// Trust & Security Report
iCIMS, Inc.
Enterprise talent acquisition platform: iCIMS Hire (ATS, text recruiting, onboarding, offer management), iCIMS Engage (CRM, employer branding, career sites, chatbot), and Coalesce AI (AI-powered candidate matching, sourcing, and workflow automation).
Certifications held
15
Maturity
Enterprise
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.icims.com“Listed on trust.icims.com; original newsroom: 'validates iCIMS' Talent Cloud, including the suitability of the design and operating effectiveness of its controls relevant to security, availability, and processing integrity' — completed without any exceptions.”
Verify on trust.icims.com“Listed as a downloadable report on trust.icims.com alongside the SOC 2 Type 2 attestation.”
Verify on icims.com“'SOC 1 (SSAE 16), SOC 2, and SOC 3 compliant' — listed on the infrastructure overview page.”
Verify on trust.icims.com“ISO/IEC 27001:2022 and its Statement of Applicability (SoA) are listed as downloadable documents on the live trust center.”
Verify on icims.com“Listed on trust.icims.com; newsroom: 'iCIMS became one of the first recruitment software providers to receive its ISO/IEC 27701 — Privacy Information Management System (PIMS) certification.'”
Verify on icims.com“'ISO 27001, ISO 27017, ISO 27018 certified' — stated on the infrastructure overview page. Not explicitly listed separately on trust center home; assumed covered under ISO 27001:2022 SoA.”
Verify on icims.com“'ISO 27001, ISO 27017, ISO 27018 certified' — stated on the infrastructure overview page. Not explicitly listed separately on trust center home; assumed covered under ISO 27001:2022 SoA.”
Verify on icims.com“'PCI DSS 3.2 certified' — stated on the infrastructure overview page. NOTE: PCI DSS 3.2 is the version cited; PCI DSS 4.0 superseded 3.2 in 2022. PCI DSS is not listed on the live trust center, suggesting the infrastructure page may be outdated. Independent confirmation of current PCI DSS version not obtained.”
Verify on trust.icims.com“Listed on trust.icims.com. Infrastructure page: 'GDPR ready.' Privacy notice: 'iCIMS transfers personal data to other countries in accordance with applicable privacy laws...including Standard Contractual Clauses.' DPF participation confirmed.”
Verify on icims.com“'iCIMS, Inc. and its subsidiaries iCIMS International, LLC, TextRecruit, Inc., and SkillSurvey, Inc. (collectively, iCIMS U.S. entities) comply with the EU-U.S. Data Privacy Framework (DPF), the UK Extension, and the Swiss-U.S. DPF.'”
Verify on trust.icims.com“CSA STAR Level 1 listed on trust.icims.com; CAIQ self-assessment available for download via the trust center.”
Verify on icims.com“'ICIMS earned TrustArc's TRUSTe Responsible AI Certification — the first-ever artificial intelligence certification focused explicitly on data protection and privacy.' Evaluated against validity, explainability, accountability, privacy enhancement, fairness, and security criteria. Certified March 5, 2026.”
Verify on trust.icims.com“TX-RAMP (Texas Risk Assessment Management Program) listed on trust.icims.com.”
Verify on trust.icims.com“Microsoft SSPA (Supplier Security and Privacy Assurance) listed on trust.icims.com.”
Verify on trust.icims.com“APEC PRP (Asia-Pacific Economic Cooperation Privacy Recognition for Processors) listed on trust.icims.com.”
> Show 3 unconfirmed / not-held certifications
source: trust.icims.comHIPAA is not a certification iCIMS lists on trust.icims.com. A 'HIPAA Report' document is available for download in the trust center but this is not a certification. The infrastructure overview page does not mention HIPAA. No formal BAA confirmation found on vendor-domain pages. HIPAA compliance for healthcare clients likely handled contractually on request.
source: trust.icims.comFedRAMP is not listed on trust.icims.com. iCIMS was not found in the official FedRAMP marketplace (fedramp.gov/marketplace) as Authorized or In Process. Third-party security profile sites claim 'FedRAMP Compliant' but this appears to be inaccurate — no FedRAMP ATO confirmed on any vendor-domain page.
source: trust.icims.comNo evidence of ISO/IEC 42001 certification on trust.icims.com or any iCIMS page. iCIMS holds TRUSTe Responsible AI instead for AI governance.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
US (Virginia primary, Oregon/Washington failover); EU (Germany primary, Ireland failover); Canada (Quebec primary, Ontario failover). iCIMS Frontline AI hosted in California with Virginia failover.
The iCIMS services privacy notice states: 'We will not use, disclose, sell, review, share, distribute, transfer, or reference any Subscriber Data except as permitted in the Subscription Agreement.' An iCIMS blog post states AI/ML algorithms 'do not use and are not trained with any candidate personal identifiable data.' However, the TRUSTe certification newsroom (March 2026) says the platform 'is uniquely trained on billions of real-world recruiting data points,' and the services privacy notice permits use of 'Public Personal Data for research and development purposes (for example, to test the accuracy of AI algorithms and to determine if AI algorithms produce biased output).' The distinction appears to be that subscriber PII is protected from training, but aggregated or anonymized/public recruiting data is used. Opt-out for SkillSurvey research is available by contacting privacy@icims.com.
// Security controls
Encryption in transit
TLS (standard; trust center confirms defense-in-depth security model with network segmentation)
trust.icims.comInfrastructure
AWS and Microsoft Azure; multi-region with active failover; 99.9% uptime SLA
icims.comPhysical security
Restricted datacenter access, MFA badge entry, video surveillance, intrusion detection, alarm systems, access logging
icims.comApplication security
Penetration testing, static/dynamic code analysis, CI/CD security practices, audit logging documented in trust center
trust.icims.comIncident response
Dedicated security team monitoring and responding to security events; breach notification obligations per privacy notice
icims.comAccess control
SSO, Google/Microsoft OAuth, Okta SAML support; role-based permissions
security-profiles.nudgesecurity.com// Products & data scope
data: Candidate PII, job application data, offer letters, onboarding documents
Enterprise ATS. Primary product for Fortune 500 clients. Text recruiting and offer management bundled.
data: Candidate contact data, engagement history, career site interactions
Includes career site builder, recruitment chatbot, and employee testimonial video features.
data: Job descriptions, resume data, candidate profiles, interview data, engagement metrics
Built on proprietary recruiting data. TRUSTe Responsible AI certified (March 2026). AI/ML stated to not train on candidate PII. Integrates with iCIMS Hire/Engage with no separate integration required.
data: Reference and background check data; candidate demographic information used for internal research
Acquired product. Subject to separate research data use; opt-out available by contacting privacy@icims.com.
// What to watch
- FedRAMP OVER-CLAIM RISK: Third-party security profiles (e.g. Nudge Security) list iCIMS as 'FedRAMP Compliant,' but iCIMS is NOT found on the official FedRAMP Marketplace (fedramp.gov) as Authorized or In Process, and FedRAMP is absent from trust.icims.com. AIFOXX should NOT list FedRAMP as a held certification.
- HIPAA UNCONFIRMED: A 'HIPAA Report' document is available in the trust center but HIPAA is not listed as a certification. No formal BAA confirmation found on vendor-domain public pages. Healthcare clients should inquire directly about BAA availability. iCIMS infrastructure page does not mention HIPAA.
- PCI DSS VERSION DISCREPANCY: Infrastructure page states 'PCI DSS 3.2 certified' but PCI DSS 3.2 was superseded by version 4.0 in March 2022. PCI DSS is not listed on trust.icims.com, suggesting the infrastructure page may be stale. Current PCI DSS compliance version is unconfirmed.
- AI TRAINING DATA AMBIGUITY: Marketing materials (TRUSTe cert newsroom, March 2026) state the AI is 'uniquely trained on billions of real-world recruiting data points,' while the services privacy notice and blog claim AI/ML does not train on 'candidate personal identifiable data.' The boundary between aggregated/public recruiting data and subscriber PII is not explicitly drawn in a binding legal document on public pages.
// At a glance
Pricing model
Enterprise subscription (per-seat or volume; specific pricing not publicly disclosed; sales-led)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on iCIMS, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.icims.com