Is 100Hires GDPR compliant?

100Hires is a GDPR-compliant data processor under Article 28, and you remain the data controller. 100Hires gives you controls to support your obligations, including consent tracking, configurable retention, candidate deletion workflows, data export, and a DPA, while you decide your lawful basis and how you handle candidates. No tool makes your organization compliant on its own.

Where is my candidate data stored?

EU customer data is hosted in Germany on Hetzner, and data for the US, Canada, and the rest of the world is hosted on AWS in the US. Both paths use encryption in transit and at rest. For transfer terms, ask 100Hires for the DPA with Standard Contractual Clauses at privacy@100hires.com.

How does 100Hires handle candidate consent?

100Hires lets you request consent in one click, shows the current consent status on every candidate profile, and keeps an audit trail of changes. Consent is not always the right lawful basis in recruitment, and applying for a job is not the same as consent, so you choose and document your basis while 100Hires records what you collect.

Can a candidate ask me to delete their data?

Yes. In 100Hires, the Remove candidate profile action deletes all of that candidate's data from the candidate record, which helps you respond to an erasure request. You can also set auto-delete so candidates whose consent has expired are removed automatically.

How do I handle a data subject access request?

GDPR requires you to respond to a data subject access request within 30 days. In 100Hires, exporting a candidate gives you their full record in one CSV - profile fields, notes, messages, application history, and evaluations. Bulk GDPR actions let you handle requests across many candidates at once. That covers both the access and data portability obligations in a few clicks.

How long does 100Hires keep candidate data?

You set a retention period from 1 to 60 months in your 100Hires GDPR settings, after which consent lapses and the data can be auto-deleted. Account cancellation is a separate workflow: data is kept for 6 months for reactivation, then irreversibly deleted, including from backups, with a certificate of data destruction available on request.

Do you provide a DPA and SCCs?

Yes. 100Hires offers a GDPR-compliant Data Processing Agreement that includes Standard Contractual Clauses for international transfers. Request it from privacy@100hires.com so your procurement or legal team can review it before you roll out 100Hires.

Does 100Hires use my candidate data to train AI?

No. 100Hires does not use your candidate data to train its AI, and its AI sub-processors run under paid terms that prohibit training on your data. You can switch off AI features like AI Score, AI Copilot, and the AI Email Composer at the account level.

Is 100Hires SOC 2 certified?

100Hires is currently in the process of obtaining SOC 2 Type II attestation, and its controls already map to the SOC 2 Trust Services Criteria. It runs on ISO 27001-certified data centers from AWS and Hetzner. So the honest answer today is in progress rather than certified, and 100Hires can share its current controls for your security review.

How do I turn on GDPR in 100Hires?

Switch on GDPR in your 100Hires account under Settings, then set your retention period, consent options, and privacy policy URL. The setup steps are at https://help.100hires.com/en/article/gdpr-compliance-settings-121zgz5/.

Do candidates need to consent before you can store their CV?

Not necessarily. When a candidate proactively sends you their CV or applies for a role, legitimate interest is often the right lawful basis rather than consent. Consent is usually more appropriate when you add someone to a talent pool without a direct application, or want to contact them about future roles. 100Hires lets you configure your lawful basis in Settings and keeps a record of it alongside each candidate. A data protection professional or your DPO can confirm the right approach for your situation and jurisdiction.

GDPR-Compliant ATS & Recruitment Software for EU & UK Hiring

100Hires

100hires
Features
GDPR-Compliant ATS & Recruitment Software for EU & UK Hiring

What a GDPR-compliant ATS should let you control

An applicant tracking system cannot make you GDPR compliant on its own. What GDPR-compliant recruitment software should do is give you the controls to track consent, set retention periods, run deletion workflows, show a privacy notice, and export candidate data.

100Hires is a GDPR-compliant data processor under Article 28, and you remain the data controller. That split matters: you decide the lawful basis, the privacy notice, and the outreach rules for candidates.

Consent is not always the right basis in recruitment, since applying for a job is not the same as consent. 100Hires records the consent you collect and applies the retention, deletion, and export workflows you configure, so the controls match the decisions you have already made.

Stop scrambling when a candidate asks you to delete their data

The most common source of GDPR exposure in recruiting is not a misconfigured system. It is the email inbox. A candidate sends their CV directly, and it sits in Outlook. Their details get forwarded to a hiring manager.

Notes from the call go into a spreadsheet. Months later they send a deletion request, and you do not know where everything is.

Right-to-be-forgotten and access requests are also arriving more deliberately. Candidates who feel ignored or treated unfairly now send data subject access requests as a form of accountability. Erasure requests that used to be rare now arrive monthly for many EU and UK hiring teams.

Recruiters are unsure how long they can hold a CV, what a privacy notice has to say, and what to do when a candidate emails asking for everything on file.

Then procurement gets involved, asking where data is hosted, whether you sign a DPA, and what happens to the candidates you reject and the resume database you build over time.

When the answers live in scattered spreadsheets and inboxes, every one of those questions becomes a fire drill. GDPR-compliant recruitment software keeps the candidate-data controls and records in one hiring system.

Keep GDPR work inside the hiring workflow

What your security and procurement team will ask for

Security reviews ask the same questions every time. Here is how 100Hires answers them in one place, with the hosting, encryption, and DPA details your procurement team will want on file. For the full program, see the 100Hires security overview.

100Hires vs a typical ATS on GDPR

Here is how 100Hires lines up against a typical ATS on the GDPR features hiring teams actually use, with pricing you can check up front.

We use cookies to offer you our service. By continuing to use this site, you consent to our use of cookies as described in our policy