Security and trust, in one place.
Everything your security reviewers usually ask for, gathered here: our certifications, the controls we run, our policies, subprocessors, and audit reports. Less back and forth, faster answers.
How we think about security
You’re trusting us with real hiring data: resumes, interview answers, notes, decisions. Keeping that safe is work we do every day, not a box we ticked once.
This page pulls together our certifications, the controls we run, how we handle data, and how our AI behaves, so you can check TidyHire against your own requirements. We keep it current as things change.
Certifications and audits
Our information security management system is independently audited. Many enterprises accept ISO 27001 in place of SOC 2, and we’re working through our SOC 2 audit now.
| Standard | What it covers | Status |
|---|---|---|
| ISO/IEC 27001:2022 | Information security management | Certified |
| SOC 2 Type I & II | Trust Services Criteria for Security | In progress |
We can share the ISO 27001 certificate, and the SOC 2 reports once they’re ready, under NDA. Request documents.
How we handle your data
Your data stays yours
We don't sell your data or hand it to third parties for their own use. When we improve our own product, we work from data that's aggregated and stripped of anything that identifies a person.
Deletion on request
Candidates and customers can ask us to delete their personal data at any time. We action the request, subject to our legal obligations, and the data is securely deleted or anonymized.
If something goes wrong
We keep a documented incident response plan. If a confirmed security incident affects your data, we notify you promptly, keep you updated, and follow up with a post-mortem.
Only as long as needed
We keep personal data only for as long as we need it to run the service and meet our legal obligations. After that, it's securely deleted or anonymized, and trial data is removed once the trial ends.
AI you can take to your legal team
Charlie (our AI interviewer) and Ria (our AI voice screener) do real work in your hiring process, so how they handle data and decisions matters. Here is exactly what they do and don’t do.
Why this matters: laws like NYC Local Law 144, the Illinois AI Video Interview Act, and the EU AI Act increasingly limit automated facial and emotion analysis in hiring. We don’t do any of it, so bringing in Charlie and Ria doesn’t add to your compliance load.
The controls we run
Technical and operational safeguards, active around the clock.
Encryption at rest and in transit
AES-256 for data at rest and TLS for everything in transit. Encryption keys are protected and their strength is reviewed regularly.
Role-based access control
Least-privilege access with MFA on all production and privileged accounts, with regular password rotation and access reviews.
Secure infrastructure
Hosted on Google Cloud behind Cloudflare for WAF and DDoS protection, with network segmentation, firewalls, and isolated production.
Monitoring and logging
Central log management with regular reviews, automated anomaly alerts, and retained audit logs.
Secure development
Peer review on every change, SAST and DAST, and OWASP Top 10 / SANS Top 25 coding standards. Critical and high issues are fixed before release.
Vulnerability management
Penetration tests and vulnerability scans on our public systems, plus a test before every production release. Findings are prioritized and fixed by severity.
Backups and recovery
Encrypted backups are stored in a separate region and regularly restore-tested, with recovery-time and recovery-point objectives in place.
Incident response
A documented runbook covers detection and containment, and we notify affected customers promptly after a confirmed incident.
Policies, certificates, and reports
Available for your review. Confidential documents are shared under NDA. Request access and we’ll follow up.
Who we work with
These vendors help us run TidyHire and may process customer data. Each one is vetted against its ISO 27001 or SOC 2 report before we bring it on, and we keep this list current as it changes.
Questions we get often
Is TidyHire ISO 27001 certified?
Yes. TidyHire, operated by Facteye Tech Labs Pvt Ltd, is ISO/IEC 27001 certified for its information security management system. We can share a copy of the certificate on request.
Do you have a SOC 2 report?
We're currently going through both our SOC 2 Type I and Type II audits. When they're done, the reports will be available under NDA. Email us and we'll let you know when they're ready.
Do you train AI models on our candidate data?
No. Candidate and customer data is never used to train foundation models, and our LLM providers process data under enterprise API terms that keep it out of their training.
How is my data encrypted?
Data is encrypted in transit with TLS and at rest with AES-256.
Where is my data hosted?
TidyHire runs on Google Cloud Platform in India, with Cloudflare for WAF and DDoS protection.
How long do you keep my data?
We keep personal data only as long as we need it to provide the service and meet our legal obligations, then securely delete or anonymize it. Trial data is removed after the trial ends.
How do I request deletion of my data?
Email support@tidyhire.app. Candidates and customers can ask us to delete their personal data at any time, subject to our legal obligations, and it's then securely deleted or anonymized.
How do I report a security issue?
Email support@tidyhire.app with enough detail to reproduce it. We look into every good-faith report and will confirm we've received yours.
Get in touch
Report a vulnerability
Found an issue? Send steps to reproduce and we’ll take a look.
support@tidyhire.app
For security reports, give us a reasonable window to fix things before going public, and please don’t access data that isn’t yours. Report in good faith and we won’t pursue legal action.