// Trust & Security Report

    Employ Inc. logo

    Employ Inc.

    Lever is a modern applicant tracking system (ATS) with candidate relationship management (CRM) functionality, offering AI-powered hiring automation for recruiting teams. Part of Employ Inc's portfolio alongside JazzHR (foundational), Jobvite (sophisticated), and NXTThing RPO.

    Certifications held

    7

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    A Service Organization Report (SOC 2 Type 2 report) is designed to evidence a service provider's internal organizational controls. Issued by Schellman, an independent auditor.

    Verify on lever.co
    ISO/IEC 27001
    HELD

    Lever maintains this international standard certification, demonstrating an organization has established and maintains robust information security management systems (ISMS). Verified by Schellman.

    Verify on lever.co
    GDPR Compliance
    HELD

    Information security parameters comply with the General Data Protection Regulation (GDPR). Employ provides a Data Protection Addendum (DPA) covering GDPR Regulation 2016/679 and UK GDPR, effective November 8, 2023 (last updated May 20, 2025).

    Verify on employinc.com
    CCPA Compliance
    HELD

    Information security parameters comply with the California Consumer Privacy Act (CCPA) and are intended to support customers' compliance with the GDPR and CCPA.

    Verify on lever.co
    Data Privacy Framework
    HELD

    Lever adheres to applicable privacy requirements for EU personal data transfers and maintains Data Privacy Framework status. For any Customer Data transferred outside the EEA, UK, or Swiss territories, the Data Privacy Framework will apply as primary mechanism.

    Verify on employinc.com
    Standard Contractual Clauses (SCC)
    HELD

    Available for EU data processing needs. SCCs are incorporated as Exhibit A for transfers outside the EEA, UK, and Switzerland as fallback mechanism if Data Privacy Framework becomes invalidated.

    Verify on employinc.com
    CSA Consensus Assessments Initiative Questionnaire (CAIQ)
    HELD

    Lever completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire covering 16 governing domains.

    Verify on lever.co
    > Show 5 unconfirmed / not-held certifications
    HIPAA/HIPAA BAA
    NOT CONFIRMED

    HIPAA is not mentioned in Lever's security documentation. No evidence of HIPAA certification or Business Associate Agreement (BAA) availability. Lever is not positioned as a HIPAA-compliant product.

    source: lever.co
    PCI DSS
    NOT CONFIRMED

    No public evidence. PCI DSS is not mentioned in Lever's published certifications or security documentation.

    source: lever.co
    ISO 27017 / ISO 27018 / ISO 27701
    NOT CONFIRMED

    No public evidence. These additional ISO standards are not mentioned in Lever's published certifications.

    source: lever.co
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    No public evidence. ISO 42001 is not mentioned in Lever's published certifications or AI governance documentation.

    source: lever.co
    CSA STAR for AI
    NOT CONFIRMED

    No public evidence. CSA STAR for AI was launched by Cloud Security Alliance in October 2025 for trustworthy AI governance. Lever does not currently claim this certification.

    source: cloudsecurityalliance.org

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    AWS us-west-2 (Oregon, US) and AWS eu-central-1 (Frankfurt, Germany). Customers are striped across multiple availability zones. Weekly full backups, daily full instance/system images, database transaction logs every 15 minutes. All backup files encrypted prior to backup and at rest. Access logging enabled.

    Lever uses AI throughout the hiring platform (candidate screening, fraud detection, interview scheduling, scoring). However, Lever does not publicly disclose whether customer hiring data (resumes, application details, candidate information) is used to train or improve these AI models. Employ Inc. has committed to responsible AI principles aligned with ADP Marketplace (human oversight, monitoring, privacy, explainability, transparency, bias mitigation), but no explicit opt-out policy for AI training is documented. This represents a significant gap in transparency.

    // Security controls

    Encryption in Transit

    Enforced (standard for HTTPS + TLS)

    lever.co

    Encryption at Rest

    Enforced for customer data and backups

    help.lever.co

    Data Backup Frequency

    Weekly full backups, daily full instance/system images, DB transaction logs every 15 minutes

    help.lever.co

    Incident Notification

    Security incident notification includes nature, date/time, affected data subjects, and remediation measures per DPA requirements

    employinc.com

    Sub-processor Management

    15-day advance notice of new sub-processors with 30-day objection period. Customers may terminate if objections not accommodated.

    employinc.com

    Audit Rights

    Annual compliance audits permitted through independent third parties

    employinc.com

    Data Deletion Post-Termination

    Within 45 days of service termination, except where legally required to retain

    employinc.com

    Access Controls

    Layered safeguards for fraud detection and data protection as part of platform security architecture

    lever.co

    Fraud Detection

    Built-in application screening with identity verification, resume conflict detection, and resume fraud flagging

    lever.co

    // Products & data scope

    Lever ATSApplicant Tracking System & Candidate Relationship Management

    data: Candidate resumes, application data, interview notes, hiring team communications, candidate feedback, offer letters, applicant history

    Core product combining ATS and CRM functionality. Includes AI-powered features for candidate screening, match scoring, fraud detection, interview scheduling, and hiring recommendations. Available for small, mid-sized, and enterprise organizations.

    Lever AI FeaturesAI-Powered Recruiting Automation

    data: Applicant data, role matching signals, skill extraction, leadership indicators, compensation analysis, fraud signals

    AI-embedded across entire hiring journey. Provides role-specific experience matching, leadership signal detection, salary consideration analysis, and fraud flagging. No public documentation of customer data usage for model training or fine-tuning.

    // What to watch

    • AI Training Transparency Gap: Lever uses AI extensively throughout the platform but does not publicly disclose whether customer hiring data is used to train or fine-tune AI models. No opt-out policy found. This is a material gap for enterprises with sensitive hiring data.
    • No HIPAA Support: Lever is not HIPAA-compliant and does not offer BAA, limiting use for healthcare recruiting.
    • Limited AI Governance Certification: No ISO 42001 or CSA STAR AI certification. Given the embedded AI across the platform, third-party AI governance validation would strengthen trust posture.
    • Compliance Claims vs. Certifications: Lever claims GDPR and CCPA compliance but holds only 2 third-party verified certifications (SOC 2 Type 2 and ISO 27001). GDPR and CCPA are compliance postures, not certifications.
    • CSA CAIQ Completion Not Independently Verified: CSA CAIQ was completed but no link to public CSA profile provided. Cannot independently verify questionnaire details.

    // At a glance

    Pricing model

    Customized based on company size, hiring volume, feature needs, and implementation requirements. Per-user or per-hire models. Enterprise and mid-market focus.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Employ Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    lever.co

    > Browse all vendor trust reports