Trust & Security
Everything procurement, security, and legal teams typically need to evaluate resumAI — in one place, public, and updated as we change.
EU-native, GDPR-compliant, EUR-billed.
- Hosted in Germany / Finland (Hetzner) — no third-country transfer for application data.
- LLM providers run in API mode with training-on-customer-data disabled.
- Self-serve account deletion (30-day grace) and data export (JSON) inside the app.
- Multibanco & MB Way for PT business accounts, EUR invoicing.
- DPA available before signature — no NDA gating.
Data Processing Agreement (DPA)
The contract between resumAI and your organisation governing how we process Personal Data on your behalf.
Read the DPA →
Sub-processors
Public list of every third party that may handle Personal Data on our behalf — legal name, purpose, location, and transfer mechanism.
View sub-processors →
Privacy Policy
How we collect, use, retain, and delete personal data. GDPR + Lei n.º 58/2019 (Portugal) compliant.
Read the privacy policy →
Terms of Service
Acceptable use, IP, liability, and termination terms.
Read the terms →
System status
Live status of API, app, and landing surfaces. Probes every 30 seconds.
View status →
Developer API documentation
Authentication, endpoints, error codes, and rate limits — for integration teams evaluating our API surface.
View API docs →
Security disclosure
Security contact: security@resumai.eu. We respond within one business day. We don’t run a paid bug-bounty program yet, but we publicly acknowledge legitimate disclosures and try to ship fixes within agreed coordinated-disclosure windows.
Machine-readable security contact at /.well-known/security.txt.
What we are and aren’t certified against
- GDPR / Lei n.º 58/2019: compliant. DPA, sub-processor list, erasure, portability, and consent records all available.
- SOC 2 / ISO 27001: not currently certified. We follow the controls in spirit (least-privilege access, audit logging, encrypted transit + at-rest backups), but no third-party audit has been run yet. If certification is a procurement blocker, contact us — it’s on the roadmap and customer demand accelerates it.
- HIPAA: not in scope. resumAI is built for recruitment data; we do not process PHI and are not a HIPAA Business Associate.
- FedRAMP / IL-tier: not in scope.