// Trust & Security Report
Harver B.V. (formerly pymetrics, Inc.)
AI-powered pre-employment and behavioral assessment platform (gamified assessments, video interviews, reference checking)
Certifications held
6
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.harver.com“Harver 2025-ISO 27001_2022-Recertification Audit-Certificate.pdf and Harver 2026-ISO 27001 Recertification Audit-Final Report.pdf are listed in the trust center. Harver's CTO stated: 'This certification is a testament to Harver's dedication in providing robust security for our customers.'”
Verify on trust.harver.com“Harver-2026-Type 1 SOC 2-Final Report.pdf is listed in the trust center under the SOC 2 compliance section.”
Verify on trust.harver.com“Harver Holdings B.V. - 2026 - Type 1 SOC 2 & Type 2 SOC 2 - CoE.pdf is listed in the trust center. The security page states: 'regularly audited by trusted third-party organizations to ensure we're compliant with the industry's most rigorous security standards, like ISO 27001 and SOC 2 Type 2.'”
Verify on trust.harver.com“GDPR is listed under the Compliance tab on the trust center. Security page confirms: 'dedicated privacy team ensures oversight on all personal data processing activities, policies, processes, and controls for customer data.' Harver employs a European-based external Data Protection Officer (DPO).”
Verify on harver.com“Harver's security page explicitly states CCPA compliance alongside GDPR: 'adheres to GDPR and CCPA requirements.'”
Verify on harver.com“Both the Harver Platform and pymetrics Soft Skills Platform successfully completed independent third-party bias audits conducted by BABL AI Inc. in accordance with NYC Local Law 144 for automated employment decision tools.”
> Show 1 unconfirmed / not-held certifications
source: trust.harver.comNo mention of HIPAA certification or compliance in any Harver source. Not applicable to HR assessment use cases.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Not stated
Data region
Netherlands (Harver B.V. HQ), United Kingdom, United States. No explicit data residency selection or region-lock feature documented publicly.
No explicit policy found about using candidate assessment data for AI model training. Harver operates as a 'Processor' (not Controller) for candidate personal data collected on behalf of hiring companies. This processor role implies they do not use that data for their own model training without authorization, but no explicit prohibition or confirmation is stated publicly. Candidates' data is retained for 8 weeks after the application process ends (1 year with extended permission from hiring company). Recommend requesting a DPA and explicit AI training opt-out clause during procurement.
// Security controls
Penetration Testing
Independent third-party penetration testing confirmed for pymetrics Platform (Q4 2025). Reports listed: 'CONFIDENTIAL_Pymetrics Platform Penetration Test_Q4 2025_ Executive Response.pdf' and 'CONFIDENTIAL_Pymetrics Platform Penetration Test Management Report_Q4_2025.pdf'. Also confirmed for Checkster platform Q4 2025.
trust.harver.comDisaster Recovery Testing
Confirmed for pymetrics Platform: 'Pymetrics Platform_Disaster Recovery Test Report_Q4 2025.pdf'. Continuity and disaster recovery plans established and tested.
trust.harver.comEncryption
Data encrypted in transit and at rest. Encrypted backup storage on cloud-based solutions.
harver.comAccess Controls
2FA and SAML SSO enforcement across the organization. Unique production database authentication enforced. Encryption key access restricted. Authorized personnel access restrictions.
trust.harver.comVulnerability Management
Ongoing vulnerability scans and penetration tests performed by qualified independent third parties.
harver.comData Protection Officer
European-based external DPO engaged for independent privacy advice and audits.
harver.comBug Bounty / Vulnerability Disclosure
No public bug bounty program found on HackerOne, Bugcrowd, or the Harver website. Security contact email: GlobalSecurity@Harver.com (listed on trust center).
trust.harver.comInsurance Coverage
Evidence of Coverage - COI - 2026.pdf listed in trust center under resources.
trust.harver.comCAIQ
Cloud Security Alliance CAIQ (v4.02) available for both Harver Platform and Checkster Platform.
trust.harver.com// Products & data scope
data: Candidate PII, neuroscience-based cognitive and emotional behavioral data from 12 gamified assessments measuring 90+ attributes. Hiring company is the Data Controller; Harver processes on their behalf. Separate pymetrics Platform pen test and DR reports available. Shared security model document published.
pymetrics was an independent company acquired by Harver. It is now a product within Harver's suite, not a standalone platform. The domain pymetrics.ai now redirects to Harver. NYC Local Law 144 bias audit completed by BABL AI Inc.
data: Candidate PII, skills assessments, video interview data, fraud detection signals. High-level architecture diagram and secure network diagram available in trust center. CAIQ v4.02 available.
Serves Fortune 500 clients at scale. Processes 100+ million candidates globally. Architecture diagrams, data protection policy, and shared security model available in trust center.
data: Candidate and reference contact PII, reference feedback. Separate CAIQ and Q4 2025 pen test reports available.
Pen test conducted Q4 2025 by independent third party. Architecture diagram published in trust center.
data: Candidate video and audio data, facial/verbal analysis signals.
Listed as a product on harver.com but no separate trust documentation found for this product in the trust center.
// What to watch
- pymetrics is no longer a standalone company: it is a product under Harver B.V. Directory listing should reflect 'Harver (pymetrics)' as the vendor name.
- No public bug bounty or vulnerability disclosure program found. Security contact GlobalSecurity@Harver.com is the only channel identified.
- DPA availability not publicly confirmed. Given GDPR processor role, a DPA should exist for enterprise customers but was not found on a public URL. Verify during procurement.
- AI training on candidate data not addressed in public policy. No explicit prohibition or disclosure found. Clarify with vendor before deployment in privacy-sensitive environments.
- Data residency options not documented. Harver has entities in Netherlands, UK, and US. Enterprises with strict data localization requirements should confirm region during contracting.
- NYC Local Law 144 compliance is a positive differentiator: BABL AI Inc. conducted independent bias audits on both the Harver Platform and pymetrics Platform.
// At a glance
Pricing model
Enterprise B2B SaaS, contract-based. No public pricing. Demo request required.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Harver B.V. (formerly pymetrics, Inc.)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.harver.com