SOC 2 Type II · Penetration tested annually

The résumé is yours. We act like it.

Encrypted at rest and in transit, locked behind hardware-key MFA, and audited yearly by an external firm. Here are the receipts.

SOC 2 Type II · A-LIGN · Recertified Mar 2026
GDPR compliant · EU + UK · ICO-aligned · DPA available
CCPA / CPRA · California residents · Rights honored
Pen-tested yearly · NCC Group · CREST · Last audit Feb 2026

What we do

The practices, in plain English.

Encryption everywhere.

Everything you type into BeauCV is encrypted with AES-256 at rest in our databases and TLS 1.3 in transit. Our database backups are also encrypted with separate keys, rotated quarterly.

At rest: AES-256-GCM (AWS KMS)
In transit: TLS 1.3, HSTS, HPKP
Backups: encrypted, separate keys, 7-day RPO

Access by hardware key.

No password alone gets near production. Every BeauCV engineer authenticates with a hardware security key. Access is gated by role, logged, and reviewed monthly.

MFA: hardware (YubiKey FIDO2)
Access: SSO + role-based, reviewed monthly
Audit: every prod query logged

Your résumé doesn't train external systems.

Your text is sent to a rewrite provider under a zero-retention configuration: it is deleted within 30 days and never used for training.

Providers: Provider One, Provider Two
Retention: zero (provider-side)
Training: forbidden by contract

Data residency you choose.

At signup, you pick the region your data lives in: eu-west-1 (Ireland) or us-east-1 (Virginia). It never leaves.

EU region: Ireland (Dublin)
US region: N. Virginia (Ashburn)
Transit: no cross-region replication

Recover from anything.

Real disaster recovery drills, every quarter. We restore a full production database into a staging region, then run the test suite end-to-end. Our last RTO measurement was 38 minutes.

Backups: continuous, point-in-time, 35 days
RPO: ≤ 5 minutes
RTO: ≤ 1 hour (last measured: 38 min)

Delete means delete.

When you delete a résumé or your account, it's gone from active databases immediately and from every backup within 30 days. We keep only the bare minimum required for tax records.

Primary: immediate purge
Backups: within 30 days
Tax data: 7 yr · logically isolated

Sub-processors

Every vendor that touches your data, listed.

We give 30 days' notice before adding any new sub-processor. You may object before it takes effect.

Vendor | Purpose | Region | DPA
AWS | Hosting, storage, backups | eu-west-1, us-east-1 | ✓ signed
Stripe | Payment processing | EU + US | ✓ signed
Provider One | Rewrite processing (zero retention) | US | ✓ signed
Provider Two | Rewrite processing (zero retention) | US, EU mirror | ✓ signed
Postmark | Transactional email | US | ✓ signed
Plain | Customer support | EU (Ireland) | ✓ signed
Plausible | Cookieless analytics | EU (Germany) | ✓ signed

Bug bounty

Find something? We pay.

Responsible disclosure to security@beaucv.fr. We respond within 48 hours and publish researcher credit (with permission) in our security log.

Critical: $10,000+ · RCE, auth bypass, mass data exposure.
High: $2,500 · SQLi, stored XSS in editor, privilege escalation.
Medium: $750 · Reflected XSS, CSRF on sensitive endpoints.
Low: $150 · Info disclosure, missing headers.

Responsible disclosure

Report a vulnerability.

Send a detailed report to security@beaucv.fr. PGP encryption available. We acknowledge within 24h, triage within 48h, and pay within 14 days of validation.

$ gpg --recv-keys 0xA4F31D87
gpg: key A4F31D87 imported
gpg: fingerprint: F8 3A 22 91 0C BD 9E 5C A4 F3 1D 87 B6 22 4E 09
$ gpg --encrypt --recipient security@beaucv.fr report.txt
→ report.txt.gpg ready to send