AppExtractAI

Security at AppExtractAI

Applicant data is sensitive. Here is how we protect it at every step, from upload to automatic deletion.

Encryption

All data is encrypted in transit and at rest.

  • HTTPS enforced on all connections with HSTS (HTTP Strict Transport Security) enabled for 2 years
  • Applicant files stored in a private AWS S3 bucket with server-side AES-256 encryption
  • Files are never publicly accessible. Access requires time-limited signed URLs generated after authentication
  • Database connections use SSL/TLS encryption

Authentication & Access Control

Only authorized users within your organization can access your data.

  • Authentication powered by Clerk, an industry-standard identity platform with support for multi-factor authentication
  • Organization-based multi-tenancy: each residency program has its own isolated workspace
  • Every API endpoint validates the user's organization membership from the server-side session, not from client parameters
  • Users can only access orders, templates, and applicant data belonging to their own organization

Automatic Data Deletion

Applicant data is automatically deleted after 3 days.

  • All uploaded application PDFs, extracted reports, and Excel exports are automatically deleted 3 days after processing
  • Deletion removes both the database records and the actual files from cloud storage
  • No long-term storage of applicant information. AppExtractAI is designed as a processing tool, not a data warehouse

Infrastructure

Hosted on enterprise-grade, SOC 2 compliant infrastructure.

  • Application hosted on Vercel (SOC 2 Type II compliant)
  • Database hosted on Neon (SOC 2 Type II compliant PostgreSQL)
  • File storage on AWS S3 with Block All Public Access enabled
  • Background processing on Trigger.dev with isolated task execution

AI Processing & Zero Data Retention

Your applicant data is never used for AI model training. The AI provider has a zero data retention policy for API calls.

  • Application text is sent to Anthropic's Claude API over encrypted HTTPS connections for data extraction
  • Anthropic does not use API inputs or outputs to train, improve, or fine-tune their AI models
  • Anthropic's API has a zero data retention policy: applicant data is not stored by the AI provider after the API call completes
  • Extracted data is stored temporarily (3 days) on our encrypted infrastructure for you to download, then permanently deleted from all systems
  • At no point is applicant data used for any purpose other than extracting the specific fields you requested

Team & Permissions

Collaborate securely with your review committee.

  • Invite multiple faculty members to your organization
  • All team members share the same secure workspace with the same access controls
  • Organization administrators can manage team membership through the built-in organization settings

Browser Security

Modern security headers protect against common web attacks.

  • X-Frame-Options: DENY prevents clickjacking attacks
  • X-Content-Type-Options: nosniff prevents MIME type sniffing
  • Strict referrer policy limits information shared with third parties
  • Camera, microphone, and geolocation permissions are disabled by default
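The header claims above, together with the 2-year HSTS setting listed under Encryption, can be checked from any captured response. The following is an added example, not AppExtractAI's own code: the function name `auditSecurityHeaders`, the set of Referrer-Policy values treated as "strict", and the use of the `Permissions-Policy` header for the camera, microphone and geolocation restriction are assumptions, and the sample headers are constructed.

```javascript
const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // 63072000 seconds

// Assumption: which Referrer-Policy values count as "strict" (the page names none).
const STRICT_REFERRER = new Set([
  "no-referrer", "same-origin", "strict-origin", "strict-origin-when-cross-origin",
]);

function auditSecurityHeaders(rawHeaders) {
  // Header names are case-insensitive, so normalise before lookup.
  const h = {};
  for (const [k, v] of Object.entries(rawHeaders)) h[k.toLowerCase()] = String(v).trim();
  const findings = [];

  // HSTS: max-age must be present and cover at least two years.
  const m = /(?:^|;)\s*max-age\s*=\s*"?(\d+)"?/i.exec(h["strict-transport-security"] || "");
  if (!m) findings.push("hsts-missing");
  else if (Number(m[1]) < TWO_YEARS) findings.push("hsts-too-short");

  if ((h["x-frame-options"] || "").toUpperCase() !== "DENY") findings.push("x-frame-options");
  if ((h["x-content-type-options"] || "").toLowerCase() !== "nosniff") findings.push("nosniff");

  // In a comma-separated list the last recognised policy wins, so check the last entry.
  const ref = (h["referrer-policy"] || "")
    .split(",").map((s) => s.trim().toLowerCase()).filter(Boolean).pop();
  if (!STRICT_REFERRER.has(ref)) findings.push("referrer-policy");

  // Permissions-Policy: a feature is off for every origin when its allowlist is "()".
  const policy = new Map();
  for (const part of (h["permissions-policy"] || "").split(",")) {
    const eq = part.indexOf("=");
    if (eq > 0) policy.set(part.slice(0, eq).trim().toLowerCase(), part.slice(eq + 1).trim());
  }
  for (const feature of ["camera", "microphone", "geolocation"]) {
    if (policy.get(feature) !== "()") findings.push(`permissions-policy:${feature}`);
  }
  return findings; // empty array means every listed control was observed
}

// Constructed sample response headers (not captured from any real site).
const compliantSample = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "X-Frame-Options": "DENY",
  "X-Content-Type-Options": "nosniff",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
};
console.log(auditSecurityHeaders(compliantSample));
```
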

Payment Security

Payment processing is handled entirely by Stripe.

  • AppExtractAI never sees, stores, or processes credit card numbers
  • All payment data is handled by Stripe, which is PCI DSS Level 1 certified (the highest level of certification)
  • Subscription webhooks are verified using cryptographic signature validation

Questions about security?

If you have questions about our security practices or would like to request additional information, please contact us at mac.singer@appextractai.com