// Trust & Security Report

    Ashby, Inc. logo

    Ashby, Inc.

    All-in-one recruiting platform (ATS, CRM, scheduling, analytics) with embedded AI. Three product tiers: Startup (1-100 employees), Growth (101-1000), Enterprise (1000+). AI features include candidate screening, automated outreach, and job description generation.

    Certifications held

    6

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Ashby is SOC2 compliant and Type 2 audited annually. Our SOC2 report is available to customers in our Trust Center. SOC1 and SOC2 Type II reports for the audit period 08/01/2024 - 11/30/2024 have been added.

    Verify on ashbyhq.com
    SOC 1 Type 2
    HELD

    SOC 1 and SOC2 Type II reports for the audit period 08/01/2024 - 11/30/2024 have been added to the Trust Center.

    Verify on trust.ashbyhq.com
    GDPR Compliance
    HELD

    All of Ashby's products are GDPR compliant. Ashby recently certified to the Data Privacy Framework (DPF), including the EU-U.S. Data Privacy Framework, the Swiss-U.S. Data Privacy Framework, and the UK Extension to the EU-U.S. Data Privacy Framework.

    Verify on ashbyhq.com
    EU-U.S. Data Privacy Framework
    HELD

    Ashby is an active registered Member of the EU-U.S. DPF.

    Verify on ashbyhq.com
    Swiss-U.S. Data Privacy Framework
    HELD

    Ashby recently certified to the Data Privacy Framework (DPF), including the Swiss-U.S. Data Privacy Framework.

    Verify on ashbyhq.com
    UK Extension to EU-U.S. Data Privacy Framework
    HELD

    Ashby recently certified to the Data Privacy Framework (DPF), including the UK Extension to the EU-U.S. Data Privacy Framework.

    Verify on ashbyhq.com
    > Show 5 unconfirmed / not-held certifications
    ISO 27001
    NOT CONFIRMED

    No public evidence of ISO 27001 certification found on Ashby's trust center or security documentation. Third-party aggregators claim this certification, but Ashby's official trust center does not list it.

    source: trust.ashbyhq.com
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA certification found on Ashby's trust center or security pages. HIPAA is not listed among Ashby's compliance certifications.

    source: trust.ashbyhq.com
    PCI DSS
    NOT CONFIRMED

    Ashby does not store credit card information. Payment processing uses Stripe, which is a Level 1 PCI Service Provider. Ashby itself does not hold PCI DSS certification.

    source: ashbyhq.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on Ashby's trust center or security documentation. FedRAMP is not listed among Ashby's compliance certifications.

    source: trust.ashbyhq.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification found on Ashby's trust center or security pages. CSA STAR is not listed among Ashby's compliance certifications.

    source: trust.ashbyhq.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (AWS infrastructure). Ashby acknowledges data may be transferred to the US where privacy laws may be less stringent than the user's country. Ashby offers Transfer Impact Assessment support for GDPR compliance.

    Ashby explicitly states: 'Ashby is not currently training any AI models using customer data.' The company uses third-party AI models (OpenAI, AWS Bedrock, Google Gemini) and has a DPA with OpenAI preventing training. PII is redacted from resumes before sending to AI models. Customers retain ownership of all inputs and outputs. Candidates can opt-out of AI-assisted screening, and customers can opt-in/out of specific AI features.

    // Security controls

    Encryption in Transit

    TLS 1.2 and TLS 1.3

    ashbyhq.com

    Infrastructure

    Amazon Web Services (AWS) managed infrastructure services

    ashbyhq.com

    Penetration Testing

    Third-party security experts perform detailed penetration tests on the Ashby app and infrastructure

    ashbyhq.com

    SSL Rating

    Qualys SSL Labs A+ rating

    trust.ashbyhq.com

    Vulnerability Disclosure

    Responsible Vulnerability Disclosure program with escalation procedures, rapid mitigation, and post-mortem review

    ashbyhq.com

    Data Processing

    Acts as a data processor on behalf of customers in accordance with GDPR requirements

    ashbyhq.com

    PII Handling

    PII is redacted from resumes and candidate data before being sent to third-party AI models

    ashbyhq.com

    // Products & data scope

    Ashby All-in-one (Startup Tier)ATS with AI

    data: Candidate applications, resumes, communications, scheduling, analytics. For teams 1-100 employees.

    Core ATS, CRM, scheduling, and basic analytics. AI-assisted features included. Pricing approximately $400/month.

    Ashby All-in-one (Growth Tier)ATS with AI

    data: Full recruiting workflow including advanced CRM automation, deeper analytics, and AI features. For teams 101-1000 employees.

    Enhanced automation and analytics over Startup tier. Custom pricing typically $30K-$120K annually depending on employee count.

    Ashby All-in-one (Enterprise Tier)ATS with AI

    data: Complete recruiting infrastructure with sophisticated hiring workflows, custom integrations, dedicated support, and advanced analytics. For teams 1000+ employees.

    Full enterprise support, custom integrations, advanced reporting. Custom pricing based on company size and needs.

    Ashby AnalyticsAnalytics Add-on

    data: Advanced recruiting analytics on top of existing ATS

    Standalone product for companies using other ATS platforms. Provides Ashby's analytics capabilities independently.

    // What to watch

    • DISCREPANCY: Third-party compliance aggregators (Nudge Security, RiscLens) claim Ashby holds ISO 27001, HIPAA, FedRAMP, and CSA STAR certifications. However, Ashby's official trust center and security documentation do NOT list these certifications. Only SOC 2, SOC 1, GDPR, and Data Privacy Framework certifications are publicly displayed. AIFOXX should verify directly with Ashby before listing any of the unconfirmed certifications.
    • PRODUCT TIERS: Ashby has three distinct product tiers (Startup, Growth, Enterprise) with different pricing models and potential feature differences. Ensure AIFOXX assessment reflects the enterprise-grade SOC 2 certification applies to all tiers, but pricing and feature sets differ significantly.
    • AI TRAINING: While Ashby does NOT train on customer data (explicitly stated), the company uses third-party AI models (OpenAI, AWS Bedrock, Google Gemini). Customers should be aware of these third-party dependencies. AI features can be opted out at both candidate and customer levels.
    • DATA RESIDENCY: Ashby operates from the US and transfers data to US data centers. Customers in regulated jurisdictions (EU, UK, etc.) should be aware of this. Ashby offers Transfer Impact Assessment support for GDPR compliance, but data residency in US may require additional safeguards for some use cases.

    // At a glance

    Pricing model

    Per-employee model. Startup tier ~$400/month (1-100 employees). Growth tier custom pricing $30K-$120K+/year (101-1000 employees). Enterprise custom pricing (1000+ employees). 2026 change: elevated seats model for advanced users (hiring managers, admins).

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Ashby, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-06. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.ashbyhq.com

    > Browse all vendor trust reports