Security

Your candidate data, protected by design

RefineCV processes candidate CVs without storing them. Original files are deleted after formatting. All data is encrypted, isolated per agency, and hosted in the EU. Security is not an add-on. It is how the product works.

Built on four principles

No CV retention

Original candidate files are processed in memory and deleted immediately after formatting. We never store raw CVs in our database.

Encrypted everywhere

All data is encrypted in transit with TLS 1.2+ and at rest with AES-256. Formatted documents are stored in private, encrypted storage accessible only to your agency.

Agency-isolated data

Every agency's data is strictly separated at the database level. Your templates, formatted CVs, team members, and billing data are invisible to other agencies.

Your data never trains AI

Candidate information is used for extraction only. Your data is never used to train, fine-tune, or improve any AI models. Period.

What happens to your data

The complete lifecycle of a candidate CV in RefineCV.

1. Upload

You upload a candidate CV. The file is sent to our servers over an encrypted connection.

2. Process in memory

AI extracts structured data and applies your template. The file is held in memory only, never written to disk or database.

3. Original deleted

The original CV file is deleted immediately after processing. It is never stored in our database or file storage.

4. Formatted PDF stored

Only the branded output document is stored in private, encrypted storage so your team can re-download it. This can be disabled on request.

How we protect your data

Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • Private storage with signed URL access
  • No unencrypted connections in production

Access controls

  • Token-based authentication on every request
  • Role-based permissions (owner and member)
  • Agency-scoped data isolation at the database level
  • Strict input validation on all API endpoints

EU data residency

  • All data hosted within the European Union
  • Database and file storage in EU data centers
  • GDPR-compliant data processing
  • Data Processing Agreement available on request

Payment security

  • Credit card data handled by PCI-compliant provider
  • RefineCV never sees or stores card numbers
  • Webhook signature verification on all payment events
  • Subscription status only, no financial credentials stored

AI and your data

RefineCV uses AI to extract structured data from candidate CVs and generate formatted documents. Here is exactly what that means for your data:

  • Never used for training. Your candidate data is never used to train, fine-tune, or improve any AI models.
  • Processed, not stored. AI reads the document, extracts the data, and the original is deleted. No candidate content is retained in any AI system.
  • No third-party data sharing. We do not sell, share, or monetize your data. Candidate information is used solely to produce your formatted document.

Your data promise

  • Original CV deleted after processing
  • No AI model training on your data
  • No data sold or shared
  • EU data residency
  • Full data deletion on request

Compliance

GDPR

Compliant

Full GDPR compliance as a data processor. We support data subject rights including access, correction, deletion, and portability. Data Processing Agreement available on request.

CCPA

Compliant

California Consumer Privacy Act compliance. We do not sell personal information. Users can request access to and deletion of their data at any time.

SOC 2

In progress

SOC 2 Type II certification is in progress. If your organization requires SOC 2 on a specific timeline, contact us and we can accelerate the process.

Questions about security?

If you need a Data Processing Agreement, have questions about our security practices, or want to discuss a SOC 2 timeline for your organization, reach out.

Contact us at team@refine-cv.com

Frequently asked questions

Do you store candidate CVs?

No. When you upload a CV, we process it in memory to extract structured data and generate your branded document. The original file is deleted immediately after processing. We never store raw candidate CVs in our database.

What do you store?

We store the formatted PDF output so your team can re-download it from the history page without being charged again. These files are stored in private, encrypted storage with access restricted to your agency. If you prefer not to keep history, contact us and we will disable it for your agency.

Is candidate data used to train AI models?

No. Your data is never used to train, fine-tune, or improve any AI models. Candidate information is processed for extraction only and is not retained after the formatted document is generated.

Where is my data stored?

All data is stored in EU data centers. Formatted documents, account information, and billing data are all hosted within the European Union.

Do you support GDPR compliance?

Yes. RefineCV is designed for GDPR compliance. We process candidate data only as instructed by your agency (data processor role), retain only what is necessary, and support data subject rights including access, correction, deletion, and export. A Data Processing Agreement is available on request.

Are you SOC 2 certified?

SOC 2 certification is currently in progress. If your organization requires SOC 2 compliance on a specific timeline, contact us at team@refine-cv.com and we can discuss accelerating the process to meet your needs.

How do you handle payment data?

RefineCV does not store credit card numbers or payment credentials. All payment processing is handled by a PCI-compliant third-party payment provider. We only store your subscription status and billing history.

Can I delete all my data?

Yes. You can request full account deletion at any time by contacting team@refine-cv.com. We will delete your account, agency data, templates, and all stored formatted documents. Billing records are retained as required by law.
