## Why It Matters A resume often needs to reach someone who isn't in Kit yet — a hiring manager, an interviewer, a teammate weighing in on a candidate. Forwarding the file by email leaves an untracked copy floating around with no record of who opened it. Kit's CV share gives that person the resume behind a link that **expires**, that requires them to **verify an email before downloading**, and that records every download — so a resume leaving your team is always attributable, and you can confine it to people on your company's domains. ## Turning It On CV sharing rides on the **New Applicant** Slack notification. Enable **Share CV in Slack** in your Slack integration settings (admin only). It's off by default, because the link exposes a candidate's resume to everyone in the channel. Once on, the **New Applicant** notification carries a **View CV** button — but only for **unrestricted** postings with a CV on file. If a posting is restricted to specific team members, no public button is added and that CV stays behind login. ## What the Viewer Sees The button opens a focused, **program-branded** page — your logo and colors, the candidate's name and the role they applied for. Teammates already signed in to Kit see an **Open in Kit** shortcut straight to the application. Everyone else sees a **Verify to download** step: the resume isn't served until an email is confirmed. ## Verifying an Email The viewer proves control of an email one of three ways: - **Continue with Slack** or **Continue with Google** — one click, using an account they already have. - **Email me a link** — Kit sends a one-time download link to whatever address they enter. The link is bound to that address and expires in **1 hour**. Verification proves the email, nothing more — Kit never creates a user or account for the viewer. The verified email is what makes each download attributable, and it's recorded with the download. ## Trusted Domains You can keep an allowlist of approved company email domains in your account settings, under **Trusted CV Domains**. A verified email is then classified as **trusted** when it's a member's address or sits on a listed domain, and **external** otherwise. Trusted vs. external is recorded on every download and surfaced in tracking, so you can see at a glance when a resume left for an outside address. Add a domain as a bare host (`acme.com`). Matching is **exact** — `acme.com` does not cover `eu.acme.com`, so add subdomains explicitly if you use them. Public providers (gmail.com, outlook.com, and the like) are rejected: trusting one would trust anyone with that kind of address. ### Strict Mode By default the allowlist only **classifies** downloads — anyone who verifies an email can still download. Turn on **strict mode** to also **enforce** it: downloads are then limited to members and trusted domains, and a verified-but-external email is blocked at the download step. The verify page tells the viewer up front that downloads are limited to an approved company domain. ## Who Downloaded Kit records who opened and who downloaded each CV: - **Signed-in teammates** appear as named avatars. - **Everyone else** is counted as an anonymous link view, and each **download** is recorded with its verified email, whether it was trusted or external, and the country it came from. - The tally shows on the application's page in Kit and is summarized back on the original Slack message. Repeat views within 30 minutes aren't double-counted. - When someone **outside your org** (an external, untrusted email) downloads a CV, your account admins are notified — a download leaving the team is a signal, not a silent event. ## Requesting an Invite A viewer who works with you but isn't on Kit yet can ask to be invited straight from the CV page. The request lands with your account admins, who get a notification with a one-click link to send the invite. Approving it sends a normal team invitation; once accepted they become a full member — no more one-off links. ## Expiry and Auto-Invalidation - The share link expires **48 hours** after it's created, and each download mints its own short-lived URL. - The link stops working automatically — no action needed — when the candidate is **rejected or withdrawn**, the **posting is closed**, or the **CV is replaced**. - A viewer who hits an expired link sees a short notice to ask your team for a fresh one, never a dead end with candidate details.