// Trust & Security Report

    iCIMS, Inc. logo

    iCIMS, Inc.

    Enterprise talent acquisition platform: iCIMS Hire (ATS, text recruiting, onboarding, offer management), iCIMS Engage (CRM, employer branding, career sites, chatbot), and Coalesce AI (AI-powered candidate matching, sourcing, and workflow automation).

    Certifications held

    15

    Maturity

    Enterprise

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Listed on trust.icims.com; original newsroom: 'validates iCIMS' Talent Cloud, including the suitability of the design and operating effectiveness of its controls relevant to security, availability, and processing integrity' — completed without any exceptions.

    Verify on trust.icims.com
    SOC 3
    HELD

    Listed as a downloadable report on trust.icims.com alongside the SOC 2 Type 2 attestation.

    Verify on trust.icims.com
    SOC 1 (SSAE 16)
    HELD

    'SOC 1 (SSAE 16), SOC 2, and SOC 3 compliant' — listed on the infrastructure overview page.

    Verify on icims.com
    ISO/IEC 27001:2022
    HELD

    ISO/IEC 27001:2022 and its Statement of Applicability (SoA) are listed as downloadable documents on the live trust center.

    Verify on trust.icims.com
    ISO/IEC 27701
    HELD

    Listed on trust.icims.com; newsroom: 'iCIMS became one of the first recruitment software providers to receive its ISO/IEC 27701 — Privacy Information Management System (PIMS) certification.'

    Verify on icims.com
    ISO/IEC 27017
    HELD

    'ISO 27001, ISO 27017, ISO 27018 certified' — stated on the infrastructure overview page. Not explicitly listed separately on trust center home; assumed covered under ISO 27001:2022 SoA.

    Verify on icims.com
    ISO/IEC 27018
    HELD

    'ISO 27001, ISO 27017, ISO 27018 certified' — stated on the infrastructure overview page. Not explicitly listed separately on trust center home; assumed covered under ISO 27001:2022 SoA.

    Verify on icims.com
    PCI DSS
    HELD

    'PCI DSS 3.2 certified' — stated on the infrastructure overview page. NOTE: PCI DSS 3.2 is the version cited; PCI DSS 4.0 superseded 3.2 in 2022. PCI DSS is not listed on the live trust center, suggesting the infrastructure page may be outdated. Independent confirmation of current PCI DSS version not obtained.

    Verify on icims.com
    GDPR (posture)
    HELD

    Listed on trust.icims.com. Infrastructure page: 'GDPR ready.' Privacy notice: 'iCIMS transfers personal data to other countries in accordance with applicable privacy laws...including Standard Contractual Clauses.' DPF participation confirmed.

    Verify on trust.icims.com
    EU-US Data Privacy Framework (DPF)
    HELD

    'iCIMS, Inc. and its subsidiaries iCIMS International, LLC, TextRecruit, Inc., and SkillSurvey, Inc. (collectively, iCIMS U.S. entities) comply with the EU-U.S. Data Privacy Framework (DPF), the UK Extension, and the Swiss-U.S. DPF.'

    Verify on icims.com
    CSA STAR Level 1
    HELD

    CSA STAR Level 1 listed on trust.icims.com; CAIQ self-assessment available for download via the trust center.

    Verify on trust.icims.com
    TRUSTe Responsible AI Certification
    HELD

    'ICIMS earned TrustArc's TRUSTe Responsible AI Certification — the first-ever artificial intelligence certification focused explicitly on data protection and privacy.' Evaluated against validity, explainability, accountability, privacy enhancement, fairness, and security criteria. Certified March 5, 2026.

    Verify on icims.com
    TX-RAMP
    HELD

    TX-RAMP (Texas Risk Assessment Management Program) listed on trust.icims.com.

    Verify on trust.icims.com
    Microsoft SSPA
    HELD

    Microsoft SSPA (Supplier Security and Privacy Assurance) listed on trust.icims.com.

    Verify on trust.icims.com
    APEC PRP
    HELD

    APEC PRP (Asia-Pacific Economic Cooperation Privacy Recognition for Processors) listed on trust.icims.com.

    Verify on trust.icims.com
    > Show 3 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    HIPAA is not a certification iCIMS lists on trust.icims.com. A 'HIPAA Report' document is available for download in the trust center but this is not a certification. The infrastructure overview page does not mention HIPAA. No formal BAA confirmation found on vendor-domain pages. HIPAA compliance for healthcare clients likely handled contractually on request.

    source: trust.icims.com
    FedRAMP
    NOT CONFIRMED

    FedRAMP is not listed on trust.icims.com. iCIMS was not found in the official FedRAMP marketplace (fedramp.gov/marketplace) as Authorized or In Process. Third-party security profile sites claim 'FedRAMP Compliant' but this appears to be inaccurate — no FedRAMP ATO confirmed on any vendor-domain page.

    source: trust.icims.com
    ISO/IEC 42001 (AI Management)
    NOT CONFIRMED

    No evidence of ISO/IEC 42001 certification on trust.icims.com or any iCIMS page. iCIMS holds TRUSTe Responsible AI instead for AI governance.

    source: trust.icims.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    US (Virginia primary, Oregon/Washington failover); EU (Germany primary, Ireland failover); Canada (Quebec primary, Ontario failover). iCIMS Frontline AI hosted in California with Virginia failover.

    The iCIMS services privacy notice states: 'We will not use, disclose, sell, review, share, distribute, transfer, or reference any Subscriber Data except as permitted in the Subscription Agreement.' An iCIMS blog post states AI/ML algorithms 'do not use and are not trained with any candidate personal identifiable data.' However, the TRUSTe certification newsroom (March 2026) says the platform 'is uniquely trained on billions of real-world recruiting data points,' and the services privacy notice permits use of 'Public Personal Data for research and development purposes (for example, to test the accuracy of AI algorithms and to determine if AI algorithms produce biased output).' The distinction appears to be that subscriber PII is protected from training, but aggregated or anonymized/public recruiting data is used. Opt-out for SkillSurvey research is available by contacting privacy@icims.com.

    // Security controls

    Encryption at rest

    AES-256 encryption of customer data at rest across all hosting regions

    icims.com

    Encryption in transit

    TLS (standard; trust center confirms defense-in-depth security model with network segmentation)

    trust.icims.com

    Infrastructure

    AWS and Microsoft Azure; multi-region with active failover; 99.9% uptime SLA

    icims.com

    Physical security

    Restricted datacenter access, MFA badge entry, video surveillance, intrusion detection, alarm systems, access logging

    icims.com

    Security scoring

    SecurityScorecard grade A; BitSight 780; CyberVadis 972

    trust.icims.com

    Application security

    Penetration testing, static/dynamic code analysis, CI/CD security practices, audit logging documented in trust center

    trust.icims.com

    Incident response

    Dedicated security team monitoring and responding to security events; breach notification obligations per privacy notice

    icims.com

    Access control

    SSO, Google/Microsoft OAuth, Okta SAML support; role-based permissions

    security-profiles.nudgesecurity.com

    // Products & data scope

    iCIMS Hire (ATS + onboarding)Applicant Tracking System

    data: Candidate PII, job application data, offer letters, onboarding documents

    Enterprise ATS. Primary product for Fortune 500 clients. Text recruiting and offer management bundled.

    iCIMS Engage (CRM + Employer Branding)Candidate Relationship Management

    data: Candidate contact data, engagement history, career site interactions

    Includes career site builder, recruitment chatbot, and employee testimonial video features.

    Coalesce AIAI Recruiting Automation

    data: Job descriptions, resume data, candidate profiles, interview data, engagement metrics

    Built on proprietary recruiting data. TRUSTe Responsible AI certified (March 2026). AI/ML stated to not train on candidate PII. Integrates with iCIMS Hire/Engage with no separate integration required.

    SkillSurveyReference Checking

    data: Reference and background check data; candidate demographic information used for internal research

    Acquired product. Subject to separate research data use; opt-out available by contacting privacy@icims.com.

    // What to watch

    • FedRAMP OVER-CLAIM RISK: Third-party security profiles (e.g. Nudge Security) list iCIMS as 'FedRAMP Compliant,' but iCIMS is NOT found on the official FedRAMP Marketplace (fedramp.gov) as Authorized or In Process, and FedRAMP is absent from trust.icims.com. AIFOXX should NOT list FedRAMP as a held certification.
    • HIPAA UNCONFIRMED: A 'HIPAA Report' document is available in the trust center but HIPAA is not listed as a certification. No formal BAA confirmation found on vendor-domain public pages. Healthcare clients should inquire directly about BAA availability. iCIMS infrastructure page does not mention HIPAA.
    • PCI DSS VERSION DISCREPANCY: Infrastructure page states 'PCI DSS 3.2 certified' but PCI DSS 3.2 was superseded by version 4.0 in March 2022. PCI DSS is not listed on trust.icims.com, suggesting the infrastructure page may be stale. Current PCI DSS compliance version is unconfirmed.
    • AI TRAINING DATA AMBIGUITY: Marketing materials (TRUSTe cert newsroom, March 2026) state the AI is 'uniquely trained on billions of real-world recruiting data points,' while the services privacy notice and blog claim AI/ML does not train on 'candidate personal identifiable data.' The boundary between aggregated/public recruiting data and subscriber PII is not explicitly drawn in a binding legal document on public pages.

    // At a glance

    Pricing model

    Enterprise subscription (per-seat or volume; specific pricing not publicly disclosed; sales-led)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on iCIMS, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-29. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.icims.com

    > Browse all vendor trust reports