Use this when
- Your organization is deciding whether to start a partner trial or rollout.
- You need a review-ready document that can be shared internally.
- You want a direct summary before sending a custom questionnaire.
Trust Packet
Blacklight Resumes Trust Packet
Public first-pass review material for partner due diligence, privacy review, security review, and institutional rollout planning.
Blacklight Resumes is operated by Blacklight AI Resumes Inc.
Need the deeper technical view?
The main trust packet is meant to stay review-friendly. If your team wants the more technical layer on retention windows, hashed-token handling, analytics posture, and provider-specific handling, use the technical appendix alongside this packet.
What this packet is for
This packet is the official first-pass trust document for organizations reviewing Blacklight Resumes. It is meant to answer the questions most teams ask first about security boundaries, privacy posture, retention, subprocessors, and operational handling before a longer questionnaire is needed.
What this is not
- It is not a marketing brochure.
- It is not a full legal agreement or custom security addendum.
- It is not a substitute for your organization's own procurement checklist.
Service overview
Blacklight Resumes provides resume-generation and job-readiness support for individuals and for organizations that want to offer structured help to their own users. The platform is built to keep the public experience simple while keeping privileged partner and admin actions behind stronger operational controls.
Security and access controls
Admin and partner access is role-scoped, MFA-gated for sensitive workflows, and reinforced with audit logging around high-risk actions.
Data handling and retention
The platform documents what data is collected, how it is used, how scheduled minimization and retention work, and how deletion requests speed up removal when needed.
AI usage and model handling
The trust package explains where AI is used in resume generation, what operational safeguards exist, and how model processing stays bounded to the workflow.
Operational readiness and privacy stance
Incident response, backup and recovery, subprocessors, partner-support boundaries, and the cookie-free public-site stance are documented so reviews can move faster.
Table of contents
- 1. Security overviewSecurity reviewers, technical approvers, and mission-driven partners validating baseline controls before rollout.
- 2. Data handling summaryPrivacy, legal, and operations teams reviewing data scope and handling expectations.
- 3. Retention and deletion summaryInstitutions reviewing deletion workflows, privacy requests, and retention controls.
- 4. Incident response summaryTeams that need to know how incidents, outages, and high-risk operational issues are handled.
- 5. Access control summaryReviewers validating privileged access, role separation, and operator safeguards.
- 6. Audit logging summarySecurity and compliance reviewers focused on traceability and sensitive-event review.
- 7. AI usage and model handling summaryOrganizations reviewing model usage, AI boundaries, and operational handling expectations.
- 8. Subprocessor listProcurement and legal teams reviewing vendor dependencies and external service providers.
- 9. Backup and recovery summaryTeams validating resilience expectations before rollout or paid conversion.
- 10. Institutional questionnaire templateInstitutional reviewers using standardized questionnaires across libraries, schools, workforce groups, nonprofits, and related organizations.
Section 1
Security overview
Security reviewers, technical approvers, and mission-driven partners validating baseline controls before rollout.
High-level architecture, authentication boundaries, and platform-control summary for organizations that need a serious first-pass review.
Why this matters
If your organization is trusting Blacklight with resume requests for patrons, members, students, or clients, your team should be able to see quickly how privileged access is limited and where higher-risk actions are controlled.
Public intake, partner workflows, and admin operations are separated into different surfaces so the same person is not moving through every part of the system with the same level of access.
Sensitive actions such as billing changes, privacy handling, partner-access changes, and high-risk admin actions sit behind stronger authentication requirements and auditability.
The platform is designed to keep customer-facing intake simple while keeping privileged operational controls limited to authenticated internal or partner-authorized paths.
Section 2
Data handling summary
Privacy, legal, and operations teams reviewing data scope and handling expectations.
What partner and end-user data enters the system, where it flows, and how it stays constrained to the service path.
Why this matters
Partners should not have to guess what Blacklight collects, who touches it, or whether a hidden ad-tech stack is following their users around. This summary explains the actual data path in plain language.
Blacklight collects the information needed to generate, deliver, and support resume requests: intake details, uploaded documents, selected targets, delivery records, and support or privacy follow-up when needed.
That data stays tied to the service path rather than being reused for ad targeting, third-party tracking, or unrelated marketing profiling.
The public site is intentionally cookie-light and tracking-light, so the normal assumptions people make about ad-tech stacks do not apply here.
Section 3
Retention and deletion summary
Institutions reviewing deletion workflows, privacy requests, and retention controls.
Retention windows, purge behavior, and privacy/deletion workflow expectations across normal operations and request-based deletion.
Why this matters
Organizations helping people through job transitions need to know their users’ information is not hanging around forever. This summary explains the normal cleanup cycle, scheduled minimization, and the faster deletion path when someone asks for it.
Blacklight uses normal retention windows and scheduled cleanup rather than keeping full personal information indefinitely by default.
Some records are minimized or redacted on schedule even when no one files a deletion request, while deletion requests move the specific request into a faster removal workflow.
In practice, that means operational records are kept only for the period needed to deliver the service, support the request, and satisfy limited legal or security obligations before they are minimized or removed.
Section 4
Incident response summary
Teams that need to know how incidents, outages, and high-risk operational issues are handled.
How operational issues are triaged, investigated, and handled when sensitive systems or partner workflows are involved.
Why this matters
When a partner is using Blacklight to support real people, an outage or sensitive issue is not abstract. This summary explains how issues are surfaced, reviewed, and handled when continuity matters.
Operational issues are reviewed through a defined handling path instead of being treated like ordinary support noise when sensitive systems or partner-facing workflows are involved.
The focus is on fast triage, scoped investigation, and limiting the blast radius when something affects privacy, delivery, partner access, or continuity.
Public trust materials stay high-level on purpose, but the operating posture behind them is built around escalation, containment, communication, and follow-through when a real issue affects service or data handling.
Section 5
Access control summary
Reviewers validating privileged access, role separation, and operator safeguards.
Admin, partner, and privileged workflow controls with MFA and role boundaries.
Why this matters
Partners need confidence that their staff only see what they are meant to see and that Blacklight keeps higher-risk controls behind stronger authentication. This summary focuses on those boundaries.
Partner and admin capabilities are split by role so routine visibility, billing actions, user management, and higher-risk controls do not all sit behind the same permission level.
Sensitive routes use stronger authentication expectations, especially where account changes, partner-access decisions, or operational overrides are involved.
Location-aware and role-aware access boundaries are part of the model so larger organizations can limit what staff see when broader access is not appropriate.
Section 6
Audit logging summary
Security and compliance reviewers focused on traceability and sensitive-event review.
Sensitive admin and billing actions are logged for review and traceability.
Why this matters
A trust review is stronger when your team can see that sensitive changes do not disappear into a black box. This summary explains how Blacklight keeps traceability around higher-risk actions.
Higher-risk actions such as sensitive admin updates, billing changes, privacy handling, and partner-access changes are captured for traceability.
The goal is not surveillance of ordinary use. It is accountability around the kinds of actions that matter in support, privacy, and partner operations.
This gives reviewers a first-pass answer to “how would you know who changed something important?” without opening internal dashboards during procurement.
Section 7
AI usage and model handling summary
Organizations reviewing model usage, AI boundaries, and operational handling expectations.
Where AI is used in the workflow, how outputs are validated, and where human review still applies.
Why this matters
Partners choosing Blacklight are not just buying automation. They are trusting a workflow that should be clear about where AI is used, where it is bounded, and how those outputs are handled responsibly.
AI is used inside the resume-generation workflow rather than as an open-ended chat product layered across the whole site.
Model processing is scoped to the request workflow, and Blacklight stores the service outputs it needs in its own system rather than relying on an OpenAI-hosted conversation history as the business record.
That means partners can review AI use as one bounded part of the service path: generation happens for the request, outputs are kept in Blacklight systems, and the platform record does not depend on a separate chat history living elsewhere.
Section 8
Subprocessor list
Procurement and legal teams reviewing vendor dependencies and external service providers.
Current core vendors involved in hosting, billing, identity, messaging, and model operations.
Why this matters
Organizations should not have to guess which outside services are involved when they partner with Blacklight. This summary identifies the core vendors in the service path so reviews can start from a real list instead of assumptions.
Current core vendors include Supabase for application data, auth, and storage; Stripe for payments; Postmark for transactional email delivery; Cloudflare for web delivery and edge infrastructure; and OpenAI for model processing inside resume generation.
Each provider is tied to a specific operational role in the service path rather than being part of a larger advertising, analytics, or reseller network.
The vendor footprint is intentionally narrow and service-specific so partner review can focus on the providers actually involved in hosting, delivery, payments, and bounded model processing.
Section 9
Backup and recovery summary
Teams validating resilience expectations before rollout or paid conversion.
Recovery posture and continuity expectations for partner-facing operations.
Why this matters
If your organization is planning to rely on Blacklight as part of a public-facing or member-facing service, continuity matters. This summary gives a direct overview of the recovery posture without pretending to be a full infrastructure manual.
Core operations are set up with continuity in mind so a temporary problem in one layer does not automatically become a total service loss.
The public trust page does not expose internal recovery runbooks, but it does state clearly that resilience, recovery, and continuity are treated as operational requirements rather than afterthoughts.
The practical expectation is straightforward: Blacklight is run so temporary faults can be recovered from, partner-facing operations can be restored, and continuity is part of normal operations rather than an afterthought.
Section 10
Institutional questionnaire template
Institutional reviewers using standardized questionnaires across libraries, schools, workforce groups, nonprofits, and related organizations.
A starting point for library systems, schools, workforce groups, nonprofits, and other institutional reviewers when a formal review is required.
Why this matters
Some partners need more than a public trust page. This packet is the bridge into a more formal review when your organization uses a standard questionnaire or procurement checklist before moving forward.
The questionnaire packet is the structured next step for institutions that cannot move forward on a public trust page alone.
It is meant to shorten back-and-forth by giving Blacklight and the partner a common starting point instead of starting every review from scratch.
It is best suited to organizations that already use a formal procurement checklist, vendor questionnaire, or privacy/security review template and need Blacklight to answer within that structure.
Review follow-up
If your organization needs a deeper procurement, privacy, or security review after this packet, use the trust contact flow. Blacklight can then respond with questionnaire support, follow-up clarification, or the next review material appropriate to the stage of your partnership.