Skip to content
ATSPal
Sign in Start free trial
Security & Data Privacy

Resumes are sensitive. We treat them that way.

Three commitments that don't move: your data is isolated, resumes are never shared, and you can delete everything on request. No marketing footnotes, no asterisks.

Three commitments

The promises that don't move.

Your data is isolated

Each organization's data lives in its own encrypted partition. Only your account can read it, nobody else's account, no operations team browsing in the background.

Resumes are never shared

Not with third parties, not for any kind of model training, not for analytics, not for benchmarking. The only place a resume goes is your analysis.

You can delete everything

On request, all of your data, resumes, analyses, scores, account record, is permanently deleted. We confirm in writing within five business days.

The details

What "secure" means in practice.

No vague language. Just what we do.

Encryption at rest
All resumes and analysis records are stored on encrypted Google Cloud Storage with AES-256. Encryption is managed by Google Cloud and applied to every file by default.
Encryption in transit
All traffic between your browser, our service, and storage is over TLS 1.2+. We don't allow plain-HTTP connections.
Tenant isolation
Multi-tenant by design, isolated by tenant ID at the access-control layer. Your queries can only return your records, enforced server-side, not just hidden in the UI.
Authentication
Email + password with strong password requirements, plus optional SSO (SAML 2.0 / OIDC) on Enterprise. All access requires re-authentication on session expiry.
Data residency
Default region is US (Google Cloud us-central1). Enterprise customers can request EU or Canada residency under their DPA.
Backups
Encrypted daily backups with point-in-time recovery for 30 days. Backups are kept inside the same residency region as your live data.
Retention & deletion
Resumes are retained as long as you keep the analysis. Deleting an analysis purges the resumes immediately; backups roll off within 30 days. Account-level deletion on request is permanent.
No training, no sharing
We do not use customer resumes to train any model. We do not share resumes, analyses, or any candidate data with third parties for marketing or benchmarking, ever.
Subprocessors
We use a small set of vetted infrastructure providers (Google Cloud for storage and compute; Stripe for billing on paid plans; an email provider for transactional mail). The current list is available on request and will be published before any change.
Access controls (internal)
Production data access requires named approval, is logged, and is granted only for explicit support cases you've opened. There is no "just-browsing" path to your data.
Incident response
If a security incident affects your data, we notify you in writing within 72 hours with a description, scope, and remediation plan.
Compliance posture
We follow GDPR principles for data minimization, access, and deletion. Enterprise contracts can include a Data Processing Addendum (DPA). Formal SOC 2 / ISO 27001 attestations are on our roadmap; reach out for our current security questionnaire.

One honest line: we're a young company. We don't claim certifications we don't have. What we do have is a clear policy, a clean architecture, and the willingness to put it in writing for you.

Need a security review or DPA?

Send your questionnaire, your DPA template, or just a list of questions. We'll respond within two business days.

Email [email protected]