Our Security Philosophy
The most secure data is data that is never collected. OfferLetter.ai is architected from the ground up to minimize data exposure by keeping everything client-side. We believe your salary details, offer letters, and interview preparation should remain entirely under your control.
Client-Side Architecture
OfferLetter.ai runs entirely in your web browser. There is no backend server that receives, processes, or stores your data. When you paste an offer letter or practice interview answers, that text stays on your device. The only external communication is directly from your browser to the Anthropic Claude API, using your own API key.
This architecture eliminates entire categories of security risk:
- No server-side data breaches -- there is no server storing your data
- No database leaks -- there is no database
- No insider access -- our team cannot see your information
- No data in transit to our infrastructure -- requests go directly to Anthropic
API Key Security
Your Anthropic Claude API key is stored in your browser's localStorage. This storage mechanism is:
- Domain-isolated: Only OfferLetter.ai pages can access keys stored under our domain
- Not transmitted: Unlike cookies, localStorage values are not automatically sent with HTTP requests
- User-controlled: You can delete your stored key at any time through browser settings or the app
- Never logged: We have no server-side logging infrastructure that could capture your key
We recommend treating your API key like a password. Do not share it, and rotate it periodically through your Anthropic dashboard.
Encryption in Transit
All communication between your browser and the Anthropic API occurs over HTTPS (TLS 1.2+), ensuring that your offer letter text and interview content are encrypted during transmission. The OfferLetter.ai site itself is served over HTTPS.
No Data Retention
We retain zero user data because we collect zero user data. There are no server logs containing your queries, no analytics databases tracking your behavior, and no backups of your information on our infrastructure. When you close the browser tab, the only thing that persists is your API key in localStorage (if you chose to save it).
Content Security
The application implements security best practices including:
- Content Security Policy (CSP) headers to prevent cross-site scripting (XSS)
- No inline script execution from user-generated content
- No use of eval() or similar dynamic code execution
- Subresource integrity for third-party assets where supported
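As an added illustration (not OfferLetter.ai's deployed configuration, which this page does not reproduce), here is an nginx fragment for a Content Security Policy that enforces the architecture described above: scripts and styles only from the site's own origin with no inline scripts or eval, and outbound connections permitted only to the Anthropic API host, which is assumed here to be api.anthropic.com.

```nginx
# Added example: a CSP matching the client-side-only design described on this page.
# This is NOT OfferLetter.ai's actual configuration; the API hostname is an assumption.
server {
    # Static site: start from nothing and opt each resource type in explicitly.
    set $csp "default-src 'none'; ";
    # 'self' without 'unsafe-inline' or 'unsafe-eval' blocks inline scripts and eval().
    set $csp "${csp}script-src 'self'; style-src 'self'; ";
    set $csp "${csp}img-src 'self' data:; font-src 'self'; ";
    # The only permitted outbound connection: the browser talking directly to the API.
    set $csp "${csp}connect-src https://api.anthropic.com; ";
    # No form submissions, no framing by other sites, no plugins, no <base> hijacking.
    set $csp "${csp}form-action 'none'; frame-ancestors 'none'; object-src 'none'; base-uri 'none'; ";
    add_header Content-Security-Policy $csp always;
    # Keep every visit on TLS, matching the "served over HTTPS" statement above.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
}
```

Because default-src is 'none', any resource type the app later needs (a web worker, a manifest, a same-origin JSON fetch) must be added to the policy by name, which is what makes the "only external communication is to Anthropic" claim auditable from the header alone.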
What We Do NOT Do
- We do not proxy API requests through our servers
- We do not log, cache, or store any text you enter
- We do not track your identity, IP address, or browsing behavior
- We do not share any information with third parties (we have none to share)
- We do not use your data to train models or improve our service
Responsible Disclosure
We take security seriously and welcome reports from security researchers. If you discover a vulnerability or security concern, please report it to us responsibly:
- Email: security@offerletter.ai
- Please include a detailed description of the vulnerability and steps to reproduce
- Allow us reasonable time to address the issue before public disclosure
- Do not access or modify other users' data during your research
We appreciate your help keeping OfferLetter.ai secure and will acknowledge valid reports.
Questions
For security-related questions, contact security@offerletter.ai. For general inquiries, reach us at support@offerletter.ai.