ShieldCV

Local-First Resume Security

Your resume. Your device. Your AI.

ShieldCV scans your resume for compliance violations and ATS keyword gaps. The AI runs in your browser. Your data never leaves your device. Zero external requests. Zero data retention. Zero trust required.

Best first click: HIPAA demo on /scan

Shows local AI compliance analysis immediately, no vault unlock required.

Fast trust signal: Attack Mode

Demonstrates real-time blocking, CSP enforcement, and tamper-evident audit logging.

Core Flows

See what ShieldCV does in one click

Compliance Scanner

Scan your resume for HIPAA Protected Health Information, CMMC Controlled Unclassified Information, and GDPR data rights. Each finding includes regulatory citations and compliant alternatives.

Try the HIPAA demo

ATS Match

Paste a job description and see how your resume matches. Cosine similarity scoring, missing keyword detection, and placement suggestions. All analysis runs locally.

Try ATS matching

Attack Mode

Watch ShieldCV block 7 real attack payloads in real time. XSS, prototype pollution, CSP violations, and more. Every block is logged to a tamper-evident audit chain.

Enter Attack Mode

Application Tracker

Track every job application in one encrypted place. Know which companies have your data. Exercise your GDPR rights with one click.

Start tracking

Why ShieldCV?

Privacy and compliance risks start before you ever click apply

Every AI resume tool asks you to upload your resume to their servers. Career centers like UC Berkeley warn students to strip personally identifying information before using these tools. Healthcare students describing clinical rotations risk HIPAA violations. Defense applicants risk exposing Controlled Unclassified Information. And every applicant leaves a data trail across dozens of ATS systems with no easy way to exercise their privacy rights.

ShieldCV is different. The AI models run in your browser via WebAssembly. Your resume is encrypted with AES-GCM using a key derived from your passphrase. The encryption key never leaves your device. There is no server that stores, processes, or even sees your data.

Security Architecture

Built to verify, not just claim

Per-request CSP nonces via Cloudflare Worker

Every response carries a fresh nonce to protect scripts and styles from inline injection.

Trusted Types enforcement (no unsafe innerHTML)

The UI blocks dangerous DOM sinks so untrusted markup cannot be injected into the page.

AES-GCM encryption at rest (PBKDF2 600K iterations)

Resume data is encrypted locally with a passphrase-derived key before it reaches browser storage.

Zero external runtime connections

The app is designed to run locally without shipping resume contents to third-party APIs or services.

In-browser AI via Transformers.js WebAssembly

Scanning and ATS analysis execute on-device instead of in a remote inference pipeline.

Hash-chain tamper-evident audit log

Security-relevant events are linked together so unexpected edits are easier to detect.

100% test coverage on all security packages

Core security packages ship with complete automated test coverage to reduce blind spots.

DPIA, STRIDE threat model, CycloneDX SBOM

The security program includes privacy, threat-modeling, and software supply chain documentation.
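
The hash-chain audit log described above can be sketched as follows. This is an added example, not ShieldCV's own code: the entry fields, function names and sample events are assumptions, and it uses Node's `crypto` module so it runs offline (a browser build would hash with WebCrypto instead).

```javascript
// Added illustration, not ShieldCV code. Field and function names are assumptions.
const { createHash } = require("node:crypto");

const GENESIS = "0".repeat(64); // constructed anchor used as prevHash of entry 0

// Hash the entry content together with the previous entry's hash.
function entryHash(prevHash, seq, event) {
  // A JSON array keeps field boundaries unambiguous before hashing.
  const canonical = JSON.stringify([prevHash, seq, event.ts, event.type, event.detail]);
  return createHash("sha256").update(canonical).digest("hex");
}

function appendEvent(log, event) {
  const seq = log.length;
  const prevHash = seq ? log[seq - 1].hash : GENESIS;
  const entry = { seq, prevHash, event: { ...event }, hash: entryHash(prevHash, seq, event) };
  log.push(entry);
  return entry;
}

// Walk the chain; report the first entry that fails a check.
function verifyChain(log, expectedHead) {
  let prev = GENESIS;
  for (let i = 0; i < log.length; i++) {
    const e = log[i];
    if (e.seq !== i) return { ok: false, index: i, reason: "sequence gap" };
    if (e.prevHash !== prev) return { ok: false, index: i, reason: "broken link" };
    if (entryHash(e.prevHash, e.seq, e.event) !== e.hash)
      return { ok: false, index: i, reason: "content mismatch" };
    prev = e.hash;
  }
  // Truncation, or a rewrite that recomputes every hash, only shows up
  // against a head hash that was recorded outside the log.
  if (expectedHead !== undefined && prev !== expectedHead)
    return { ok: false, index: log.length, reason: "head mismatch" };
  return { ok: true, index: -1, reason: "" };
}

// Constructed sample events (not real ShieldCV log entries).
function buildSampleLog() {
  const log = [];
  appendEvent(log, { ts: 1, type: "csp-violation", detail: "inline script blocked" });
  appendEvent(log, { ts: 2, type: "trusted-types", detail: "innerHTML sink blocked" });
  appendEvent(log, { ts: 3, type: "vault", detail: "unlock failed" });
  return log;
}
```

An in-place edit is caught at the edited entry, and an edit with a recomputed hash is caught at the next link. Dropping trailing entries passes unless the verifier also holds the last known head hash.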