
Security at RecastCV

Your master CV contains some of the most sensitive professional information you have. We take that seriously. This page explains how RecastCV stores, processes, and protects your data.

Infrastructure: Supabase on PostgreSQL

All RecastCV data — your account, master CV, project library, tailored CV outputs, and application history — is stored in Supabase, a managed PostgreSQL platform. We run in Supabase’s EU region (Frankfurt, Germany). Your data never leaves the EU except when it is temporarily processed by Anthropic for CV tailoring (see the AI processing section below).

Supabase is built on top of AWS infrastructure. AWS Frankfurt (eu-central-1) is ISO 27001, SOC 2 Type II, and PCI DSS Level 1 certified. Supabase itself holds SOC 2 Type II compliance.

Data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. All connections between the RecastCV application and Supabase use encrypted channels. Your browser connection to RecastCV is enforced over HTTPS.

Row-level security

One of the most important security properties of our database architecture is row-level security (RLS), enforced by PostgreSQL itself. Every query that runs under a user's session is filtered by policies that compare each row's owner to the identity in that user's JWT. So even if a bug in RecastCV's application code issued an over-broad query, the database would still return only the rows that belong to the authenticated user making the request. The one code path not subject to these policies is the service role used for the administrative operations described below, which is why that key is kept strictly server-side.

RLS policies are defined on every table that contains user data. They use Supabase’s JWT-based authentication to verify identity at the database level — not just at the API level. This approach means your CVs, applications, and project entries are structurally isolated from every other user’s data, not just logically.

Administrative operations that require elevated access — such as crediting accounts after a successful payment — use a service role key that is never exposed to the client or to any public-facing endpoint. The service role key lives only in server-side environment variables.
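As an added illustration (this is not RecastCV's own schema or policies), the SQL below shows what JWT-keyed RLS looks like for a hypothetical master_cvs table: the policies are scoped to the authenticated role, compare each row's user_id against auth.uid(), and a console check impersonates a user the same way PostgREST does for a request. The table and column names and the UUIDs are assumed.

```sql
-- Added example, not RecastCV's own schema: a master_cvs table (assumed name
-- and columns) with RLS policies keyed to the Supabase JWT.
create table if not exists public.master_cvs (
  id         uuid primary key default gen_random_uuid(),
  user_id    uuid not null references auth.users (id) on delete cascade,
  content    text not null,
  updated_at timestamptz not null default now()
);

-- Supabase grants this by default for tables in public; shown explicitly here
-- so the example also works on a plain PostgreSQL instance.
grant select, insert, update, delete on public.master_cvs to authenticated;

-- With RLS enabled and no policies yet, the table is deny-by-default for every
-- role except those with BYPASSRLS (in Supabase, that is service_role).
alter table public.master_cvs enable row level security;

-- auth.uid() returns the `sub` claim of the JWT that PostgREST attaches to the
-- connection, so the ownership check is made by PostgreSQL, not by app code.
-- Wrapping it in (select ...) lets the planner evaluate it once per query.
-- Scoping policies `to authenticated` means the anon role matches nothing.
create policy "select own cvs" on public.master_cvs
  for select to authenticated
  using (user_id = (select auth.uid()));

create policy "insert own cvs" on public.master_cvs
  for insert to authenticated
  with check (user_id = (select auth.uid()));

create policy "update own cvs" on public.master_cvs
  for update to authenticated
  using (user_id = (select auth.uid()))
  with check (user_id = (select auth.uid()));

create policy "delete own cvs" on public.master_cvs
  for delete to authenticated
  using (user_id = (select auth.uid()));

-- Verification from a SQL console: take on the role and JWT claims exactly as
-- PostgREST does for a request, then confirm that an over-broad query still
-- returns only that user's rows. Both UUIDs are made-up sample values.
begin;
  set local role authenticated;
  select set_config('request.jwt.claims',
    '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}',
    true);
  -- No WHERE clause, yet the policy filters to user_id = 1111...
  select id, user_id from public.master_cvs;
  -- Writing a row on behalf of another user fails the WITH CHECK clause with
  -- "new row violates row-level security policy".
  insert into public.master_cvs (user_id, content)
    values ('22222222-2222-2222-2222-222222222222', 'not mine');
rollback;
```

The console check is worth keeping as a regression test: run it as each role your app uses (anon, authenticated, and the service role) and confirm that only the service role sees every row.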

Authentication

RecastCV uses Supabase Auth for identity management. We support two sign-in methods: magic-link (a one-time sign-in link sent to your email) and email/password. We do not support OAuth sign-in with third-party providers at this time.

Sessions are managed using cookie-based, server-side session tokens via Supabase's SSR adapter. This is more secure than storing JWTs in localStorage (the common alternative) because session cookies are not readable by JavaScript running on the page. Session cookies carry the HttpOnly and Secure attributes, so client-side scripts cannot read or modify them and they are only ever transmitted over HTTPS.

Session tokens are refreshed automatically on every request by a Next.js middleware layer. If a session has expired or been invalidated, the request is treated as unauthenticated and redirected to the login page; authenticated routes are not reachable without a valid session.

Payments: Stripe PCI handling

Payment processing for credit purchases is handled entirely by Stripe. RecastCV never receives, sees, or stores your card number, expiry date, CVV, or billing address. That data goes directly from your browser to Stripe’s servers and never passes through RecastCV infrastructure.

Stripe is certified to PCI DSS Level 1, the highest level of payment card industry compliance. After a successful checkout, Stripe sends a webhook to RecastCV containing only the transaction amount, a session identifier, and a customer reference. We use this to credit your account.

Webhooks are verified using the Stripe-Signature header, an HMAC-SHA256 computed by Stripe over the raw request body with our registered webhook signing secret. We reject any webhook whose signature does not verify, which prevents spoofed credit events. A replay of a genuine, correctly signed event is handled separately: the credit ledger's unique constraint on Stripe event IDs (see the credit ledger section below) ensures it cannot grant credit twice.

AI processing: Anthropic API

When you request a tailored CV, RecastCV sends your master CV content and the job description text to Anthropic’s Claude API. This is the core AI processing step that generates the tailored output.

Under Anthropic's standard commercial API terms, inputs and outputs from the API are not used to train Anthropic's models. Your CV content is sent to Anthropic for inference only and is retained by Anthropic only for the limited period those terms specify. We recommend reviewing Anthropic's privacy policy and commercial terms directly for the current retention details.

We do not send your data to any other AI provider. We do not use your CV content to train our own models.

Credit ledger: append-only audit trail

Every credit transaction — whether from a sign-up bonus, a purchased credit pack, or a CV tailoring operation that consumed a credit — is recorded in an append-only credit ledger table in the database. This table can only have rows inserted; no rows can be updated or deleted.

The credit balance visible in your account is derived from the sum of ledger entries, not from a single mutable field that could be manipulated. This architecture means there is always a complete, auditable record of how every credit was acquired and spent.

Stripe event IDs are stored alongside each purchase ledger entry and are unique-constrained, which prevents duplicate credit grants from replayed webhook events.
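The following SQL is an added example (not RecastCV's actual schema) of the ledger design described in this section and the replay-resistant crediting described under Payments: an append-only table enforced by a trigger rather than by convention, a unique constraint on the Stripe event ID that makes the purchase insert idempotent, and a balance view derived from the ledger. It goes one step beyond the page with a spend function that uses a per-user advisory lock so concurrent tailoring requests cannot overdraw a balance. Table, column, reason and function names and the sample UUID and event ID are assumed.

```sql
-- Added example, not RecastCV's own schema: an append-only credit ledger.
-- Table, column and reason names are assumed for illustration.
create table if not exists public.credit_ledger (
  id              bigint generated always as identity primary key,
  user_id         uuid not null references auth.users (id),
  delta           integer not null check (delta <> 0),  -- +N grant, -N spend
  reason          text not null
                  check (reason in ('signup_bonus', 'purchase', 'tailor')),
  stripe_event_id text,                                  -- purchases only
  created_at      timestamptz not null default now(),
  -- At most one grant per Stripe event. NULLs are distinct in a unique
  -- constraint, so bonus and spend rows are unaffected.
  constraint credit_ledger_stripe_event_key unique (stripe_event_id),
  constraint credit_ledger_purchase_has_event
    check (reason <> 'purchase' or stripe_event_id is not null)
);

-- Append-only is enforced by the database: this trigger rejects UPDATE and
-- DELETE for every role, the service role included. Only the table owner
-- could disable the trigger, which is itself an auditable DDL change.
create or replace function public.credit_ledger_immutable()
returns trigger language plpgsql as $$
begin
  raise exception 'credit_ledger is append-only; % is not permitted', tg_op;
end;
$$;

create trigger credit_ledger_no_update_delete
  before update or delete on public.credit_ledger
  for each row execute function public.credit_ledger_immutable();

-- Users may read their own history. There is deliberately no INSERT policy,
-- so the anon and authenticated roles cannot grant themselves credits;
-- inserts come only from server-side code running as the service role.
alter table public.credit_ledger enable row level security;
grant select on public.credit_ledger to authenticated;
create policy "read own ledger" on public.credit_ledger
  for select to authenticated using (user_id = (select auth.uid()));

-- The balance is derived from the ledger, never stored. security_invoker
-- (PostgreSQL 15+) makes the view honour the ledger's RLS for the caller.
create or replace view public.credit_balances
  with (security_invoker = true) as
  select user_id, sum(delta)::integer as balance
  from public.credit_ledger
  group by user_id;
grant select on public.credit_balances to authenticated;

-- Idempotent grant after a signature-verified webhook. Delivering the same
-- event twice (a Stripe retry or a replayed request) inserts nothing the
-- second time. The user id and event id are made-up sample values.
insert into public.credit_ledger (user_id, delta, reason, stripe_event_id)
values ('11111111-1111-1111-1111-111111111111', 50, 'purchase',
        'evt_sample_0001')
on conflict (stripe_event_id) do nothing;

-- Beyond what the page describes: a spend that cannot overdraw the balance
-- under concurrent requests. The transaction-scoped advisory lock serialises
-- spends per user, so two simultaneous tailoring requests cannot both read
-- balance = 1 and both succeed.
create or replace function public.spend_credit(p_user uuid)
returns integer language plpgsql security definer
set search_path = public as $$
declare
  v_balance integer;
begin
  perform pg_advisory_xact_lock(hashtext(p_user::text));
  select coalesce(sum(delta), 0) into v_balance
    from public.credit_ledger where user_id = p_user;
  if v_balance < 1 then
    raise exception 'insufficient credits for user %', p_user;
  end if;
  insert into public.credit_ledger (user_id, delta, reason)
    values (p_user, -1, 'tailor');
  return v_balance - 1;
end;
$$;

-- Functions in public are exposed over RPC to API roles by default; since this
-- one takes the user id as a parameter, restrict it to the service role.
revoke execute on function public.spend_credit(uuid)
  from public, anon, authenticated;
grant execute on function public.spend_credit(uuid) to service_role;
```

Two details matter when adapting this: the view must use security_invoker (or be replaced by a function that filters on auth.uid()), otherwise it runs with its owner's privileges and bypasses the ledger's RLS; and the spend function must not be callable by API roles, because it accepts the target user as an argument.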

Application security practices

Beyond the infrastructure controls above, we apply standard application security practices throughout the RecastCV codebase:

  • Secret management. Secret keys (Stripe secret key, Supabase service role key, Anthropic API key) are stored only in server-side environment variables. They are never included in client-side bundles, never logged, and never exposed in API responses.
  • Server Components by default. The RecastCV web app uses Next.js App Router with Server Components as the default. Data fetching happens on the server, which means sensitive Supabase queries never run in the browser. Only components that require user interaction are marked as Client Components.
  • Dependency hygiene. We keep the dependency tree small and intentionally limited. Fewer dependencies means fewer supply-chain attack vectors. Dependencies are pinned at known-good versions.
  • Input validation. User-supplied inputs (job description URLs, CV text) are validated before being processed. We do not evaluate or execute user-supplied content.
  • Content Security Policy. HTTP security headers including Content-Security-Policy are configured to limit the origins from which scripts and styles can be loaded.

Responsible disclosure

If you discover a security vulnerability in RecastCV, please disclose it responsibly by contacting us at ai@sumletter.com with details of the issue. We will acknowledge receipt within 48 hours and aim to resolve confirmed vulnerabilities promptly.

We ask that you do not publicly disclose a vulnerability until we have had a reasonable opportunity to investigate and address it. We will credit researchers who report valid vulnerabilities if they wish to be acknowledged.

Questions

If you have security-related questions that are not covered here, contact us at ai@sumletter.com. For privacy questions, see our privacy policy.