// Trust & Security Report

    Recruiterflow Inc. logo

    Recruiterflow Inc.

    AI-native ATS and CRM platform for recruitment and staffing agencies; sub-products include AIRA (AI agent suite with Notetaker, Matchmaker, Field Updates Agent, Submission Agent, Task Agent), multichannel sequences, workflow automation, and Recruiterflow BI

    Certifications held

    3

    Maturity

    Growth

    Trains on your data

    Unknown

    Trust center

    No

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 1
    HELD

    We are now super happy to announce that Recruiterflow is SOC 2 Type 1 and ISO 27001 certified. With this, we meet the highest standards for security and data protection, ensuring your information is safe with us.

    Verify on recruiterflow.com
    ISO 27001
    HELD

    We are now super happy to announce that Recruiterflow is SOC 2 Type 1 and ISO 27001 certified. ISO 27001 Certified badge displayed on the Data Processing Agreement page.

    Verify on recruiterflow.com
    GDPR (posture)
    HELD

    DPA incorporates Standard Contractual Clauses (EU) 2021/914 and the UK International Data Transfer Addendum. User is the Controller of Personal Data and Recruiterflow is the Processor of that data.

    Verify on recruiterflow.com
    > Show 9 unconfirmed / not-held certifications
    SOC 2 Type 2
    NOT CONFIRMED

    Only SOC 2 Type 1 is confirmed per the May 2024 announcement and DPA badge (which shows 'AICPA SOC 2' without a Type qualifier). No public evidence of Type 2 audit completion.

    source: recruiterflow.com
    HIPAA
    NOT CONFIRMED

    No public evidence found. Not mentioned in DPA, privacy policy, product pages, or blog announcements.

    source: recruiterflow.com
    PCI DSS
    NOT CONFIRMED

    unknown / no public evidence

    source: recruiterflow.com
    ISO 27017
    NOT CONFIRMED

    unknown / no public evidence

    source: recruiterflow.com
    ISO 27018
    NOT CONFIRMED

    unknown / no public evidence

    source: recruiterflow.com
    ISO 27701
    NOT CONFIRMED

    unknown / no public evidence

    source: recruiterflow.com
    ISO/IEC 42001 (AI Governance)
    NOT CONFIRMED

    unknown / no public evidence. Recruiterflow markets AI-native capabilities (AIRA) but no AI governance certification found.

    source: recruiterflow.com
    CSA STAR
    NOT CONFIRMED

    unknown / no public evidence

    source: recruiterflow.com
    FedRAMP
    NOT CONFIRMED

    unknown / no public evidence. Product targets private-sector recruiting agencies, not US federal government.

    source: recruiterflow.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Not publicly disclosed. DPA references EU and UK data protection law and includes SCCs but does not specify processing locations or data center regions.

    Public marketing materials state AIRA operates on 'client-specific datasets only' with 'no cross-account training or shared memory' and 'no data ever leaves the system,' but these commitments are not confirmed in the publicly accessible privacy policy or DPA text. AI training posture is not explicitly addressed in the DPA or user agreement. Prospective customers should request a written AI data usage commitment before contracting.

    // Security controls

    Encryption in transit

    Not explicitly stated in public documentation; implied by ISO 27001 and SOC 2 Type 1 compliance. No specific TLS version or cipher suite published.

    recruiterflow.com

    Encryption at rest

    Not explicitly stated in public documentation; implied by ISO 27001 and SOC 2 Type 1 compliance. No AES specification published.

    recruiterflow.com

    Access controls

    Role-based permissions available. DPA references physical and logical access controls, data transfer controls, and entry logging per Annex II.

    recruiterflow.com

    Penetration testing

    Not mentioned in any public-facing documentation.

    recruiterflow.com

    Availability / SLA

    SLA-backed support mentioned on homepage. Specific uptime SLA percentage not publicly stated.

    recruiterflow.com

    Breach notification

    Data Breach Policy document exists (recruiterflow.com/data-breach-policy). Specific notification timelines could not be extracted from the PDF. GDPR 72-hour notification is required by DPA framework.

    recruiterflow.com

    Sub-processors

    EXHIBIT 3 of the DPA references a sub-processor list but it is not publicly disclosed in the DPA document itself.

    recruiterflow.com

    // Products & data scope

    Platform PlanATS + CRM

    data: Candidate profiles, contact data, job mandates, email and LinkedIn communications, call recordings (if AIRA Notetaker used). Handles special-category GDPR data (CVs, employment history, potentially Article 9 data).

    $149/user/month. Includes ATS, CRM, multichannel sequences, automation, API access, and basic reporting. No AIRA AI agents in this tier.

    AIRA PlanAI-native ATS + CRM + AI Agents

    data: All Platform Plan data plus AI-processed call transcripts, meeting summaries, auto-populated CRM fields, and sourced external candidate profiles (AIRA Source).

    Custom pricing for larger teams. Adds full AIRA agent suite: Notetaker, Matchmaker, Job Change Alerts, Field Updates Agent, Submission Agent, Task Agent, and agentic orchestration. AI data handling commitments are the key procurement question for this tier.

    // What to watch

    • SOC 2 TYPE AMBIGUITY: Homepage and DPA badge display 'SOC 2' without a type qualifier. Only the May 2024 blog announcement explicitly confirms Type 1. SOC 2 Type 2 (continuous audit) has not been announced. AIFOXX should list 'SOC 2 Type 1' not 'SOC 2' to avoid implying the stronger Type 2 audit.
    • NO DEDICATED TRUST CENTER: trust.recruiterflow.com, security.recruiterflow.com, and compliance.recruiterflow.com all redirect to the main marketing homepage. The data-security page (recruiterflow.com/data-security) returned 404. Security evidence is scattered across the DPA, blog post, and product pages rather than consolidated.
    • AI TRAINING POSTURE UNDOCUMENTED: Marketing claims 'no cross-account training or shared memory' for AIRA but this commitment does not appear in the DPA or Privacy Policy text. Customers using the AI-heavy AIRA Plan should obtain explicit contractual AI data commitments.
    • DATA RESIDENCY UNKNOWN: The DPA uses SCCs and UK IDTA but does not name data center locations or regions. Customers with strict data sovereignty requirements (e.g., EU-only hosting) cannot confirm compliance from public docs.
    • HIPAA NOT ADDRESSED: Recruiterflow handles candidate health data as a special category under GDPR Article 9 but has no stated HIPAA posture. Healthcare or healthcare-adjacent recruiters using this platform should assess BAA availability separately.

    // At a glance

    Pricing model

    Per-user per-month SaaS. Platform Plan at $149/user/month; AIRA Plan at custom pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Recruiterflow Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    recruiterflow.com

    > Browse all vendor trust reports