Trust & data protection

Everything you need to evaluate Offersly for compliance — sub-processors, hosting region, Data Processing Agreements, security contacts, and your data-rights options.

At a glance

Primary jurisdiction
Singapore (PDPA)
Also compliant with
EU GDPR · UK GDPR · CCPA (best-effort)
Data hosting region
Supabase (configured in Supabase dashboard — verify in your project's Settings → General)
Encryption in transit
TLS 1.2+ everywhere, HSTS preloaded, no plaintext fallbacks
Encryption at rest
AES-256 (Supabase Postgres) · AES-256 (Cloudflare R2 / KV) · AES-256 (Stripe)
Access control
Postgres Row Level Security on every user-owned table · JWT-based sessions · TOTP 2FA available
Data residency commitments
AI requests routed to Anthropic (US); optional voice transcription to OpenAI (US). Resume content stored in Supabase project region. Payment data with Stripe (region-routed).
Data Protection Officer
[email protected]
Security contact
[email protected] · See responsible disclosure

Singapore PDPA compliance

Offersly is operated from Singapore and treats PDPC as its primary regulator. We map our practices against all eleven PDPA obligations — full audit lives in docs/pdpa-compliance.md internally; this section is the public-facing summary.

  • Consent (§13–17): Deemed consent for service-necessary processing; express consent for optional features (public share).
  • Purpose limitation (§18): Data used only for the purposes listed in the Privacy Policy.
  • Notification (§20): Purposes disclosed before collection.
  • Access & correction (§21–22): Self-service at /settings.
  • Accuracy (§23): User-edited; we are not the source.
  • Protection (§24): RLS, 2FA available, rate limiting, encryption at rest + in transit.
  • Retention limitation (§25): See Privacy Policy §5 retention table.
  • Transfer limitation (§26): SCCs in all sub-processor DPAs — see table below.
  • Openness (§11–12): Public Privacy Policy + Trust page + named DPO.
  • Data breach notification (§26A–D): 3-day PDPC notification per our incident runbook.
  • Data portability: JSON export already implemented (future-proof for upcoming PDPA amendment).

Complaint path: If you have a concern about our handling of your personal data and we don't resolve it satisfactorily, you may lodge a complaint with the PDPC at pdpc.gov.sg/complaints-and-reviews.

AI processing of resume content

Several Offersly features use AI provided by Anthropic (Claude): AI Tailor, AI Coach, AI Mock Interview, AI Cover Letter, AI Translate, and the bullet/summary improve helpers. On browsers without local speech recognition, voice transcription is handled separately via OpenAI Whisper. Our posture:

  • Photos are never sent to any AI provider. Server-side sanitization in functions/_lib/sanitize.js strips photoUrl, photo, and similar fields before any AI call. Verified in code.
  • Anthropic does not train on your data. Per our DPA + Anthropic's Commercial Terms — your resume text is used only to generate the response you asked for.
  • Short retention by default. Our API tier follows Anthropic's standard Commercial Terms, under which inputs and outputs are retained for up to 30 days for abuse monitoring and then deleted. They are not used for model training. We're pursuing a Zero Data Retention amendment to remove the 30-day window entirely; until that's countersigned, this is the operative retention posture.
  • All outputs are suggestions, not decisions. You always review and accept/reject every AI suggestion before it's saved.
  • Monthly quotas prevent indiscriminate processing — 2 Tailor + 1 Mock + 5 Coach msgs + 1 Cover Letter for free users (see /pricing).
  • Voice answers in Mock Interview prefer in-browser transcription. When your browser supports it (Chrome, Edge, Safari 14.1+), the Web Speech API converts your audio to text on-device and nothing is uploaded. On browsers without that API (iOS Safari, Firefox), audio is sent once to /api/transcribe which forwards it to OpenAI Whisper, returns the transcript, and discards the audio. We do not persist the audio file on our servers.
  • Full DPIA available on request to enterprise customers — covers risk identification, mitigations, and residual risk specifically for AI processing of resumes in employment contexts.
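The photo-stripping step described above, as an added example that is not Offersly's own functions/_lib/sanitize.js: a recursive sanitizer over the resume JSON that removes photo-named keys and inline image data URIs before any AI call, and reports the paths it removed so the API handler can log what was withheld without logging the content. The key list, field names and the sample resume are assumptions.

```javascript
// Added example (not Offersly's sanitize.js). Strips photo fields from a
// resume object before it is sent to an AI provider. Key names are assumed.
const PHOTO_KEY_PATTERN = /^(photo|photoUrl|photoURL|photo_url|avatar|avatarUrl|picture|headshot|image|logo)$/i;

// Inline images (data URIs) are removed regardless of the key they sit under.
const INLINE_IMAGE_PATTERN = /^data:image\//i;

function isInlineImage(value) {
  return typeof value === 'string' && INLINE_IMAGE_PATTERN.test(value);
}

// Returns { sanitized, stripped }: a deep copy without photo material, plus the
// JSON paths that were removed. The input object is never mutated.
function stripPhotoFields(value, path = '$', stripped = []) {
  if (Array.isArray(value)) {
    const out = [];
    value.forEach((item, i) => {
      const itemPath = `${path}[${i}]`;
      if (isInlineImage(item)) { stripped.push(itemPath); return; }
      out.push(stripPhotoFields(item, itemPath, stripped).sanitized);
    });
    return { sanitized: out, stripped };
  }
  if (value !== null && typeof value === 'object') {
    const out = {};
    for (const [key, child] of Object.entries(value)) {
      const childPath = `${path}.${key}`;
      if (PHOTO_KEY_PATTERN.test(key) || isInlineImage(child)) {
        stripped.push(childPath);
        continue;
      }
      out[key] = stripPhotoFields(child, childPath, stripped).sanitized;
    }
    return { sanitized: out, stripped };
  }
  return { sanitized: value, stripped };
}

// Constructed sample resume (not real data) with nested and inline photos.
const SAMPLE_RESUME = {
  name: 'A. Candidate',
  photoUrl: 'https://example.invalid/headshot.jpg',
  summary: 'Backend engineer, 6 years.',
  contact: { email: 'candidate@example.invalid', avatar: 'data:image/png;base64,iVBORw0KGgo=' },
  experience: [
    { company: 'Example Co', bullets: ['Led migration to Postgres'], logo: 'data:image/svg+xml;base64,PHN2Zz4=' },
  ],
};

// What an API handler would call just before building the AI request.
function sanitizeForAi(resume) {
  return stripPhotoFields(resume);
}
```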

Sub-processors

We use these vendors strictly to run the product. We do not sell, rent, or repurpose your data. We notify users 30 days before adding new sub-processors.

Each entry lists the vendor, its purpose, hosting region, and whether a DPA with SCCs is in place:

  • Supabase
    Purpose: Authenticated database (Postgres), storing your account, resume content, AI conversation history, and application tracker data
    Region: Project-configurable (verify in Supabase dashboard)
    DPA / SCCs: Yes — incorporated in DPA
  • Anthropic (Claude)
    Purpose: Primary AI provider, powering Tailor, Coach, Mock Interview, Cover Letter, Translate, Score auto-fix, bullet/summary rewriting, and resume upload parsing. Only the relevant resume text is sent; the resume photo is always stripped before any request. Anthropic does not train its models on API content.
    Region: United States
    DPA / SCCs: Yes — incorporated in DPA
  • OpenAI
    Purpose: Voice transcription only. On browsers without local speech recognition (iOS Safari, Firefox), short audio clips from Mock Interview Speak mode are forwarded to OpenAI Whisper for transcription and discarded after the response. No resume text or photo is sent.
    Region: United States
    DPA / SCCs: Yes — incorporated in DPA
  • Stripe
    Purpose: Payment processing. Card details are handled directly by Stripe and never seen by Offersly; we store only customer ID + subscription ID.
    Region: Region-routed (US, EU, SG)
    DPA / SCCs: Yes — incorporated in DPA
  • Cloudflare
    Purpose: Edge hosting, CDN, DDoS protection, KV store for rate limiting
    Region: Global edge
    DPA / SCCs: Yes — incorporated in DPA
  • QuickChart.io
    Purpose: On-demand QR code rendering when you add a portfolio URL to your resume
    Region: United States
    DPA / SCCs: — (Considering self-hosted replacement)

Data Processing Agreement (DPA)

If you're a business customer using Offersly to process resumes on behalf of others (e.g., a recruiting agency, internal HR team, career-coaching firm), you can execute a DPA with us. It incorporates the EU Standard Contractual Clauses (SCCs) for international transfers.

Email [email protected] with your company details. We countersign within 5 business days.

For consumer accounts (single end-user managing their own resumes), the privacy policy is the operative contract — no separate DPA is required under GDPR Art. 28.

Certifications & attestations

Sub-processors maintain their own compliance attestations — these flow down to us:

  • Supabase — SOC 2 Type II · HIPAA-eligible · GDPR DPA available
  • Anthropic (Claude) — SOC 2 Type II · GDPR DPA · API tier with up to 30-day abuse-monitoring retention (no training use); ZDR amendment in progress
  • OpenAI — voice transcription only (Whisper) · SOC 2 Type II · GDPR DPA · not used for training
  • Stripe — PCI DSS Level 1 · SOC 1/2 · ISO 27001
  • Cloudflare — SOC 2 Type II · ISO 27001 · PCI DSS

Offersly itself does not currently hold SOC 2, ISO 27001, or HIPAA attestation. If you need one of these for procurement, contact [email protected] — we'll pursue it for sufficiently sized agreements.

Your data rights

Self-service flows for every right under GDPR + PDPA live at /settings:

  • Access (GDPR 15 / PDPA §21) — download a JSON export of everything we hold
  • Erasure (GDPR 17 / PDPA §22) — permanently delete your account + all data
  • Portability (GDPR 20) — same JSON export, structured for re-import elsewhere
  • Correction (PDPA §22) — edit any field directly in the editor; changes persist immediately
  • Restriction (GDPR 18) — email [email protected] to request
  • Objection (GDPR 21) — email [email protected] to request

We respond to requests within 30 days as required. For complex requests we may extend by an additional 60 days with notice.

Data breach response

In the event of a confirmed data breach affecting your data, we will:

  • Notify the Singapore PDPC within 3 calendar days for significant breaches (per PDPA §26D)
  • Notify the relevant EU/UK supervisory authority within 72 hours (per GDPR Art. 33)
  • Notify affected users without undue delay when the breach is likely to result in high risk to their rights and freedoms (GDPR Art. 34)
  • Provide a post-incident report with root cause, scope, and remediation

Our internal incident-response runbook is in docs/incident-response.md.

This page is updated whenever the sub-processor list or hosting configuration changes. Last reviewed by the team: see the git log of pages/trust.js.

© 2026 Offersly. All rights reserved.