// Trust & Security Report
Recruiterflow Inc.
AI-native ATS and CRM platform for recruitment and staffing agencies; sub-products include AIRA (AI agent suite with Notetaker, Matchmaker, Field Updates Agent, Submission Agent, Task Agent), multichannel sequences, workflow automation, and Recruiterflow BI
Certifications held
3
Maturity
Growth
Trains on your data
Unknown
Trust center
No
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on recruiterflow.com“We are now super happy to announce that Recruiterflow is SOC 2 Type 1 and ISO 27001 certified. With this, we meet the highest standards for security and data protection, ensuring your information is safe with us.”
Verify on recruiterflow.com“We are now super happy to announce that Recruiterflow is SOC 2 Type 1 and ISO 27001 certified. ISO 27001 Certified badge displayed on the Data Processing Agreement page.”
Verify on recruiterflow.com“DPA incorporates Standard Contractual Clauses (EU) 2021/914 and the UK International Data Transfer Addendum. User is the Controller of Personal Data and Recruiterflow is the Processor of that data.”
> Show 9 unconfirmed / not-held certifications
source: recruiterflow.comOnly SOC 2 Type 1 is confirmed per the May 2024 announcement and DPA badge (which shows 'AICPA SOC 2' without a Type qualifier). No public evidence of Type 2 audit completion.
source: recruiterflow.comNo public evidence found. Not mentioned in DPA, privacy policy, product pages, or blog announcements.
source: recruiterflow.comunknown / no public evidence. Recruiterflow markets AI-native capabilities (AIRA) but no AI governance certification found.
source: recruiterflow.comunknown / no public evidence. Product targets private-sector recruiting agencies, not US federal government.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Not publicly disclosed. DPA references EU and UK data protection law and includes SCCs but does not specify processing locations or data center regions.
Public marketing materials state AIRA operates on 'client-specific datasets only' with 'no cross-account training or shared memory' and 'no data ever leaves the system,' but these commitments are not confirmed in the publicly accessible privacy policy or DPA text. AI training posture is not explicitly addressed in the DPA or user agreement. Prospective customers should request a written AI data usage commitment before contracting.
// Security controls
Encryption in transit
Not explicitly stated in public documentation; implied by ISO 27001 and SOC 2 Type 1 compliance. No specific TLS version or cipher suite published.
recruiterflow.comEncryption at rest
Not explicitly stated in public documentation; implied by ISO 27001 and SOC 2 Type 1 compliance. No AES specification published.
recruiterflow.comAccess controls
Role-based permissions available. DPA references physical and logical access controls, data transfer controls, and entry logging per Annex II.
recruiterflow.comAvailability / SLA
SLA-backed support mentioned on homepage. Specific uptime SLA percentage not publicly stated.
recruiterflow.comBreach notification
Data Breach Policy document exists (recruiterflow.com/data-breach-policy). Specific notification timelines could not be extracted from the PDF. GDPR 72-hour notification is required by DPA framework.
recruiterflow.comSub-processors
EXHIBIT 3 of the DPA references a sub-processor list but it is not publicly disclosed in the DPA document itself.
recruiterflow.com// Products & data scope
data: Candidate profiles, contact data, job mandates, email and LinkedIn communications, call recordings (if AIRA Notetaker used). Handles special-category GDPR data (CVs, employment history, potentially Article 9 data).
$149/user/month. Includes ATS, CRM, multichannel sequences, automation, API access, and basic reporting. No AIRA AI agents in this tier.
data: All Platform Plan data plus AI-processed call transcripts, meeting summaries, auto-populated CRM fields, and sourced external candidate profiles (AIRA Source).
Custom pricing for larger teams. Adds full AIRA agent suite: Notetaker, Matchmaker, Job Change Alerts, Field Updates Agent, Submission Agent, Task Agent, and agentic orchestration. AI data handling commitments are the key procurement question for this tier.
// What to watch
- SOC 2 TYPE AMBIGUITY: Homepage and DPA badge display 'SOC 2' without a type qualifier. Only the May 2024 blog announcement explicitly confirms Type 1. SOC 2 Type 2 (continuous audit) has not been announced. AIFOXX should list 'SOC 2 Type 1' not 'SOC 2' to avoid implying the stronger Type 2 audit.
- NO DEDICATED TRUST CENTER: trust.recruiterflow.com, security.recruiterflow.com, and compliance.recruiterflow.com all redirect to the main marketing homepage. The data-security page (recruiterflow.com/data-security) returned 404. Security evidence is scattered across the DPA, blog post, and product pages rather than consolidated.
- AI TRAINING POSTURE UNDOCUMENTED: Marketing claims 'no cross-account training or shared memory' for AIRA but this commitment does not appear in the DPA or Privacy Policy text. Customers using the AI-heavy AIRA Plan should obtain explicit contractual AI data commitments.
- DATA RESIDENCY UNKNOWN: The DPA uses SCCs and UK IDTA but does not name data center locations or regions. Customers with strict data sovereignty requirements (e.g., EU-only hosting) cannot confirm compliance from public docs.
- HIPAA NOT ADDRESSED: Recruiterflow handles candidate health data as a special category under GDPR Article 9 but has no stated HIPAA posture. Healthcare or healthcare-adjacent recruiters using this platform should assess BAA availability separately.
// At a glance
Pricing model
Per-user per-month SaaS. Platform Plan at $149/user/month; AIRA Plan at custom pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Recruiterflow Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
recruiterflow.com