Trust & data protection
Everything you need to evaluate Offersly for compliance — sub-processors, hosting region, Data Processing Agreements, security contacts, and your data-rights options.
At a glance
- Primary jurisdiction: Singapore (PDPA)
- Also compliant with: EU GDPR · UK GDPR · CCPA (best-effort)
- Data hosting region: Supabase (configured in Supabase dashboard — verify in your project's Settings → General)
- Encryption in transit: TLS 1.2+ everywhere, HSTS preloaded, no plaintext fallbacks
- Encryption at rest: AES-256 (Supabase Postgres) · AES-256 (Cloudflare R2 / KV) · AES-256 (Stripe)
- Access control: Postgres Row Level Security on every user-owned table · JWT-based sessions · TOTP 2FA available
- Data residency commitments: AI requests routed to Anthropic (US); optional voice transcription to OpenAI (US). Resume content stored in Supabase project region. Payment data with Stripe (region-routed).
- Data Protection Officer: [email protected]
- Security contact: [email protected] · See responsible disclosure
Singapore PDPA compliance
Offersly is operated from Singapore and treats PDPC as its primary regulator. We map our practices against all eleven PDPA obligations — full audit lives in docs/pdpa-compliance.md internally; this section is the public-facing summary.
- Consent (§13–17): Deemed consent for service-necessary processing; express consent for optional features (public share).
- Purpose limitation (§18): Data used only for the purposes listed in the Privacy Policy.
- Notification (§20): Purposes disclosed before collection.
- Access & correction (§21–22): Self-service at /settings.
- Accuracy (§23): User-edited; we are not the source.
- Protection (§24): RLS, 2FA available, rate limiting, encryption at rest + in transit.
- Retention limitation (§25): See Privacy Policy §5 retention table.
- Transfer limitation (§26): SCCs in all sub-processor DPAs — see table below.
- Openness (§11–12): Public Privacy Policy + Trust page + named DPO.
- Data breach notification (§26A–D): 3-day PDPC notification per our incident runbook.
- Data portability: JSON export already implemented (future-proof for upcoming PDPA amendment).
Complaint path: If you have a concern about our handling of your personal data and we don't resolve it satisfactorily, you may lodge a complaint with the PDPC at pdpc.gov.sg/complaints-and-reviews.
AI processing of resume content
Several Offersly features send resume content to third-party AI providers (Anthropic for text features, OpenAI for voice transcription only): AI Tailor, AI Coach, AI Mock Interview, AI Cover Letter, AI Translate, the bullet/summary improve helpers, and (on browsers without local speech recognition) voice transcription via OpenAI Whisper. Our posture:
- Photos are never sent to any AI provider. Server-side sanitization in functions/_lib/sanitize.js strips photoUrl, photo, and similar fields before any AI call. Verified in code.
- Anthropic does not train on your data. Per our DPA + Anthropic's Commercial Terms — your resume text is used only to generate the response you asked for.
- Short retention by default. Our API tier follows Anthropic's standard Commercial Terms, under which inputs and outputs are retained for up to 30 days for abuse monitoring and then deleted. They are not used for model training. We're pursuing a Zero Data Retention amendment to remove the 30-day window entirely; until that's countersigned, this is the operative retention posture.
- All outputs are suggestions, not decisions. You always review and accept/reject every AI suggestion before it's saved.
- Monthly quotas prevent indiscriminate processing — 2 Tailor + 1 Mock + 5 Coach messages + 1 Cover Letter for free users (see /pricing).
- Voice answers in Mock Interview prefer in-browser transcription. When your browser supports it (Chrome, Edge, Safari 14.1+), the Web Speech API converts your audio to text on-device and nothing is uploaded. On browsers without that API (iOS Safari, Firefox), audio is sent once to /api/transcribe, which forwards it to OpenAI Whisper, returns the transcript, and discards the audio. We do not persist the audio file on our servers.
- Full DPIA available on request to enterprise customers — covers risk identification, mitigations, and residual risk specifically for AI processing of resumes in employment contexts.
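The photo-stripping step described above is the kind of control a reviewer will want to see rather than take on trust. The following is an added illustration, not Offersly's own functions/_lib/sanitize.js: it deep-copies a resume object, drops keys whose names look like photo fields, and also drops any string value that is an inline data:image URI, so an embedded base64 photo cannot slip through under an unexpected key. The field-name list beyond photo and photoUrl, the sanitizeForAI wrapper, and the sample resume are all assumptions made for this example.

```javascript
// Added example (not Offersly's sanitize.js): remove photo-like fields from a
// resume object before its text is handed to an AI provider.
// Key names other than "photo" and "photoUrl" are assumptions for this example.
const PHOTO_FIELD_PATTERN = /^(photo|photoUrl|photoUri|avatar|avatarUrl|headshot|image|picture)$/i;
// Inline images (data:image/...) are dropped whatever key they sit under.
const DATA_URI_PATTERN = /^data:image\//i;

// Returns a deep copy of `value` with photo fields removed. `removed` collects
// the names of dropped keys so the caller can log a count for monitoring.
// The input object is never mutated.
function stripPhotoFields(value, removed = []) {
  if (Array.isArray(value)) {
    return value.map((item) => stripPhotoFields(item, removed));
  }
  if (value && typeof value === 'object') {
    const out = {};
    for (const [key, child] of Object.entries(value)) {
      if (PHOTO_FIELD_PATTERN.test(key)) {
        removed.push(key);
        continue;
      }
      if (typeof child === 'string' && DATA_URI_PATTERN.test(child)) {
        removed.push(key);
        continue;
      }
      out[key] = stripPhotoFields(child, removed);
    }
    return out;
  }
  return value; // primitives pass through unchanged
}

// Hypothetical wrapper a server function would call just before building the
// AI prompt. Returns the sanitized resume and the list of dropped keys.
function sanitizeForAI(resume) {
  const removed = [];
  const sanitized = stripPhotoFields(resume, removed);
  return { sanitized, removed };
}

// Constructed sample input (not real user data): a photo URL at the top level,
// an avatar nested in a sub-object, and an inline image under an unrelated key.
const SAMPLE_RESUME = {
  name: 'Jane Doe',
  photoUrl: 'https://cdn.example.invalid/jane.jpg',
  contact: { email: 'jane@example.invalid', avatar: 'https://cdn.example.invalid/a.png' },
  sections: [
    { title: 'Experience', bullets: ['Led platform migration'] },
    { title: 'Misc', logo: 'data:image/png;base64,iVBORw0KGgo=' },
  ],
};

const result = sanitizeForAI(SAMPLE_RESUME);
console.log(JSON.stringify(result.sanitized));
console.log('dropped fields:', result.removed.length); // 3
```

In practice the dropped-key count (not the values) is worth emitting to logs: a non-zero count on a field name outside the expected set is an early signal that a new client version started storing images somewhere the sanitizer was not written for.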
Sub-processors
We use these vendors strictly to run the product. We do not sell, rent, or repurpose your data. We notify users 30 days before adding new sub-processors.
Data Processing Agreement (DPA)
If you're a business customer using Offersly to process resumes on behalf of others (e.g., a recruiting agency, internal HR team, career-coaching firm), you can execute a DPA with us. It incorporates the EU Standard Contractual Clauses (SCCs) for international transfers.
Email [email protected] with your company details. We countersign within 5 business days.
For consumer accounts (single end-user managing their own resumes), the privacy policy is the operative contract — no separate DPA is required under GDPR Art. 28.
Certifications & attestations
Sub-processors maintain their own compliance attestations — these flow down to us:
- Supabase — SOC 2 Type II · HIPAA-eligible · GDPR DPA available
- Anthropic (Claude) — SOC 2 Type II · GDPR DPA · API tier with up to 30-day abuse-monitoring retention (no training use); ZDR amendment in progress
- OpenAI — voice transcription only (Whisper) · SOC 2 Type II · GDPR DPA · not used for training
- Stripe — PCI DSS Level 1 · SOC 1/2 · ISO 27001
- Cloudflare — SOC 2 Type II · ISO 27001 · PCI DSS
Offersly itself does not currently hold SOC 2, ISO 27001, or HIPAA attestation. If you need one of these for procurement, contact [email protected] — we'll pursue it for sufficiently sized agreements.
Your data rights
Flows for every right under GDPR + PDPA start at /settings (most are self-service; restriction and objection are handled by email):
- Access (GDPR 15 / PDPA §21) — download a JSON export of everything we hold
- Erasure (GDPR 17 / PDPA §22) — permanently delete your account + all data
- Portability (GDPR 20) — same JSON export, structured for re-import elsewhere
- Correction (PDPA §22) — edit any field directly in the editor; changes persist immediately
- Restriction (GDPR 18) — email [email protected] to request
- Objection (GDPR 21) — email [email protected] to request
We respond to requests within 30 days as required. For complex requests we may extend by an additional 60 days with notice.
Data breach response
In the event of a confirmed data breach affecting your data, we will:
- Notify the Singapore PDPC within 3 calendar days for significant breaches (per PDPA §26D)
- Notify the relevant EU/UK supervisory authority within 72 hours (per GDPR Art. 33)
- Notify affected users without undue delay when the breach is likely to result in high risk to their rights and freedoms (GDPR Art. 34)
- Provide a post-incident report with root cause, scope, and remediation
Our internal incident-response runbook is in docs/incident-response.md.
Related
- Privacy policy — what we collect and why
- Terms of service — your contract with us
- Security & responsible disclosure — how to report vulnerabilities
- Settings & data — export or delete your data
- /.well-known/security.txt — RFC 9116 machine-readable contact
This page is updated whenever the sub-processor list or hosting configuration changes. Last reviewed by the team: see the git log of pages/trust.js.