on every query running under the user's own authenticated session rather than under a privileged database role that bypasses row-level policies.
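Here is what row-level isolation of this kind looks like in practice, as an added example and not Swiff It's own schema or policies: a stand-alone PostgreSQL script that models the Supabase pattern. The auth.uid() function below is a stand-in for Supabase's, which reads the verified JWT's sub claim from a per-connection setting; the table, column, role and claim-setting names are assumptions.

```sql
-- Added example, not Swiff It's schema: a minimal Row Level Security setup in
-- plain PostgreSQL (14+) that mirrors the Supabase pattern. Table, column and
-- role names are assumptions. Run with psql as a superuser on a scratch database.

-- Stand-in for Supabase's auth.uid(): reads the "sub" claim that the API layer
-- attaches to the connection after it has validated the session JWT.
create schema if not exists auth;
create or replace function auth.uid() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'sub')::uuid
$$;

create table resumes (
  id       uuid primary key default gen_random_uuid(),
  owner_id uuid not null,
  content  text not null
);

-- Enable RLS and FORCE it so the table owner is bound by the policies too.
-- Superusers and roles with BYPASSRLS (e.g. a service key) still skip them.
alter table resumes enable row level security;
alter table resumes force row level security;

-- One policy per command. USING filters the rows a user can see or touch;
-- WITH CHECK guards writes so nobody can create or move a row onto another owner_id.
create policy resumes_select_own on resumes
  for select using (owner_id = auth.uid());
create policy resumes_insert_own on resumes
  for insert with check (owner_id = auth.uid());
create policy resumes_update_own on resumes
  for update using (owner_id = auth.uid()) with check (owner_id = auth.uid());
create policy resumes_delete_own on resumes
  for delete using (owner_id = auth.uid());

-- Unprivileged role the application connects as, comparable to Supabase's "authenticated".
create role app_user nologin;
grant usage on schema auth to app_user;
grant execute on function auth.uid() to app_user;
grant select, insert, update, delete on resumes to app_user;

-- Constructed sample data: one row each for two users.
insert into resumes (owner_id, content) values
  ('11111111-1111-1111-1111-111111111111', 'Alice resume'),
  ('22222222-2222-2222-2222-222222222222', 'Bob resume');

-- Simulate requests arriving through the application role.
begin;
set local role app_user;
select count(*) from resumes;                     -- 0: no claim set, so the policy fails closed
set local request.jwt.claims = '{"sub":"11111111-1111-1111-1111-111111111111"}';
select content from resumes;                      -- only 'Alice resume'
update resumes set content = 'tampered' where content = 'Bob resume';  -- UPDATE 0: Bob's row is invisible
insert into resumes (owner_id, content)           -- rejected by the WITH CHECK policy
  values ('22222222-2222-2222-2222-222222222222', 'forged');
rollback;
```

Two details matter for the "even under an application bug" claim. First, a missing or malformed claim makes auth.uid() NULL, and NULL = owner_id is never true, so an unauthenticated request sees nothing rather than everything. Second, the policies only bind roles that are subject to RLS: if application code ever connects with a superuser or BYPASSRLS credential (Supabase's service role key, for instance), every policy here is skipped, which is why the session token, not a shared service key, has to reach the database on user-facing paths.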
Network Security
Application deployed on Vercel's edge network with automatic DDoS protection, WAF rules, and TLS termination. Database hosted on Supabase with network-level isolation and connection pooling via PgBouncer.
Infrastructure
Built on SOC 2 compliant infrastructure (Vercel + Supabase). Automated deployments with immutable builds. No SSH access to production. All secrets managed through encrypted environment variables.
Secure Development
All database access uses parameterized queries, which prevents SQL injection. Input is validated and sanitized on all user-facing endpoints. Responses carry Content Security Policy headers. Dependencies are audited regularly for known vulnerabilities.
Vulnerability Management
Automated dependency scanning for CVEs. Security patches applied within 48 hours of disclosure. Responsible disclosure program for external researchers. Regular security review of authentication and authorization flows.
DATA LIFECYCLE
What happens to your data
Full transparency into how your resume data is handled at every stage.
Upload
Your resume is transmitted over TLS 1.3. The original file is stored in encrypted cloud storage with per-user isolation. Text is extracted and structured data is persisted to the database for processing.
Processing
Resume content is sent to Anthropic's Claude API over an encrypted connection. Anthropic does not use data sent through its API to train models, and retains it only for the limited period its commercial terms allow. Processing results are returned to our server and saved to your account.
Storage
Original files are stored in encrypted cloud storage with per-user isolation. Enhanced resumes, scores, and metadata are stored in a Supabase PostgreSQL database with AES-256 encryption at rest. Row Level Security ensures only your authenticated session can access your data.
Deletion
One-click account deletion in Settings permanently removes all your data — resumes, uploaded files, enhancements, diagnostics, and personal information — within 30 days. Deletion is irreversible.
AI INTEGRITY
Responsible AI, by design
Your resume is too important for hallucinations. Here's how we ensure AI accuracy.
No Fabrication Guarantee
Swiff It never invents credentials, job titles, employment dates, companies, or metrics. The AI enhances how your real experience is presented — it does not create fictional experience.
Confidence Flagging
Every AI change is tagged with a confidence level: High (safe to accept), Medium (minor review recommended), or Verify (AI inferred something you should confirm). You always know what changed and why.
No Training on Your Data
Your resume content is never used to train AI models — not by us, and not by our AI provider. Anthropic's API terms explicitly prohibit training on customer data sent through their API.
YOUR RIGHTS
You own your data. Period.
Export all your data at any time from Settings
One-click permanent deletion, completed within 30 days, after which nothing is retained
We never sell or monetize your data; it is shared only with the AI provider that processes your request, as described under Data Lifecycle
We never claim ownership over content you upload or generate
Enhancement history retained only as long as your account exists
GDPR-compliant data handling for all users, regardless of location
RESPONSIBLE DISCLOSURE
Report a vulnerability
We take security vulnerabilities seriously. If you believe you've found a security issue in Swiff It, please report it responsibly. We ask that you:
- Email your findings to security@swiff.it
- Include steps to reproduce the vulnerability
- Allow reasonable time for us to investigate and patch before public disclosure
- Do not access or modify other users' data during testing
Contact us at security@swiff.it — we aim to acknowledge reports within 24 hours and resolve critical issues within 72 hours.