Security & Data Protection
Last reviewed: March 18, 2026
22 Skills handles sensitive career data — your resume, job descriptions, and analysis history. This page explains how we store it, who can access it, and how we protect it.
Data Storage
- Your data is stored in an encrypted database. Data at rest and in transit is protected by industry-standard encryption.
- Backups are encrypted and managed by our infrastructure provider.
Access Control
- Every data query is scoped to the authenticated user. You can only access your own resumes, analyses, and job descriptions — no other user can read your data, and you cannot read theirs.
- All API endpoints validate your session on every request. Unauthenticated requests are rejected before reaching any user data.
AI Processing
- When you use AI-powered features (ATS analysis, resume rewriter, cover letter generator), your resume text is sent to our AI providers — OpenAI and Anthropic — solely to generate your result.
- Neither OpenAI nor Anthropic trains its models on data submitted through the API.
- We never attach your account identifiers (user ID, email, or name) to AI requests. However, if your resume or job description text contains personal information, that text is transmitted as part of the analysis.
- See Terms of Service §6 for a full feature-by-feature breakdown of what data is transmitted.
Authentication
- Passwords are hashed before storage — we never store your password in a readable form.
- Sessions are managed using short-lived tokens that are refreshed securely.
- Social sign-in (Google, Apple) is handled directly by those providers. We receive only the profile information they share.
Payment Security
- All payments are processed by Stripe. 22 Skills never receives, stores, or transmits your card number, CVV, or full billing address.
- Payment data is handled entirely within Stripe's PCI-DSS compliant infrastructure.
Data Deletion
- When you delete your account, all associated data is permanently removed: your profile, resume versions, job descriptions, analysis history, and feedback submissions.
- To request data deletion without deleting your account (GDPR Art. 17 / CCPA), use the Contact & Support link in the footer and select "Privacy / Data Request".
- We respond to data subject requests within 30 days.
Responsible Disclosure
- If you discover a security vulnerability in 22 Skills, please report it using our Contact & Support form (select "Privacy / Data Request").
- Please do not publicly disclose vulnerabilities before we have had a reasonable opportunity to investigate and address them.
- We review all security reports and respond as quickly as possible.
For privacy requests, data deletion, or security reports, use the Contact & Support form.
For details on how AI providers process your data, see our Terms of Service §6.