// Trust & Security Report

    Eightfold AI, Inc. logo

    Eightfold AI, Inc.

    AI-native talent intelligence platform for recruiting, workforce planning, and career development

    Certifications held

    15

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Eightfold has obtained a SOC 2 Type II assessment provided by independent third-party auditors.

    Verify on eightfold.ai
    SOC 3
    HELD

    Eightfold has a public SOC 3 report that provides an overview of our service organization controls.

    Verify on eightfold.ai
    ISO 27001
    HELD

    Eightfold is ISO 27001 certified by independent third-party auditors.

    Verify on eightfold.ai
    ISO 27017
    HELD

    Eightfold is ISO27017 certified by independent third-party auditors.

    Verify on eightfold.ai
    ISO 27701
    HELD

    Eightfold is ISO27701 certified by independent third-party auditors.

    Verify on eightfold.ai
    ISO/IEC 42001 (AI Management System)
    HELD

    Eightfold is ISO42001 certified for its AI management system by independent third-party auditors. Eightfold claims to be the first HR technology company to be certified for controls as a developer of AI systems, a provider of AI-enabled services, and a consumer of third-party AI.

    Verify on eightfold.ai
    FedRAMP Moderate
    HELD

    Eightfold is FedRAMP Moderate Authorized for our SaaS offering hosted in, meeting the security and compliance requirements of U.S. public sector agencies.

    Verify on eightfold.ai
    DISA IL4 (DoD Impact Level 4 Provisional Authorization)
    HELD

    Eightfold is a FedRAMP authorized and DISA IL4 certified talent intelligence platform.

    Verify on eightfold.ai
    GDPR
    HELD

    Eightfold is compliant with European Union General Data Protection Regulations (GDPR) as applied to Eightfold.

    Verify on eightfold.ai
    EU-U.S. Data Privacy Framework (and UK and Swiss extensions)
    HELD

    Eightfold complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF).

    Verify on eightfold.ai
    CCPA
    HELD

    Eightfold is compliant with the California Consumer Privacy Act (CCPA) as applied to Eightfold.

    Verify on eightfold.ai
    OFCCP
    HELD

    Eightfold supports record keeping standards established by the Office of Federal Contract Compliance Programs (OFCCP).

    Verify on eightfold.ai
    NYC Local Law 144 (Automated Employment Decision Tools bias audit)
    HELD

    New York City Local Law 144 of 2022 regulates 'automated employment decision tools.'

    Verify on eightfold.ai
    WCAG 2.1 and 2.2 AA (Accessibility)
    HELD

    We adhere to global accessibility standards, including: WCAG 2.1 & 2.2 AA

    Verify on eightfold.ai
    Microsoft 365 Certification
    HELD

    Microsoft 365 Certification: meeting Microsoft's rigorous standards for integration and performance.

    Verify on eightfold.ai
    > Show 5 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence found on any eightfold.ai page. Neither the security page, DPA, nor MSA mentions HIPAA or a Business Associate Agreement (BAA). Eightfold is an HR/talent platform and does not appear to operate as a HIPAA-covered entity or business associate.

    PCI DSS
    NOT CONFIRMED

    No public evidence found on any eightfold.ai page.

    CSA STAR
    NOT CONFIRMED

    No public evidence found on any eightfold.ai page.

    TX-RAMP
    NOT CONFIRMED

    Referenced in third-party aggregator (trustlists.org) but not confirmed on any eightfold.ai page including eightfold.ai/security/, trust.eightfold.ai, or the government-focused landing page. Vendor-domain evidence could not be verified; treat as unconfirmed.

    StateRAMP
    NOT CONFIRMED

    Mentioned in third-party search result summaries but not confirmed on any eightfold.ai page. No vendor-domain evidence found.

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States, Canada, or Europe (customer selects deployment region per DPA at eightfold.ai/dpa/); personal data transferred to the US is covered by EU-U.S. DPF and SCCs at eightfold.ai/eu-standard-contractual-clauses

    Eightfold does not use identifiable Customer Personal Data to train AI systems. Per the MSA: 'Eightfold shall not use Customer Personal Data to train or develop AI Systems; provided however, this does not restrict Eightfold's use of Anonymized Learnings to train the AI Model.' Training uses data anonymized via industry-standard techniques. Bias-testing data is pseudonymized. The broader model is trained on 1.6B+ anonymized career trajectories. DPA confirms customer is Controller and Eightfold is Processor; data subject rights for candidates must be routed through the employer-customer, not directly to Eightfold.

    // Security controls

    Encryption at rest

    AES-256-bit; log data uses AES-256-GCM described as quantum-resistant

    eightfold.ai

    Encryption in transit

    TLS 1.2

    eightfold.ai

    Authentication

    SAML 2.0, SSO, MFA, IAM, IdP integration; all privileged users required to use MFA for production system access

    eightfold.ai

    Access control

    Least privilege and need-to-know principles; privileged accounts inactive for 90 days are automatically disabled

    eightfold.ai

    Cloud hosting

    Amazon Web Services (AWS); listed as primary subprocessor for cloud hosting services

    trust.eightfold.ai

    Incident response

    Customer notification goal of 24 hours, no later than 72 hours from incident confirmation; includes incident description, data types, implications, actions taken, and recommended customer protections

    eightfold.ai

    Backup and recovery

    Database replication and periodic snapshots; RTO 3 business days to functional and 5 for full operation; RPO 1 hour

    eightfold.ai

    Vulnerability management SLAs

    Critical: 48 hours; High: 30 days; Medium: 90 days; Low: 180 days

    eightfold.ai

    Penetration testing

    Web Application Penetration Test Attestation Letter available on request via trust center

    trust.eightfold.ai

    Subprocessors

    13 listed including AWS (hosting), Atlassian (support), ElevenLabs (AI voice for AI Interviewer), Recall.ai/Hyperdoc (meeting transcription for AI Companion), DataIris (generative BI); 30-day advance notice required for new subprocessors

    trust.eightfold.ai

    // Products & data scope

    Talent Intelligence Platform (TIP)AI-powered talent acquisition and workforce intelligence

    data: Candidate profiles, job requisitions, employee career data, 1.6M+ skills taxonomy; 1.6B+ anonymized career trajectories in the underlying model

    Core enterprise SaaS; FedRAMP Moderate Authorized; DPA and SCCs apply; processes candidate PII including resumes and assessment scores

    AI InterviewerAgentic automated candidate screening via AI voice interview

    data: Candidate audio/video recordings, transcripts, assessment scores, bias-scored evaluations

    Uses ElevenLabs for AI voice generation and Recall.ai for transcription (both listed as subprocessors); ISO 42001 AI management cert applies; NYC Local Law 144 bias audit covers this product; most sensitive from a candidate-data perspective

    Workforce ExchangeGovernment talent marketplace and workforce planning

    data: Federal employee skills and job-matching data; may include Controlled Unclassified Information (CUI)

    FedRAMP Moderate Authorized and DISA IL4 Provisionally Authorized; available via Tradewinds CDAO marketplace; DoD-focused product line

    Career HubInternal talent mobility and career pathing

    data: Employee skills profiles, career trajectory suggestions, learning recommendations

    Enterprise internal mobility product; runs on the same Talent Intelligence Platform infrastructure; GDPR controller-processor model applies through employer

    // What to watch

    • AI Interviewer uses ElevenLabs and Recall.ai as subprocessors for voice generation and transcription of candidate recordings - enterprises should verify the subprocessor DPA chain for sensitive candidate audio data.
    • TX-RAMP and StateRAMP cited by third-party aggregators but NOT confirmed on any eightfold.ai domain page; AIFOXX should not list these certs until vendor-side evidence is provided.
    • HIPAA/BAA: No evidence of HIPAA compliance or BAA availability on the vendor site; do not represent this platform as HIPAA-covered - it is an HR platform, not a healthcare services vendor.
    • FedRAMP Moderate applies specifically to the hosted SaaS offering; no on-premise option is available.
    • Candidate data subject rights (DSAR, erasure) under GDPR and CCPA route through the enterprise customer (Controller), not directly through Eightfold (Processor) - individual candidates cannot submit requests directly to Eightfold for employer-collected data.
    • ISO/IEC 42001 triple-scope claim is notable: Eightfold claims to be the first HR tech company certified as AI developer, AI-enabled service provider, and AI consumer simultaneously; AIFOXX should highlight this as a differentiator.
    • Security-terms page references quantum-resistant AES-256-GCM for log data while main security page states AES-256 and TLS 1.2 generally; minor inconsistency may reflect tiered or in-progress encryption upgrade.
    • Trust center launched April 2026 (Wolfia-powered) and lists 13 subprocessors; previously on Conveyor. Subprocessor list may not yet be fully synced in the new platform.

    // At a glance

    Pricing model

    Enterprise SaaS subscription; contact-sales only; no public pricing listed

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Eightfold AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.eightfold.ai

    > Browse all vendor trust reports