Trust Center

Security and trust, in one place.

Everything your security reviewers usually ask for, gathered here: our certifications, the controls we run, our policies, subprocessors, and audit reports. Less back and forth, faster answers.

ISO 27001 · 27001:2022 · Certified
SOC 2 · Type I & II · In progress
99.9% · Uptime SLA
AES-256 · Encryption at rest

Security approach

How we think about security

You’re trusting us with real hiring data: resumes, interview answers, notes, decisions. Keeping that safe is work we do every day, not a box we ticked once.

This page pulls together our certifications, the controls we run, how we handle data, and how our AI behaves, so you can check TidyHire against your own requirements. We keep it current as things change.

Compliance

Certifications and audits

Our information security management system is independently audited. Many enterprises accept ISO 27001 in place of SOC 2, and we’re working through our SOC 2 audit now.

Standard | What it covers | Status
ISO/IEC 27001:2022 | Information security management | Certified
SOC 2 Type I & II | Trust Services Criteria for Security | In progress

We can share the ISO 27001 certificate, and the SOC 2 reports once they’re ready, under NDA.

Privacy & data

How we handle your data

Your data stays yours

We don't sell your data or hand it to third parties for their own use. When we improve our own product, we work from data that's aggregated and stripped of anything that identifies a person.

Deletion on request

Candidates and customers can ask us to delete their personal data at any time. We action the request, subject to our legal obligations, and the data is securely deleted or anonymized.

If something goes wrong

We keep a documented incident response plan. If a confirmed security incident affects your data, we notify you promptly, keep you updated, and follow up with a post-mortem.

Only as long as needed

We keep personal data only for as long as we need it to run the service and meet our legal obligations. After that, it's securely deleted or anonymized, and trial data is removed once the trial ends.

AI posture

AI you can take to your legal team

Charlie (our AI interviewer) and Ria (our AI voice screener) do real work in your hiring process, so how they handle data and decisions matters. Here is exactly what they do and don’t do.

Training on your data
No. We never use candidate or customer data to train foundation models. Our LLM calls run under enterprise API terms that keep your data out of provider training.
Human in the loop
Yes. Charlie and Ria surface evidence and signal. The hiring decision stays with your team. Nothing is hired or rejected automatically.
Emotion or facial analysis
None. We look at what a candidate says and the skills they show. We do not score appearance, facial expression, or inferred emotion.
Explainability
Traceable. Every recommendation ties back to the candidate's actual answers, mapped to the rubric for the role. It isn't a black-box score.
Bias monitoring
Ongoing. We review screening and interview outcomes for adverse impact and keep prompts and rubrics focused on job-relevant signal.

Why this matters: laws like NYC Local Law 144, the Illinois AI Video Interview Act, and the EU AI Act increasingly limit automated facial and emotion analysis in hiring. We don’t do any of it, so bringing in Charlie and Ria doesn’t add to your compliance load.

Security controls

The controls we run

Technical and operational safeguards, active around the clock.

Active

Encryption at rest and in transit

AES-256 for data at rest and TLS for everything in transit. Encryption keys are protected and their strength is reviewed regularly.

Active

Role-based access control

Least-privilege access with MFA on all production and privileged accounts, with regular password rotation and access reviews.

Active

Secure infrastructure

Hosted on Google Cloud behind Cloudflare for WAF and DDoS protection, with network segmentation, firewalls, and isolated production.

Active

Monitoring and logging

Central log management with regular reviews, automated anomaly alerts, and retained audit logs.

Active

Secure development

Peer review on every change, SAST and DAST, and OWASP Top 10 / SANS Top 25 coding standards. Critical and high issues are fixed before release.

Active

Vulnerability management

Penetration tests and vulnerability scans on our public systems, plus a test before every production release. Findings are prioritized and fixed by severity.

Active

Backups and recovery

Encrypted backups are stored in a separate region and regularly restore-tested, with recovery-time and recovery-point objectives in place.

Active

Incident response

A documented runbook covers detection and containment, and we notify affected customers promptly after a confirmed incident.

Documents

Policies, certificates, and reports

Available for your review. Confidential documents are shared under NDA. Request access and we’ll follow up.

Document | Type
ISO 27001 Certificate | Certificate
SOC 2 Type I Report (in progress) | Report
SOC 2 Type II Report (in progress) | Report
Penetration Test (VAPT) Report | Report
Information Security Policy | Policy
Access Control Policy | Policy
Encryption & Key Management Policy | Policy
Network Management Policy | Policy
Incident Management Policy | Policy
Business Continuity & Disaster Recovery Policy | Policy
Backup & Restore Policy | Policy
Patch & Vulnerability Management Policy | Policy
Secure Development & Maintenance Policy | Policy
Vendor Management Policy | Policy
Data Privacy Policy | Policy
Data Retention & Deletion Policy | Policy

Subprocessors

Who we work with

These vendors help us run TidyHire and may process customer data. Each one is vetted against its ISO 27001 or SOC 2 report before we bring it on, and we keep this list current as it changes.

Vendor | Purpose | Region
Google Cloud Platform | Cloud hosting and infrastructure | IN
Cloudflare | CDN, WAF and DDoS protection | Global
Sentry | Error monitoring and performance | US
PostHog | Product analytics | US

FAQ

Questions we get often

Is TidyHire ISO 27001 certified?

Yes. TidyHire, operated by Facteye Tech Labs Pvt Ltd, is ISO/IEC 27001 certified for its information security management system. We can share a copy of the certificate on request.

Do you have a SOC 2 report?

We're currently going through both our SOC 2 Type I and Type II audits. When they're done, the reports will be available under NDA. Email us and we'll let you know when they're ready.

Do you train AI models on our candidate data?

No. Candidate and customer data is never used to train foundation models, and our LLM providers process data under enterprise API terms that keep it out of their training.

How is my data encrypted?

Data is encrypted in transit with TLS and at rest with AES-256.

Where is my data hosted?

TidyHire runs on Google Cloud Platform in India, with Cloudflare for WAF and DDoS protection.

How long do you keep my data?

We keep personal data only as long as we need it to provide the service and meet our legal obligations, then securely delete or anonymize it. Trial data is removed after the trial ends.

How do I request deletion of my data?

Email support@tidyhire.app. Candidates and customers can ask us to delete their personal data at any time, subject to our legal obligations, and it's then securely deleted or anonymized.

How do I report a security issue?

Email support@tidyhire.app with enough detail to reproduce it. We look into every good-faith report and will confirm we've received yours.

Contact

Get in touch

Security & compliance

Documents, questionnaires, and security reviews.

support@tidyhire.app

Privacy & data

Data requests, deletion, and privacy questions.

support@tidyhire.app

Report a vulnerability

Found an issue? Send steps to reproduce and we’ll take a look.

support@tidyhire.app

For security reports, give us a reasonable window to fix things before going public, and please don’t access data that isn’t yours. Report in good faith and we won’t pursue legal action.