// Trust & Security Report
Greenhouse Software, Inc.
Applicant tracking system (ATS) and end-to-end hiring platform with AI-powered recruiting, onboarding, and candidate fraud detection
Certifications held
11
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.greenhouse.com“Greenhouse Software - 2025 SOC 2 Type 2 - Report (document listed on trust center); security page states 'Annual audits against SOC 1 Type 2 and SOC 2 Type 2'”
Verify on trust.greenhouse.com“Greenhouse Software - 2025 SOC 1 Type 2 - Report (document listed on trust center); 12 Badges shown including 'SOC 1 Type II'”
Verify on greenhouse.com“ISO certifications - Certified for ISO 27001:2022, ISO 27701:2019 and ISO 42001:2023”
Verify on trust.greenhouse.com“ISO 27701 badge shown on trust center; security page states 'ISO 27001:2022, ISO 27701:2019 and ISO 42001:2023'; certificate PDF 'Greenhouse Software - ISO 27001 & 27701 Certificate' listed”
Verify on trust.greenhouse.com“Greenhouse achieves ISO 42001 Certification (Feb 26, 2026 announcement): 'Greenhouse is now ISO/IEC 42001:2023 certified, the global standard for Artificial Intelligence Management Systems (AIMS). This certification independently validates our commitment to developing AI with accountability, fairness, privacy, and security at its core.' Certificate PDF 'Greenhouse Software - ISO 42001:2023 Certificate' listed on trust center.”
Verify on trust.greenhouse.com“Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF”
Verify on trust.greenhouse.com“Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF”
Verify on trust.greenhouse.com“Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF”
Verify on trust.greenhouse.com“Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF”
Verify on trust.greenhouse.com“Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF”
Verify on trust.greenhouse.com“Badges ISO 42001 ISO 27001 ISO 27701 SOC 1 Type II SOC 2 Type II GDPR CCPA PCI SIG EU-US DPF UK-US DPF Swiss-US DPF”
> Show 4 unconfirmed / not-held certifications
source: trust.greenhouse.comNo public evidence of HIPAA compliance or BAA availability found on greenhouse.com, trust.greenhouse.com, or the DPA. Greenhouse is an ATS/hiring platform; HIPAA is not a standard compliance expectation for this product category.
source: trust.greenhouse.comNo public evidence of FedRAMP authorization found on greenhouse.com or trust.greenhouse.com.
source: trust.greenhouse.comNo public evidence of ISO 27017 (cloud security controls) or ISO 27018 (PII in public cloud) certifications found on greenhouse.com or trust.greenhouse.com.
source: trust.greenhouse.comNo public evidence of CSA STAR certification or self-assessment found on greenhouse.com or trust.greenhouse.com.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
Primary infrastructure in the United States (AWS). AWS also used in Germany and Australia. DPA covers EU/EEA, UK, Switzerland, Brazil, and US transfers. No in-region EU data residency option publicly documented.
Greenhouse explicitly states on its AI Principles page: 'Customer data is never used for AI training' and 'Greenhouse does not use personal data from customers to train internal LLMs, proprietary models or third-party models.' Proprietary AI models are 'trained only on anonymized, de-identified data such as job location, time-to-hire metrics and scheduling availability.' LLM inference is handled via subprocessors Anthropic and OpenAI but under data processor terms, not for training. CAVEAT: The privacy policy for the consumer-facing MyGreenhouse candidate portal states Greenhouse may use data to 'develop and train artificial intelligence (AI) models' for candidates who create MyGreenhouse accounts. This is a different privacy context from B2B hiring customers. Customers can toggle any AI feature on or off at the org level. Enterprise customers can set features as opt-in by default.
// Security controls
Penetration testing
Annual third-party penetration testing; Q2 2025 Greenhouse Recruiting Pentest Report and Q3 2025 Greenhouse Onboarding Pentest Report published on trust center; Q1 2026 External Network Pentest Customer Letter available
trust.greenhouse.comIdentity and access management
Single sign-on (SSO), SCIM user provisioning, audit log API, permissions approvals, centralized IAM solution
greenhouse.comBug bounty / vulnerability disclosure
Yes - bug bounty or vulnerability disclosure program in place; 'Report a Vulnerability' link on trust center
trust.greenhouse.comDisaster recovery
Formal disaster recovery plan in place with routine backups and disaster recovery tests
trust.greenhouse.comCyber insurance
Certificate of Cyber Insurance 2025-2026 published on trust center
trust.greenhouse.comSubprocessors disclosure
31 subprocessors listed on trust center (updated June 16, 2026); 30-day advance notice to customers before adding new subprocessors
trust.greenhouse.comIncident response (recent)
June 24, 2026: Klue third-party security incident disclosed. Unauthorized access via Klue credentials scoped to Klue integration only; no Greenhouse product, hiring, or candidate data affected. Relevant data protection authorities notified.
trust.greenhouse.com// Products & data scope
data: Job applicant PII (name, email, address, resume, education, employment history), hiring team data, interview scorecards, offer letters
Core ATS product. Full SOC 2 Type II, ISO 27001/27701/42001 coverage. DPA applies. AI features (talent matching, notetaking, fraud detection) can be toggled on/off per org.
data: New hire PII, document e-signatures (via Dropbox Sign), tax and banking information
SOC 1 Type II audit covers financial controls relevant to onboarding. Separate pentest conducted Q3 2025.
data: Candidate profiles from external sources, email tracking metadata
Uses Cloudflare for email tracking and MongoDB as datastore. Scoped under same trust certifications.
data: Candidate identity signals, fraud indicators, biometric-adjacent identity data, matching scores
Explicitly scoped within ISO 42001:2023 certification. Uses IPQualityScore for fraud signals. High data sensitivity; buyers should review DPA scope.
data: Candidate job history, application status, profile data
IMPORTANT: Privacy policy for MyGreenhouse allows using data to develop and train AI models. This is a different privacy regime from B2B recruiting customers. Candidates using MyGreenhouse should be aware of this AI training provision.
data: Interview transcripts (via Recall.ai), candidate profiles, job descriptions
ISO 42001:2023 certified. All AI features are toggleable. Customer data explicitly not used for training. Uses Anthropic and OpenAI as LLM subprocessors.
// What to watch
- AI TRAINING NUANCE: B2B customer data is explicitly excluded from AI training. However, the MyGreenhouse consumer candidate portal privacy policy does permit AI model training on candidate portal data. This is a different product surface and user consent context but should be disclosed to enterprise buyers whose candidates will use MyGreenhouse.
- PCI DSS via SELF-ASSESSMENT only: Greenhouse's PCI DSS compliance is documented via a Self-Assessment Questionnaire (SAQ), not a full QSA-led Report on Compliance. Buyers with strict PCI requirements should verify the SAQ level and scope.
- RECENT THIRD-PARTY SECURITY INCIDENT: On June 11, 2026, attackers used compromised Klue credentials to access Greenhouse sales and CRM contact data (names and business contact info only). No product, hiring, or candidate data was affected. Greenhouse disclosed promptly and notified data protection authorities. Subprocessor security chain risk is real.
- LLM SUBPROCESSORS: Greenhouse uses both Anthropic and OpenAI as LLM hosting subprocessors. Customer data is not sent for training, but AI feature prompts and outputs may transit these providers as data processors. Enterprise buyers should review subprocessor DPA chain.
- NO EU DATA RESIDENCY: No publicly documented option for EU-resident data to stay within the EU. AWS Germany nodes are listed as infrastructure but not confirmed as a customer-selectable residency option. GDPR transfers rely on SCCs and DPF self-certification.
- NO HIPAA, FEDRAMP, CSA STAR: Greenhouse does not hold HIPAA, FedRAMP, or CSA STAR certifications. Not expected for an ATS platform but notable for buyers in regulated industries.
- STRONG AI GOVERNANCE: ISO 42001:2023 makes Greenhouse one of the first ATS vendors with certified AI management system governance - a notable differentiator for AI-cautious buyers.
// At a glance
Pricing model
B2B SaaS; tiered (Early-stage, Scaling Company, Enterprise). Pricing not publicly listed; demo required.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Greenhouse Software, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.greenhouse.com