// Trust & Security Report

    Greenhouse Software, Inc. logo

    Greenhouse Software, Inc.

    Applicant tracking system (ATS) and end-to-end hiring platform with AI-powered recruiting, onboarding, and candidate fraud detection

    Certifications held

    11

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    Greenhouse Software - 2025 SOC 2 Type 2 - Report (document listed on trust center); security page states 'Annual audits against SOC 1 Type 2 and SOC 2 Type 2'

    Verify on trust.greenhouse.com
    SOC 1 Type II
    HELD

    Greenhouse Software - 2025 SOC 1 Type 2 - Report (document listed on trust center); 12 Badges shown including 'SOC 1 Type II'

    Verify on trust.greenhouse.com
    ISO 27001:2022
    HELD

    ISO certifications - Certified for ISO 27001:2022, ISO 27701:2019 and ISO 42001:2023

    Verify on greenhouse.com
    ISO 27701:2019
    HELD

    ISO 27701 badge shown on trust center; security page states 'ISO 27001:2022, ISO 27701:2019 and ISO 42001:2023'; certificate PDF 'Greenhouse Software - ISO 27001 & 27701 Certificate' listed

    Verify on trust.greenhouse.com
    ISO 42001:2023
    HELD

    Greenhouse achieves ISO 42001 Certification (Feb 26, 2026 announcement): 'Greenhouse is now ISO/IEC 42001:2023 certified, the global standard for Artificial Intelligence Management Systems (AIMS). This certification independently validates our commitment to developing AI with accountability, fairness, privacy, and security at its core.' Certificate PDF 'Greenhouse Software - ISO 42001:2023 Certificate' listed on trust center.

    Verify on trust.greenhouse.com
    GDPR
    HELD

    Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF

    Verify on trust.greenhouse.com
    CCPA / CPRA
    HELD

    Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF

    Verify on trust.greenhouse.com
    PCI DSS
    HELD

    Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF

    Verify on trust.greenhouse.com
    EU-US Data Privacy Framework (DPF)
    HELD

    Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF

    Verify on trust.greenhouse.com
    UK-US Data Privacy Framework (DPF)
    HELD

    Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF

    Verify on trust.greenhouse.com
    Swiss-US Data Privacy Framework (DPF)
    HELD

    Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF

    Verify on trust.greenhouse.com
    > Show 4 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    No public evidence of HIPAA compliance or BAA availability found on greenhouse.com, trust.greenhouse.com, or the DPA. Greenhouse is an ATS/hiring platform; HIPAA is not a standard compliance expectation for this product category.

    source: trust.greenhouse.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of FedRAMP authorization found on greenhouse.com or trust.greenhouse.com.

    source: trust.greenhouse.com
    ISO 27017 / ISO 27018
    NOT CONFIRMED

    No public evidence of ISO 27017 (cloud security controls) or ISO 27018 (PII in public cloud) certifications found on greenhouse.com or trust.greenhouse.com.

    source: trust.greenhouse.com
    CSA STAR
    NOT CONFIRMED

    No public evidence of CSA STAR certification or self-assessment found on greenhouse.com or trust.greenhouse.com.

    source: trust.greenhouse.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    Primary infrastructure in the United States (AWS). AWS also used in Germany and Australia. DPA covers EU/EEA, UK, Switzerland, Brazil, and US transfers. No in-region EU data residency option publicly documented.

    Greenhouse explicitly states on its AI Principles page: 'Customer data is never used for AI training' and 'Greenhouse does not use personal data from customers to train internal LLMs, proprietary models or third-party models.' Proprietary AI models are 'trained only on anonymized, de-identified data such as job location, time-to-hire metrics and scheduling availability.' LLM inference is handled via subprocessors Anthropic and OpenAI but under data processor terms, not for training. CAVEAT: The privacy policy for the consumer-facing MyGreenhouse candidate portal states Greenhouse may use data to 'develop and train artificial intelligence (AI) models' for candidates who create MyGreenhouse accounts. This is a different privacy context from B2B hiring customers. Customers can toggle any AI feature on or off at the org level. Enterprise customers can set features as opt-in by default.

    // Security controls

    Encryption in transit

    Yes - security page states 'encryption in transit and at rest'

    greenhouse.com

    Encryption at rest

    Yes - security page states 'encryption in transit and at rest'

    greenhouse.com

    Cloud infrastructure

    Amazon Web Services (US, Germany, Australia)

    trust.greenhouse.com

    Penetration testing

    Annual third-party penetration testing; Q2 2025 Greenhouse Recruiting Pentest Report and Q3 2025 Greenhouse Onboarding Pentest Report published on trust center; Q1 2026 External Network Pentest Customer Letter available

    trust.greenhouse.com

    SOC monitoring

    24/7/365 security operations center

    greenhouse.com

    Identity and access management

    Single sign-on (SSO), SCIM user provisioning, audit log API, permissions approvals, centralized IAM solution

    greenhouse.com

    Bug bounty / vulnerability disclosure

    Yes - bug bounty or vulnerability disclosure program in place; 'Report a Vulnerability' link on trust center

    trust.greenhouse.com

    Disaster recovery

    Formal disaster recovery plan in place with routine backups and disaster recovery tests

    trust.greenhouse.com

    Cyber insurance

    Certificate of Cyber Insurance 2025-2026 published on trust center

    trust.greenhouse.com

    Mobile device management

    Formal MDM program in place

    trust.greenhouse.com

    Subprocessors disclosure

    31 subprocessors listed on trust center (updated June 16, 2026); 30-day advance notice to customers before adding new subprocessors

    trust.greenhouse.com

    Incident response (recent)

    June 24, 2026: Klue third-party security incident disclosed. Unauthorized access via Klue credentials scoped to Klue integration only; no Greenhouse product, hiring, or candidate data affected. Relevant data protection authorities notified.

    trust.greenhouse.com

    // Products & data scope

    Greenhouse RecruitingApplicant Tracking System (ATS)

    data: Job applicant PII (name, email, address, resume, education, employment history), hiring team data, interview scorecards, offer letters

    Core ATS product. Full SOC 2 Type II, ISO 27001/27701/42001 coverage. DPA applies. AI features (talent matching, notetaking, fraud detection) can be toggled on/off per org.

    Greenhouse OnboardingEmployee Onboarding

    data: New hire PII, document e-signatures (via Dropbox Sign), tax and banking information

    SOC 1 Type II audit covers financial controls relevant to onboarding. Separate pentest conducted Q3 2025.

    Greenhouse Sourcing AutomationTalent Sourcing

    data: Candidate profiles from external sources, email tracking metadata

    Uses Cloudflare for email tracking and MongoDB as datastore. Scoped under same trust certifications.

    Real TalentCandidate Fraud Detection and Identity Verification

    data: Candidate identity signals, fraud indicators, biometric-adjacent identity data, matching scores

    Explicitly scoped within ISO 42001:2023 certification. Uses IPQualityScore for fraud signals. High data sensitivity; buyers should review DPA scope.

    MyGreenhouseCandidate Portal (consumer-facing)

    data: Candidate job history, application status, profile data

    IMPORTANT: Privacy policy for MyGreenhouse allows using data to develop and train AI models. This is a different privacy regime from B2B recruiting customers. Candidates using MyGreenhouse should be aware of this AI training provision.

    Greenhouse AI (Voice AI, Notetaking, Talent Matching)AI-Powered Hiring Tools

    data: Interview transcripts (via Recall.ai), candidate profiles, job descriptions

    ISO 42001:2023 certified. All AI features are toggleable. Customer data explicitly not used for training. Uses Anthropic and OpenAI as LLM subprocessors.

    // What to watch

    • AI TRAINING NUANCE: B2B customer data is explicitly excluded from AI training. However, the MyGreenhouse consumer candidate portal privacy policy does permit AI model training on candidate portal data. This is a different product surface and user consent context but should be disclosed to enterprise buyers whose candidates will use MyGreenhouse.
    • PCI DSS via SELF-ASSESSMENT only: Greenhouse's PCI DSS compliance is documented via a Self-Assessment Questionnaire (SAQ), not a full QSA-led Report on Compliance. Buyers with strict PCI requirements should verify the SAQ level and scope.
    • RECENT THIRD-PARTY SECURITY INCIDENT: On June 11, 2026, attackers used compromised Klue credentials to access Greenhouse sales and CRM contact data (names and business contact info only). No product, hiring, or candidate data was affected. Greenhouse disclosed promptly and notified data protection authorities. Subprocessor security chain risk is real.
    • LLM SUBPROCESSORS: Greenhouse uses both Anthropic and OpenAI as LLM hosting subprocessors. Customer data is not sent for training, but AI feature prompts and outputs may transit these providers as data processors. Enterprise buyers should review subprocessor DPA chain.
    • NO EU DATA RESIDENCY: No publicly documented option for EU-resident data to stay within the EU. AWS Germany nodes are listed as infrastructure but not confirmed as a customer-selectable residency option. GDPR transfers rely on SCCs and DPF self-certification.
    • NO HIPAA, FEDRAMP, CSA STAR: Greenhouse does not hold HIPAA, FedRAMP, or CSA STAR certifications. Not expected for an ATS platform but notable for buyers in regulated industries.
    • STRONG AI GOVERNANCE: ISO 42001:2023 makes Greenhouse one of the first ATS vendors with certified AI management system governance - a notable differentiator for AI-cautious buyers.

    // At a glance

    Pricing model

    B2B SaaS; tiered (Early-stage, Scaling Company, Enterprise). Pricing not publicly listed; demo required.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Greenhouse Software, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.greenhouse.com

    > Browse all vendor trust reports