Your Data is Not Our Product.

Distill processes your files in isolated, encrypted environments. Get processed CVs back via direct download, a secure shareable URL, or email push — kept for 24 hours by default, or destroyed on delivery if you switch on Zero-Retention mode. We never sell, share, or train AI models on your candidate data.

The Lifecycle of a Document.

Distill is a short-lived processing pipe, not a database. You decide how processed CVs come back — download from the dashboard, share a secure URL with your team, or push to an inbox — and how long they stay reachable. Toggle below to see how the lifecycle changes.

  1. 1

    Transmission

    The file is uploaded via TLS 1.2+ encrypted tunnel.

  2. 2

    Processing

    The file is loaded into ephemeral memory (RAM) in an isolated, serverless environment.

  3. 3

    Transformation

    Our engine redacts PII or reformats the layout.

  4. 4

    Delivery

    24-hour

    Pick your channel: download directly from the dashboard, generate a secure shareable URL for your team, or push to an inbox. All three stay live throughout the 24-hour window — built for bulk runs and async workflows.

  5. 5

    Auto-Deletion

    24-hour

    Auto-deletes 24 hours after processing — or sooner, if you trigger manual deletion from your dashboard.

"We don't maintain a long-term database of your candidates. Files exist only as long as your workflow needs them — and not a moment longer."

Regulatory Compliance.

UK GDPR & EU GDPR

Distill acts as a Data Processor under UK and EU GDPR. We do not retain, sell, or share personal data — candidate CVs are processed in memory and deleted immediately. A Data Processing Agreement (DPA) is available on request.

Equality Act 2010 & EU Equal Treatment Directives

Distill's anonymisation engine helps recruitment agencies demonstrate a structured, bias-free shortlisting process — removing names, photos, postcodes, and graduation years before a hiring manager sees the CV. This supports compliance with the Equality Act 2010 (UK), the EU Race Equality Directive, and equivalent legislation in Australia and New Zealand.

Bank-Grade Security.

Encryption in Transit

All data sent to and from Distill is encrypted using TLS 1.2 (Transport Layer Security) or higher.

Encryption at Rest

All stored files — whether in the processing queue or held in the short-TTL download window — are encrypted using AES-256 standards, with keys scoped per organisation.

Cloud Provider

Our infrastructure runs on AWS (Amazon Web Services), utilising data centres in the EU (Ireland) and UK that adhere to SOC 2 Type II and ISO 27001 standards.

Serverless Isolation

We use function-as-a-service architecture. Every CV is processed in its own isolated container, preventing cross-contamination of data between clients.

No Training on Your Data.

We do not use your submitted CVs to train public Large Language Models (LLMs). Your candidates remain your proprietary intellectual property. Our parsing models are pre-trained and fixed; they do not "learn" from your confidential uploads.

🚫

Authorized Sub-processors.

To provide our service, we rely on a minimal set of trusted infrastructure partners:

Amazon Web Services (AWS)

Cloud Hosting & Compute

Stripe

Payment Processing

AWS SES

Transactional Email Delivery

Report a Security Issue.

We take the security of our systems seriously. If you believe you have found a vulnerability in Distill.cv, please report it to us immediately. We practice responsible disclosure.

security@distill.cv