// Trust & Security Report
Ashby, Inc.
All-in-one recruiting platform (ATS, CRM, scheduling, analytics) with embedded AI. Three product tiers: Startup (1-100 employees), Growth (101-1000), Enterprise (1000+). AI features include candidate screening, automated outreach, and job description generation.
Certifications held
6
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on ashbyhq.com“Ashby is SOC2 compliant and Type 2 audited annually. Our SOC2 report is available to customers in our Trust Center. SOC1 and SOC2 Type II reports for the audit period 08/01/2024 - 11/30/2024 have been added.”
Verify on trust.ashbyhq.com“SOC 1 and SOC2 Type II reports for the audit period 08/01/2024 - 11/30/2024 have been added to the Trust Center.”
Verify on ashbyhq.com“All of Ashby's products are GDPR compliant. Ashby recently certified to the Data Privacy Framework (DPF), including the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework.”
Verify on ashbyhq.com“Ashby is an active registered Member of the EU-U.S. DPF.”
Verify on ashbyhq.com“Ashby recently certified to the Data Privacy Framework (DPF), including the Swiss-U.S. Data Privacy Framework.”
Verify on ashbyhq.com“Ashby recently certified to the Data Privacy Framework (DPF), including the UK Extension to the EU-U.S. Data Privacy Framework.”
> Show 5 unconfirmed / not-held certifications
source: trust.ashbyhq.comNo public evidence of ISO 27001 certification found on Ashby's trust center or security documentation. Third-party aggregators claim this certification, but Ashby's official trust center does not list it.
source: trust.ashbyhq.comNo public evidence of HIPAA certification found on Ashby's trust center or security pages. HIPAA is not listed among Ashby's compliance certifications.
source: ashbyhq.comAshby does not store credit card information. Payment processing uses Stripe, which is a Level 1 PCI Service Provider. Ashby itself does not hold PCI DSS certification.
source: trust.ashbyhq.comNo public evidence of FedRAMP authorization found on Ashby's trust center or security documentation. FedRAMP is not listed among Ashby's compliance certifications.
source: trust.ashbyhq.comNo public evidence of CSA STAR certification found on Ashby's trust center or security pages. CSA STAR is not listed among Ashby's compliance certifications.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (AWS infrastructure). Ashby acknowledges data may be transferred to the US where privacy laws may be less stringent than the user's country. Ashby offers Transfer Impact Assessment support for GDPR compliance.
Ashby explicitly states: 'Ashby is not currently training any AI models using customer data.' The company uses third-party AI models (OpenAI, AWS Bedrock, Google Gemini) and has a DPA with OpenAI preventing training. PII is redacted from resumes before sending to AI models. Customers retain ownership of all inputs and outputs. Candidates can opt-out of AI-assisted screening, and customers can opt-in/out of specific AI features.
// Security controls
Penetration Testing
Third-party security experts perform detailed penetration tests on the Ashby app and infrastructure
ashbyhq.comVulnerability Disclosure
Responsible Vulnerability Disclosure program with escalation procedures, rapid mitigation, and post-mortem review
ashbyhq.comData Processing
Acts as a data processor on behalf of customers in accordance with GDPR requirements
ashbyhq.comPII Handling
PII is redacted from resumes and candidate data before being sent to third-party AI models
ashbyhq.com// Products & data scope
data: Candidate applications, resumes, communications, scheduling, analytics. For teams 1-100 employees.
Core ATS, CRM, scheduling, and basic analytics. AI-assisted features included. Pricing approximately $400/month.
data: Full recruiting workflow including advanced CRM automation, deeper analytics, and AI features. For teams 101-1000 employees.
Enhanced automation and analytics over Startup tier. Custom pricing typically $30K-$120K annually depending on employee count.
data: Complete recruiting infrastructure with sophisticated hiring workflows, custom integrations, dedicated support, and advanced analytics. For teams 1000+ employees.
Full enterprise support, custom integrations, advanced reporting. Custom pricing based on company size and needs.
data: Advanced recruiting analytics on top of existing ATS
Standalone product for companies using other ATS platforms. Provides Ashby's analytics capabilities independently.
// What to watch
- DISCREPANCY: Third-party compliance aggregators (Nudge Security, RiscLens) claim Ashby holds ISO 27001, HIPAA, FedRAMP, and CSA STAR certifications. However, Ashby's official trust center and security documentation do NOT list these certifications. Only SOC 2, SOC 1, GDPR, and Data Privacy Framework certifications are publicly displayed. AIFOXX should verify directly with Ashby before listing any of the unconfirmed certifications.
- PRODUCT TIERS: Ashby has three distinct product tiers (Startup, Growth, Enterprise) with different pricing models and potential feature differences. Ensure AIFOXX assessment reflects the enterprise-grade SOC 2 certification applies to all tiers, but pricing and feature sets differ significantly.
- AI TRAINING: While Ashby does NOT train on customer data (explicitly stated), the company uses third-party AI models (OpenAI, AWS Bedrock, Google Gemini). Customers should be aware of these third-party dependencies. AI features can be opted out at both candidate and customer levels.
- DATA RESIDENCY: Ashby operates from the US and transfers data to US data centers. Customers in regulated jurisdictions (EU, UK, etc.) should be aware of this. Ashby offers Transfer Impact Assessment support for GDPR compliance, but data residency in US may require additional safeguards for some use cases.
// At a glance
Pricing model
Per-employee model. Startup tier ~$400/month (1-100 employees). Growth tier custom pricing $30K-$120K+/year (101-1000 employees). Enterprise custom pricing (1000+ employees). 2026 change: elevated seats model for advanced users (hiring managers, admins).
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Ashby, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.ashbyhq.com