// Trust & Security Report
Paradox, Inc. (a Workday company)
Conversational hiring platform built around the Olivia AI assistant, spanning Conversational ATS, Conversational Career Sites, Conversational CRM, Conversational Apply, Conversational Events, and Conversational Scheduling; acquired by Workday (closed October 1, 2025) and now operated as Workday's frontline/high-volume talent acquisition suite.
Certifications held
3
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on paradox.ai“SOC 2 Type II — Certified by independent audit for design and operating effectiveness of security practices and commitment to the Trust Service Principles.”
Verify on paradox.ai“ISO 27001 — Third-party certified for demonstrated compliance of information security management systems and internal controls.”
Verify on paradox.ai“Paradox is an active participant in the EU-U.S. Data Privacy Framework, the UK extension, and the Swiss-U.S. Data Privacy Framework.”
> Show 7 unconfirmed / not-held certifications
source: paradox.aiNo standalone 'GDPR certified' claim exists (GDPR has no certification scheme). Vendor offers a Global Data Privacy Addendum (GDPA) on request: 'To the extent Paradox will be Processing the Personal Information of individuals outside of the United States ... Client may request that Paradox provide copy of its Global Data Privacy Addendum.' Graded held=false because this is a contractual posture, not a verifiable third-party certification; DPF participation (above) is the closest audited proxy for EU transfer compliance.
source: paradox.aiNo public evidence. HIPAA is not mentioned anywhere on the security page, the DPA, or the Terms of Service. Paradox markets a healthcare-hiring solution but this covers candidate/recruiting data, not treatment records, so absence of a HIPAA/BAA claim is consistent with product scope rather than a gap.
source: paradox.aiNo public evidence; not mentioned on the security page. Paradox does not process cardholder payment data as part of its core hiring product, so this is expected to be out of scope.
source: paradox.aiNo public evidence; only ISO 27001 is named on the security page.
source: paradox.aiNo public evidence; the security page lists only ISO 27001, SOC 2 Type II, and the Data Privacy Framework. No AI-governance-specific certification is referenced anywhere on the vendor's legal pages.
source: paradox.aiNo public evidence; no FedRAMP marketplace listing or vendor claim found. Paradox's public clients (7-Eleven, Compass Group, Chipotle, Medtronic) are commercial, not federal.
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
Not publicly disclosed. The US DPA governs US processing; a separate Global Data Privacy Addendum (GDPA) is available on request for personal information of individuals outside the US, implying no single disclosed data-residency commitment on the public site.
Terms of Service, Section 8(D) 'Improvement Data': 'Paradox may use Deidentified Client Data (i) to build, improve and enhance the quality or performance of the Paradox offerings, including the training of Paradox's natural language processing functionality; (ii) for other development, diagnostic and corrective purposes...' Deidentified data is owned outright by Paradox. No customer-facing opt-out mechanism for this training use was found in the DPA or Terms. Flagged: a security-conscious enterprise buyer should confirm opt-out/negotiated exclusion via contract, since it is not offered as a public self-serve toggle.
// Security controls
SOC 2 Type II
Certified by independent third-party audit; details self-reported on vendor security page, not independently re-verified beyond the vendor's own statement.
paradox.aiISO 27001
Third-party certified ISMS covering Paradox's own internal systems, described as separate from any cloud-host (e.g. AWS) certification: 'We're not relying solely on AWS or anyone else for their certification, we went out and got our own.'
paradox.aiUptime / status transparency
Public real-time status page maintained: 'you can see how we're performing at any time on our status page.'
status.paradox.aiEncryption in transit / at rest
Not disclosed on the public security page; no specific technical detail (TLS version, at-rest encryption, key management) is published.
paradox.ai// Products & data scope
data: Candidate PII (name, contact info, application answers, scheduling data), conversational transcripts
Single security/legal framework covers all product surfaces; no separate certs disclosed per sub-product.
data: Candidate applications, screening data, offer data
Positioned as enterprise-grade ATS replacement.
data: Candidate and prospect contact data, event registrations, interview scheduling data
Marketed toward high-volume frontline hiring (retail, restaurant, healthcare, logistics).
// What to watch
- Post-acquisition identity transition: Workday completed its acquisition of Paradox on October 1, 2025 ($1B cash). Both the vendor's /legal/privacy-policy and /legal/data-privacy-framework-notice URLs now 301-redirect to Workday's global privacy statement (workday.com/en-us/privacy.html), so the standalone Paradox DPF self-certification notice is no longer served on-domain; the DPF participation claim remains verifiable only via the summary statement on the still-standalone /legal/security page. /legal/security, /legal/us-dpa, and /legal/service-terms continue to operate as standalone Paradox, Inc. pages. Buyers should confirm which legal entity's terms currently govern a given contract, since the site itself is inconsistent about this transition.
- AI training on deidentified data with no visible public opt-out: Terms of Service Section 8(D) permits use of deidentified client data to train Paradox's NLP functionality; no opt-out toggle is published, only inferred negotiability via direct contract.
- Do not conflate with 'Paradox Group' (paradoxgroup.com), an unrelated company that surfaced in search results under a similar name.
- The SOC 2 Type II / ISO 27001 announcement dates to a 2019 press release; the current security page still cites the same two certifications without a visible renewal date, scope statement, or auditor name, so currency of the underlying audit could not be independently confirmed beyond the vendor's own claim.
- No HIPAA, PCI DSS, ISO 27017/27018/27701, ISO 42001, CSA STAR, or FedRAMP claims found anywhere on vendor-domain pages; treated as honestly absent rather than penalized, consistent with an HR/recruiting SaaS scope.
// At a glance
Pricing model
Enterprise sales-led (demo request; no public self-serve pricing)
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Paradox, Inc. (a Workday company)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
paradox.ai