// Trust & Security Report

    Paradox, Inc. (a Workday company) logo

    Paradox, Inc. (a Workday company)

    Conversational hiring platform built around the Olivia AI assistant, spanning Conversational ATS, Conversational Career Sites, Conversational CRM, Conversational Apply, Conversational Events, and Conversational Scheduling; acquired by Workday (closed October 1, 2025) and now operated as Workday's frontline/high-volume talent acquisition suite.

    Certifications held

    3

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SOC 2 Type II — Certified by independent audit for design and operating effectiveness of security practices and commitment to the Trust Service Principles.

    Verify on paradox.ai
    ISO 27001
    HELD

    ISO 27001 — Third-party certified for demonstrated compliance of information security management systems and internal controls.

    Verify on paradox.ai
    EU-U.S. / UK / Swiss-U.S. Data Privacy Framework
    HELD

    Paradox is an active participant in the EU-U.S. Data Privacy Framework, the UK extension, and the Swiss-U.S. Data Privacy Framework.

    Verify on paradox.ai
    > Show 7 unconfirmed / not-held certifications
    GDPR (general posture, via DPA/GDPA)
    NOT CONFIRMED

    No standalone 'GDPR certified' claim exists (GDPR has no certification scheme). Vendor offers a Global Data Privacy Addendum (GDPA) on request: 'To the extent Paradox will be Processing the Personal Information of individuals outside of the United States ... Client may request that Paradox provide copy of its Global Data Privacy Addendum.' Graded held=false because this is a contractual posture, not a verifiable third-party certification; DPF participation (above) is the closest audited proxy for EU transfer compliance.

    source: paradox.ai
    HIPAA
    NOT CONFIRMED

    No public evidence. HIPAA is not mentioned anywhere on the security page, the DPA, or the Terms of Service. Paradox markets a healthcare-hiring solution but this covers candidate/recruiting data, not treatment records, so absence of a HIPAA/BAA claim is consistent with product scope rather than a gap.

    source: paradox.ai
    PCI DSS
    NOT CONFIRMED

    No public evidence; not mentioned on the security page. Paradox does not process cardholder payment data as part of its core hiring product, so this is expected to be out of scope.

    source: paradox.ai
    ISO 27017 / 27018 / 27701
    NOT CONFIRMED

    No public evidence; only ISO 27001 is named on the security page.

    source: paradox.ai
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    No public evidence; the security page lists only ISO 27001, SOC 2 Type II, and the Data Privacy Framework. No AI-governance-specific certification is referenced anywhere on the vendor's legal pages.

    source: paradox.ai
    CSA STAR
    NOT CONFIRMED

    No public evidence found on any vendor-domain page.

    source: paradox.ai
    FedRAMP
    NOT CONFIRMED

    No public evidence; no FedRAMP marketplace listing or vendor claim found. Paradox's public clients (7-Eleven, Compass Group, Chipotle, Medtronic) are commercial, not federal.

    source: paradox.ai

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    Not publicly disclosed. The US DPA governs US processing; a separate Global Data Privacy Addendum (GDPA) is available on request for personal information of individuals outside the US, implying no single disclosed data-residency commitment on the public site.

    Terms of Service, Section 8(D) 'Improvement Data': 'Paradox may use Deidentified Client Data (i) to build, improve and enhance the quality or performance of the Paradox offerings, including the training of Paradox's natural language processing functionality; (ii) for other development, diagnostic and corrective purposes...' Deidentified data is owned outright by Paradox. No customer-facing opt-out mechanism for this training use was found in the DPA or Terms. Flagged: a security-conscious enterprise buyer should confirm opt-out/negotiated exclusion via contract, since it is not offered as a public self-serve toggle.

    // Security controls

    SOC 2 Type II

    Certified by independent third-party audit; details self-reported on vendor security page, not independently re-verified beyond the vendor's own statement.

    paradox.ai

    ISO 27001

    Third-party certified ISMS covering Paradox's own internal systems, described as separate from any cloud-host (e.g. AWS) certification: 'We're not relying solely on AWS or anyone else for their certification, we went out and got our own.'

    paradox.ai

    Uptime / status transparency

    Public real-time status page maintained: 'you can see how we're performing at any time on our status page.'

    status.paradox.ai

    Security contact

    security@paradox.ai listed for security-related inquiries.

    paradox.ai

    Encryption in transit / at rest

    Not disclosed on the public security page; no specific technical detail (TLS version, at-rest encryption, key management) is published.

    paradox.ai

    // Products & data scope

    Olivia (Conversational AI assistant)Core AI chat/voice/text interface

    data: Candidate PII (name, contact info, application answers, scheduling data), conversational transcripts

    Single security/legal framework covers all product surfaces; no separate certs disclosed per sub-product.

    Conversational ATSApplicant tracking system

    data: Candidate applications, screening data, offer data

    Positioned as enterprise-grade ATS replacement.

    Conversational Career Sites / Apply / Events / Scheduling / CRMRecruiting marketing, event, and scheduling tooling

    data: Candidate and prospect contact data, event registrations, interview scheduling data

    Marketed toward high-volume frontline hiring (retail, restaurant, healthcare, logistics).

    // What to watch

    • Post-acquisition identity transition: Workday completed its acquisition of Paradox on October 1, 2025 ($1B cash). Both the vendor's /legal/privacy-policy and /legal/data-privacy-framework-notice URLs now 301-redirect to Workday's global privacy statement (workday.com/en-us/privacy.html), so the standalone Paradox DPF self-certification notice is no longer served on-domain; the DPF participation claim remains verifiable only via the summary statement on the still-standalone /legal/security page. /legal/security, /legal/us-dpa, and /legal/service-terms continue to operate as standalone Paradox, Inc. pages. Buyers should confirm which legal entity's terms currently govern a given contract, since the site itself is inconsistent about this transition.
    • AI training on deidentified data with no visible public opt-out: Terms of Service Section 8(D) permits use of deidentified client data to train Paradox's NLP functionality; no opt-out toggle is published, only inferred negotiability via direct contract.
    • Do not conflate with 'Paradox Group' (paradoxgroup.com), an unrelated company that surfaced in search results under a similar name.
    • The SOC 2 Type II / ISO 27001 announcement dates to a 2019 press release; the current security page still cites the same two certifications without a visible renewal date, scope statement, or auditor name, so currency of the underlying audit could not be independently confirmed beyond the vendor's own claim.
    • No HIPAA, PCI DSS, ISO 27017/27018/27701, ISO 42001, CSA STAR, or FedRAMP claims found anywhere on vendor-domain pages; treated as honestly absent rather than penalized, consistent with an HR/recruiting SaaS scope.

    // At a glance

    Pricing model

    Enterprise sales-led (demo request; no public self-serve pricing)

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Paradox, Inc. (a Workday company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    paradox.ai

    > Browse all vendor trust reports