Your applicant tracking system holds some of the most sensitive data your company touches: resumes, contact details, interview notes, evaluations, and messages for every person who applies.
When IT or a security reviewer asks how that data is protected, you need a straight answer, not a sales pitch.
This page is that answer. You are the data controller for your candidate data and 100Hires is your processor, so the controls below exist to support your own obligations to candidates.
The full Security FAQ and a GDPR data processing agreement are available on request, and everything here maps to what your reviewers actually ask about.
Your data is encrypted everywhere it lives
Candidate data is encrypted in transit with TLS 1.2 or higher on every network connection, including API and application connections, and encrypted at rest with AES-256 in the database. Every web service presents a valid TLS certificate.
Email sent from your account is authenticated with SPF and DKIM and covered by a DMARC policy, so receiving mail servers can verify that a message really came from the authorized sender and handle forgeries according to the published policy instead of delivering them as yours.
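A reviewer checking the email-authentication claim above will want to know what the DMARC policy actually instructs receivers to do, because a record with p=none only asks for reports and still lets spoofed mail through. The POSIX shell snippet below is an added example, not 100Hires' tooling, and it classifies a DMARC TXT record into enforcing, partial, monitor or invalid. The records it runs on are constructed samples for example.com, not any real domain's DNS; to check a live domain, feed it the output of dig +short TXT _dmarc.yourdomain.com.

```shell
#!/bin/sh
# Added example: classify a DMARC policy from the text of its TXT record.
# All records used here are constructed samples, not real DNS data.

# dmarc_tag RECORD TAG: print the value of TAG (p, sp, pct, rua, ...) from a
# semicolon-separated DMARC record; prints nothing if the tag is absent.
dmarc_tag() {
  rec=$1 want=$2 val=""
  old_ifs=$IFS; IFS=';'
  for kv in $rec; do
    # trim surrounding whitespace around each "tag=value" pair
    kv=$(printf '%s' "$kv" | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
    case $kv in
      "$want"=*) val=${kv#*=} ;;
    esac
  done
  IFS=$old_ifs
  printf '%s' "$val"
}

# dmarc_verdict RECORD: print one of
#   enforcing - p=reject or p=quarantine applied to 100% of mail
#   partial   - enforcing policy, but pct<100 so only a sample is acted on
#   monitor   - p=none: receivers send reports, spoofed mail is still delivered
#   invalid   - not a DMARC record, or the mandatory p tag is missing/unknown
dmarc_verdict() {
  rec=$1
  case $rec in
    v=DMARC1*) ;;
    *) printf 'invalid\n'; return 1 ;;
  esac
  p=$(dmarc_tag "$rec" p)
  pct=$(dmarc_tag "$rec" pct)
  : "${pct:=100}"            # pct defaults to 100 when absent (RFC 7489)
  case $p in
    reject|quarantine)
      if [ "$pct" -eq 100 ]; then printf 'enforcing\n'; else printf 'partial\n'; fi ;;
    none) printf 'monitor\n' ;;
    *) printf 'invalid\n'; return 1 ;;
  esac
}

# Stand-alone demonstration over constructed records.
for sample in \
  'v=DMARC1; p=reject; rua=mailto:dmarc@example.com' \
  'v=DMARC1; p=quarantine; pct=25; rua=mailto:dmarc@example.com' \
  'v=DMARC1; p=none; rua=mailto:dmarc@example.com'
do
  printf '%-60s -> %s\n' "$sample" "$(dmarc_verdict "$sample")"
done
```

Only an enforcing verdict backs a claim that forgeries are blocked; monitor means the domain owner is collecting reports but has not yet told receivers to reject.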
Your data is hosted in the EU or the US
Where your candidate data physically lives is decided by your primary location. EU customers are hosted in Hetzner data centers in Germany, which hold ISO 27001 certification.
Customers in the US, Canada, and the rest of the world are hosted on Amazon Web Services in the United States; AWS holds SOC 2 Type II and ISO 27001 certifications for that infrastructure.
Both locations encrypt data in transit and at rest. We say this plainly because it matters for your own assessment: for Canadian customers, candidate data is hosted in the US, and that cross-border transfer is the detail a Quebec Law 25 privacy impact assessment turns on.
If you need an input document for that assessment, we provide one on request.
You own your data, and we never train AI on it
You keep full ownership of everything you upload or generate in 100Hires: candidate profiles, resumes, notes, evaluations, and messages. We process that data only to run the service for you. We do not sell it, license it, or hand it to anyone for marketing or analytics.
100Hires does not train its own AI models on your data.
When a feature like AI Score, the AI Copilot, or the AI Email Composer sends data to an AI provider, we use paid API tiers under commercial terms where the provider contractually commits not to train its models on your prompts or content.
If your policy or your jurisdiction does not allow third-party AI at all, you can turn every AI feature off for the whole account in one place.
Locked-down access, monitored in real time
Servers accept SSH key authentication only, with password login disabled, and keys are rotated when staff change. Multi-factor authentication is required on every security-sensitive system, including administrative access, customer-data repositories, and any vendor connection.
Inside the application, role-based access follows least privilege, and we review who has access every quarter.
The network denies everything by default and opens only ports 80 and 443, with production separated from non-production.
fail2ban bans source addresses that repeatedly fail authentication, Grafana provides monitoring and alerting, and security event logs, which record successful and failed access attempts alike, are retained for at least 90 days with write access restricted so they cannot be quietly altered.
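The SSH claim in this section (key authentication only, password login disabled) is something a reviewer can ask for as configuration evidence. The POSIX shell script below is an added example, not 100Hires' own tooling, and it audits an sshd_config file for that claim the way sshd itself reads the file: the first uncommented occurrence of a key wins, and a key that is absent falls back to the OpenSSH default, which for password and keyboard-interactive authentication is yes, so a missing line counts as a failure. The configuration it runs on is a constructed sample written to a temporary file, not a real server's.

```shell
#!/bin/sh
# Added example: check an sshd_config against "key auth only, passwords off".
# SAMPLE_CONFIG is a constructed file, not a production server's configuration.

SAMPLE_CONFIG=$(mktemp)
cat >"$SAMPLE_CONFIG" <<'EOF'
# constructed sshd_config excerpt
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin prohibit-password
PermitEmptyPasswords no
EOF

# sshd_effective FILE KEY: print the effective (first uncommented) value of
# KEY in lower case, matching sshd's first-match-wins rule; prints nothing if
# the key never appears.
sshd_effective() {
  awk -v key="$2" '
    /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
    tolower($1) == tolower(key) { print tolower($2); exit }
  ' "$1"
}

# sshd_audit FILE: print one PASS/FAIL line per control and return 0 only
# if every control holds.
sshd_audit() {
  f=$1; rc=0
  for spec in \
    "PasswordAuthentication:no" \
    "PubkeyAuthentication:yes" \
    "KbdInteractiveAuthentication:no" \
    "PermitEmptyPasswords:no"
  do
    key=${spec%%:*}; want=${spec#*:}
    got=$(sshd_effective "$f" "$key")
    # An absent key means the OpenSSH default applies; for the password and
    # keyboard-interactive settings that default is "yes", so treat "unset"
    # as a failure rather than assuming the operator meant "no".
    if [ "$got" = "$want" ]; then
      printf 'PASS %s=%s\n' "$key" "$got"
    else
      printf 'FAIL %s=%s (want %s)\n' "$key" "${got:-<unset>}" "$want"; rc=1
    fi
  done
  # PermitRootLogin: anything other than no / prohibit-password lets root
  # authenticate with a password, which undercuts the key-only claim.
  root=$(sshd_effective "$f" PermitRootLogin)
  case $root in
    no|prohibit-password|without-password) printf 'PASS PermitRootLogin=%s\n' "$root" ;;
    *) printf 'FAIL PermitRootLogin=%s\n' "${root:-<unset>}"; rc=1 ;;
  esac
  return $rc
}

sshd_audit "$SAMPLE_CONFIG"
```

On a live host, running the same checks against the output of sshd -T (the fully resolved configuration, including Match blocks and defaults) is more reliable than reading the file, since it removes the first-match and default-value pitfalls the script has to handle by hand.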
GDPR and privacy, built into the product
The privacy controls a reviewer expects are not a separate module or a support ticket. They live in Settings, on the same screens your recruiters already use.
Turn on GDPR in Settings and pick a candidate data retention period from 1 to 60 months. When that period ends, 100Hires can delete the candidate automatically and send consent renewal emails before consent expires, so you are not chasing it by hand.
Add your privacy policy URL once and it shows on every consent request a candidate sees, and on your career site footer if you want it there.
Privacy laws beyond GDPR
The same controls support compliance with Canadian privacy law: PIPEDA, Quebec Law 25, Alberta PIPA, and BC PIPA. Our Privacy Officer is Alex Kravets, reachable at privacy@100hires.com, and a DPA covering PIPEDA and Law 25 terms is available on request.
For candidate outreach under CASL, nurture and bulk email templates carry automatic unsubscribe links, sender identification, and suppression once a candidate opts out.
Where automated decisions are regulated, the design helps: AI Score, the AI Copilot, and the AI Email Composer produce recommendations a recruiter reviews, and they never auto-reject or auto-hire anyone.
Knockout questions are the exception: they can disqualify a candidate automatically on a clear-cut answer, so if you hire in Quebec, check that configuration against Law 25's rules on decisions based exclusively on automated processing.
We provide template disclosure language if you want to tell candidates when AI assists your process.
The vendors we trust with your data
We keep the list of vendors who touch your data short, and every one of them holds SOC 2 Type II, ISO 27001, or an equivalent certification and signs a data processing agreement. We review the critical ones every year.
Job boards are a different case. When 100Hires distributes a posting to Indeed, LinkedIn, ZipRecruiter, Glassdoor, Google Jobs, and the other boards we support, they receive only the public job description. No candidate or customer data leaves with it.
Your data is yours to export and to delete
You can export all candidate data from the Candidates page at any time, so keeping your own copy is never blocked.
If you cancel, we hold your account data for six months in case you come back, then delete it completely: from production databases, from backups and archives, and from log files that contain personal data.
The removal is irreversible and verified, and we can issue a certificate of destruction on request.
If something goes wrong, you hear it fast
100Hires keeps documented incident response, disaster recovery, and business continuity plans, with automated backups that are tested regularly.
If a breach affecting your data is confirmed, we notify your registered contact within 72 hours with what happened and what we did, followed by a detailed report inside 7 days.
On the development side, code is scanned for vulnerabilities and dependency issues before it ships, security review is part of every change, and we do not deploy with a known vulnerability open.
Critical issues are fixed within 24 hours and high-severity issues within 7 days. Everyone with access to your data clears a background check and signs a confidentiality agreement that survives their leaving.
Security reviews for enterprise teams
Most enterprise deals now include a security questionnaire, and a vendor that will not complete one is a red flag. 100Hires completes them.
If your procurement process needs more than this page, we work with it.
For enterprise customers we answer security questionnaires, share our security policies under a mutual NDA, provide evidence of controls such as configurations and sample logs, and join a security review call with our technical team.
We are direct about where we stand: 100Hires is in the process of obtaining SOC 2 Type II attestation.
Until that is complete, our controls already map to the SOC 2 Trust Services Criteria for security, availability, and confidentiality, and we share that control documentation today so you can complete your own assessment.
To start a review or request a DPA, contact privacy@100hires.com.