// Trust & Security Report
Eightfold AI, Inc.
AI-native talent intelligence platform for recruiting, workforce planning, and career development
Certifications held
15
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on eightfold.ai“Eightfold has obtained a SOC 2 Type II assessment provided by independent third-party auditors.”
Verify on eightfold.ai“Eightfold has a public SOC 3 report that provides an overview of our service organization controls.”
Verify on eightfold.ai“Eightfold is ISO 27001 certified by independent third-party auditors.”
Verify on eightfold.ai“Eightfold is ISO27017 certified by independent third-party auditors.”
Verify on eightfold.ai“Eightfold is ISO27701 certified by independent third-party auditors.”
Verify on eightfold.ai“Eightfold is ISO42001 certified for its AI management system by independent third-party auditors. Eightfold claims to be the first HR technology company to be certified for controls as a developer of AI systems, a provider of AI-enabled services, and a consumer of third-party AI.”
Verify on eightfold.ai“Eightfold is FedRAMP Moderate Authorized for our SaaS offering hosted in, meeting the security and compliance requirements of U.S. public sector agencies.”
Verify on eightfold.ai“Eightfold is a FedRAMP authorized and DISA IL4 certified talent intelligence platform.”
Verify on eightfold.ai“Eightfold is compliant with European Union General Data Protection Regulations (GDPR) as applied to Eightfold.”
Verify on eightfold.ai“Eightfold complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF).”
Verify on eightfold.ai“Eightfold is compliant with the California Consumer Privacy Act (CCPA) as applied to Eightfold.”
Verify on eightfold.ai“Eightfold supports record keeping standards established by the Office of Federal Contract Compliance Programs (OFCCP).”
Verify on eightfold.ai“New York City Local Law 144 of 2022 regulates 'automated employment decision tools.'”
Verify on eightfold.ai“We adhere to global accessibility standards, including: WCAG 2.1 & 2.2 AA”
Verify on eightfold.ai“Microsoft 365 Certification: meeting Microsoft's rigorous standards for integration and performance.”
> Show 5 unconfirmed / not-held certifications
No public evidence found on any eightfold.ai page. Neither the security page, DPA, nor MSA mentions HIPAA or a Business Associate Agreement (BAA). Eightfold is an HR/talent platform and does not appear to operate as a HIPAA-covered entity or business associate.
No public evidence found on any eightfold.ai page.
No public evidence found on any eightfold.ai page.
Referenced in third-party aggregator (trustlists.org) but not confirmed on any eightfold.ai page including eightfold.ai/security/, trust.eightfold.ai, or the government-focused landing page. Vendor-domain evidence could not be verified; treat as unconfirmed.
Mentioned in third-party search result summaries but not confirmed on any eightfold.ai page. No vendor-domain evidence found.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States, Canada, or Europe (customer selects deployment region per DPA at eightfold.ai/dpa/); personal data transferred to the US is covered by EU-U.S. DPF and SCCs at eightfold.ai/eu-standard-contractual-clauses
Eightfold does not use identifiable Customer Personal Data to train AI systems. Per the MSA: 'Eightfold shall not use Customer Personal Data to train or develop AI Systems; provided however, this does not restrict Eightfold's use of Anonymized Learnings to train the AI Model.' Training uses data anonymized via industry-standard techniques. Bias-testing data is pseudonymized. The broader model is trained on 1.6B+ anonymized career trajectories. DPA confirms customer is Controller and Eightfold is Processor; data subject rights for candidates must be routed through the employer-customer, not directly to Eightfold.
// Security controls
Encryption at rest
AES-256-bit; log data uses AES-256-GCM described as quantum-resistant
eightfold.aiAuthentication
SAML 2.0, SSO, MFA, IAM, IdP integration; all privileged users required to use MFA for production system access
eightfold.aiAccess control
Least privilege and need-to-know principles; privileged accounts inactive for 90 days are automatically disabled
eightfold.aiCloud hosting
Amazon Web Services (AWS); listed as primary subprocessor for cloud hosting services
trust.eightfold.aiIncident response
Customer notification goal of 24 hours, no later than 72 hours from incident confirmation; includes incident description, data types, implications, actions taken, and recommended customer protections
eightfold.aiBackup and recovery
Database replication and periodic snapshots; RTO 3 business days to functional and 5 for full operation; RPO 1 hour
eightfold.aiVulnerability management SLAs
Critical: 48 hours; High: 30 days; Medium: 90 days; Low: 180 days
eightfold.aiPenetration testing
Web Application Penetration Test Attestation Letter available on request via trust center
trust.eightfold.aiSubprocessors
13 listed including AWS (hosting), Atlassian (support), ElevenLabs (AI voice for AI Interviewer), Recall.ai/Hyperdoc (meeting transcription for AI Companion), DataIris (generative BI); 30-day advance notice required for new subprocessors
trust.eightfold.ai// Products & data scope
data: Candidate profiles, job requisitions, employee career data, 1.6M+ skills taxonomy; 1.6B+ anonymized career trajectories in the underlying model
Core enterprise SaaS; FedRAMP Moderate Authorized; DPA and SCCs apply; processes candidate PII including resumes and assessment scores
data: Candidate audio/video recordings, transcripts, assessment scores, bias-scored evaluations
Uses ElevenLabs for AI voice generation and Recall.ai for transcription (both listed as subprocessors); ISO 42001 AI management cert applies; NYC Local Law 144 bias audit covers this product; most sensitive from a candidate-data perspective
data: Federal employee skills and job-matching data; may include Controlled Unclassified Information (CUI)
FedRAMP Moderate Authorized and DISA IL4 Provisionally Authorized; available via Tradewinds CDAO marketplace; DoD-focused product line
data: Employee skills profiles, career trajectory suggestions, learning recommendations
Enterprise internal mobility product; runs on the same Talent Intelligence Platform infrastructure; GDPR controller-processor model applies through employer
// What to watch
- AI Interviewer uses ElevenLabs and Recall.ai as subprocessors for voice generation and transcription of candidate recordings - enterprises should verify the subprocessor DPA chain for sensitive candidate audio data.
- TX-RAMP and StateRAMP cited by third-party aggregators but NOT confirmed on any eightfold.ai domain page; AIFOXX should not list these certs until vendor-side evidence is provided.
- HIPAA/BAA: No evidence of HIPAA compliance or BAA availability on the vendor site; do not represent this platform as HIPAA-covered - it is an HR platform, not a healthcare services vendor.
- FedRAMP Moderate applies specifically to the hosted SaaS offering; no on-premise option is available.
- Candidate data subject rights (DSAR, erasure) under GDPR and CCPA route through the enterprise customer (Controller), not directly through Eightfold (Processor) - individual candidates cannot submit requests directly to Eightfold for employer-collected data.
- ISO/IEC 42001 triple-scope claim is notable: Eightfold claims to be the first HR tech company certified as AI developer, AI-enabled service provider, and AI consumer simultaneously; AIFOXX should highlight this as a differentiator.
- Security-terms page references quantum-resistant AES-256-GCM for log data while main security page states AES-256 and TLS 1.2 generally; minor inconsistency may reflect tiered or in-progress encryption upgrade.
- Trust center launched April 2026 (Wolfia-powered) and lists 13 subprocessors; previously on Conveyor. Subprocessor list may not yet be fully synced in the new platform.
// At a glance
Pricing model
Enterprise SaaS subscription; contact-sales only; no public pricing listed
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Eightfold AI, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.eightfold.ai