
If you’ve visited the View My CV section on my website, you may have noticed a new privacy-first flow that asks you to verify your identity before downloading my resume. This feature was introduced to strike a balance between open access and secure sharing of personal documents.
In this post, I’ll explain — at a high level — how this CV request workflow operates, the reasoning behind it, and the technologies used to enable it. Specific implementation details and secrets are not included for security and privacy reasons.
📌 Use Case: Why Add a Gate to CV Access?
Rather than publicly exposing your CV or resume file for anyone to download, a controlled access model can help:
- Collect basic requester information (name, email, company, etc.)
- Maintain transparency with a privacy agreement
- Provide accountability for downloads
- Prevent automated scraping or abuse
This design is especially helpful for independent professionals, consultants, or job seekers who want to track interest without making personal documents fully public.
🔐 Privacy-Centric Flow Overview
The solution introduces a multi-step request flow that respects user privacy while gating document access behind OTP verification.
💬 Sequence Flow:
Request Initiation
- Visitor clicks a “View CV” button.
- Prompted to accept the Privacy Policy before proceeding.
Form Submission
- A form collects minimal information:
  - Mandatory: Name, Email
  - Optional: Phone, Company, Location
OTP Delivery
- A one-time passcode (OTP) is generated.
- Sent to the user’s email (and phone if provided).
Verification
- The user enters the OTP on the next screen.
- Upon successful verification, access to the CV is granted.
Download Access
- A time-limited download link is revealed.
- All user data (except OTP) is logged securely.
⚙️ Technical Highlights
The system follows cloud-native and serverless design patterns:
🛠️ Key Components:
- DynamoDB stores request metadata and OTPs.
- Lambda Functions handle:
  - Request submission
  - OTP generation and delivery
  - OTP validation
- Email & SMS Services send OTP securely via:
  - Amazon SES for email
  - Amazon SNS for SMS (if phone is provided)
- S3 hosts the protected CV file.
- API Gateway or Netlify Functions expose endpoints for user interactions.
🔒 Security Considerations:
- OTP Hashing: OTPs are never stored in plaintext; they are hashed before saving.
- One-Time Use: OTPs auto-expire after 10 minutes and are deleted after use.
- Rate Limiting: Requests per IP are limited to prevent abuse.
- Presigned URLs: CV is served via a time-limited S3 URL.
- TTL Cleanup: Expired OTPs are automatically cleaned up via DynamoDB TTL.
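The OTP handling described in this list (hashed storage, 10-minute expiry, deletion after use) can be sketched as follows. This is an added example, not the site's own code. It assumes a 6-digit code, an HMAC-SHA256 keyed with a server-side secret (`PEPPER`), and a plain dict standing in for the DynamoDB table; the function and field names are hypothetical.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 10 * 60          # the 10-minute expiry stated in the list above
PEPPER = secrets.token_bytes(32)   # assumption: in production, loaded from a secrets store


def _digest(request_id, otp):
    # Keyed hash bound to the request. A 6-digit code has only 10**6 values,
    # so an unkeyed hash could be reversed by anyone able to read the table.
    msg = f"{request_id}:{otp}".encode()
    return hmac.new(PEPPER, msg, hashlib.sha256).hexdigest()


def issue_otp(store, request_id, now=None):
    """Create an OTP, persist only its digest and expiry, return the code for delivery."""
    now = time.time() if now is None else now
    otp = f"{secrets.randbelow(10**6):06d}"   # CSPRNG, zero-padded to 6 digits
    store[request_id] = {
        "otp_hash": _digest(request_id, otp),
        # Epoch seconds; the same attribute could drive DynamoDB TTL cleanup.
        "expires_at": int(now) + OTP_TTL_SECONDS,
    }
    return otp


def verify_otp(store, request_id, candidate, now=None):
    """Return True once for the right code before expiry, then consume the record."""
    now = time.time() if now is None else now
    item = store.get(request_id)
    if item is None:
        return False
    if now >= item["expires_at"]:
        # TTL deletion is asynchronous, so expiry is enforced here as well.
        del store[request_id]
        return False
    # Constant-time comparison of the stored and recomputed digests.
    if not hmac.compare_digest(item["otp_hash"], _digest(request_id, candidate)):
        return False
    del store[request_id]   # one-time use: delete on success
    return True
```

Against a real table, the delete on success should be a conditional write so that two concurrent requests cannot both redeem the same code.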
🧠 Benefits
- Privacy-first: Consent and transparency before any data collection.
- Secure access: No public file exposure; gated access ensures auditability.
- User-friendly: The OTP process is familiar and seamless for most users.
- Auditable: Logged requests provide insight into who is accessing your material.
🔄 Future Enhancements
- Integrate CAPTCHA for bot protection
- Add analytics on request trends
- Auto-reply confirmation email with thank-you note
- Export request logs periodically
📘 Coming Up Next: Behind the Scenes
In the next post, I’ll share a behind-the-scenes look at how this privacy-first CV flow is implemented using:
- AWS Lambda
- DynamoDB table design (with TTL and hashed OTPs)
- SES + SNS delivery pipelines
- Secure pre-signed S3 links
Stay tuned if you’re a developer looking to implement a similar pattern for gated asset downloads or secure lead capture.
✅ Conclusion
This CV request system provides a strong balance between privacy, usability, and security. It’s lightweight enough for individual professionals to implement, yet robust enough to meet modern standards of data protection and access control.
Whether you’re sharing your resume or offering downloadable whitepapers or reports, applying a similar flow can help you respect your visitors’ privacy while protecting your intellectual property.