// Trust & Security Report
Employ Inc.
Lever is a modern applicant tracking system (ATS) with candidate relationship management (CRM) functionality, offering AI-powered hiring automation for recruiting teams. Part of Employ Inc's portfolio alongside JazzHR (foundational), Jobvite (sophisticated), and NXTThing RPO.
Certifications held
7
Maturity
Growth
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on lever.co“A Service Organization Report (SOC 2 Type 2 report) is designed to evidence a service provider's internal organizational controls. Issued by Schellman, an independent auditor.”
Verify on lever.co“Lever maintains this international standard certification, demonstrating an organization has established and maintains robust information security management systems (ISMS). Verified by Schellman.”
Verify on employinc.com“Information security parameters comply with the General Data Protection Regulation (GDPR). Employ provides a Data Protection Addendum (DPA) covering GDPR Regulation 2016/679 and UK GDPR, effective November 8, 2023 (last updated May 20, 2025).”
Verify on lever.co“Information security parameters comply with the California Consumer Privacy Act (CCPA) and are intended to support customers' compliance with the GDPR and CCPA.”
Verify on employinc.com“Lever adheres to applicable privacy requirements for EU personal data transfers and maintains Data Privacy Framework status. For any Customer Data transferred outside the EEA, UK, or Swiss territories, the Data Privacy Framework will apply as primary mechanism.”
Verify on employinc.com“Available for EU data processing needs. SCCs are incorporated as Exhibit A for transfers outside the EEA, UK, and Switzerland as fallback mechanism if Data Privacy Framework becomes invalidated.”
Verify on lever.co“Lever completed the Cloud Security Alliance (CSA) Consensus Assessments Initiative Questionnaire covering 16 governing domains.”
> Show 5 unconfirmed / not-held certifications
source: lever.coHIPAA is not mentioned in Lever's security documentation. No evidence of HIPAA certification or Business Associate Agreement (BAA) availability. Lever is not positioned as a HIPAA-compliant product.
source: lever.coNo public evidence. PCI DSS is not mentioned in Lever's published certifications or security documentation.
source: lever.coNo public evidence. These additional ISO standards are not mentioned in Lever's published certifications.
source: lever.coNo public evidence. ISO 42001 is not mentioned in Lever's published certifications or AI governance documentation.
source: cloudsecurityalliance.orgNo public evidence. CSA STAR for AI was launched by Cloud Security Alliance in October 2025 for trustworthy AI governance. Lever does not currently claim this certification.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
AWS us-west-2 (Oregon, US) and AWS eu-central-1 (Frankfurt, Germany). Customers are striped across multiple availability zones. Weekly full backups, daily full instance/system images, database transaction logs every 15 minutes. All backup files encrypted prior to backup and at rest. Access logging enabled.
Lever uses AI throughout the hiring platform (candidate screening, fraud detection, interview scheduling, scoring). However, Lever does not publicly disclose whether customer hiring data (resumes, application details, candidate information) is used to train or improve these AI models. Employ Inc. has committed to responsible AI principles aligned with ADP Marketplace (human oversight, monitoring, privacy, explainability, transparency, bias mitigation), but no explicit opt-out policy for AI training is documented. This represents a significant gap in transparency.
// Security controls
Data Backup Frequency
Weekly full backups, daily full instance/system images, DB transaction logs every 15 minutes
help.lever.coIncident Notification
Security incident notification includes nature, date/time, affected data subjects, and remediation measures per DPA requirements
employinc.comSub-processor Management
15-day advance notice of new sub-processors with 30-day objection period. Customers may terminate if objections not accommodated.
employinc.comData Deletion Post-Termination
Within 45 days of service termination, except where legally required to retain
employinc.comAccess Controls
Layered safeguards for fraud detection and data protection as part of platform security architecture
lever.coFraud Detection
Built-in application screening with identity verification, resume conflict detection, and resume fraud flagging
lever.co// Products & data scope
data: Candidate resumes, application data, interview notes, hiring team communications, candidate feedback, offer letters, applicant history
Core product combining ATS and CRM functionality. Includes AI-powered features for candidate screening, match scoring, fraud detection, interview scheduling, and hiring recommendations. Available for small, mid-sized, and enterprise organizations.
data: Applicant data, role matching signals, skill extraction, leadership indicators, compensation analysis, fraud signals
AI-embedded across entire hiring journey. Provides role-specific experience matching, leadership signal detection, salary consideration analysis, and fraud flagging. No public documentation of customer data usage for model training or fine-tuning.
// What to watch
- AI Training Transparency Gap: Lever uses AI extensively throughout the platform but does not publicly disclose whether customer hiring data is used to train or fine-tune AI models. No opt-out policy found. This is a material gap for enterprises with sensitive hiring data.
- No HIPAA Support: Lever is not HIPAA-compliant and does not offer BAA, limiting use for healthcare recruiting.
- Limited AI Governance Certification: No ISO 42001 or CSA STAR AI certification. Given the embedded AI across the platform, third-party AI governance validation would strengthen trust posture.
- Compliance Claims vs. Certifications: Lever claims GDPR and CCPA compliance but holds only 2 third-party verified certifications (SOC 2 Type 2 and ISO 27001). GDPR and CCPA are compliance postures, not certifications.
- CSA CAIQ Completion Not Independently Verified: CSA CAIQ was completed but no link to public CSA profile provided. Cannot independently verify questionnaire details.
// At a glance
Pricing model
Customized based on company size, hiring volume, feature needs, and implementation requirements. Per-user or per-hire models. Enterprise and mid-market focus.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Employ Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-07-07. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
lever.co