// Trust & Security Report

    ZipStorm, Inc. (d/b/a SeekOut) logo

    ZipStorm, Inc. (d/b/a SeekOut)

    AI recruiting suite with two distinct products: SeekOut Recruit (self-serve AI sourcing/screening/outreach platform for in-house recruiters) and SeekOut Spot (managed, agentic-AI-plus-human-recruiter sourcing service); also offers a ChatGPT-integrated search experience.

    Certifications held

    5

    Maturity

    Growth

    Trains on your data

    No

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type II
    HELD

    SeekOut is SOC 2 Type 2 certified as of June 8, 2023.' Trust center resource list also shows 'SeekOut SOC 2 Type II June 2025' as the most-accessed report.

    Verify on seekout.com
    ISO/IEC 42001:2023 (AI Management System)
    HELD

    SeekOut is compliant with ISO/IEC: 42001:2023 and ISO/IEC: 23894:2023. Note: the vendor states 'compliant with' (a self-attested alignment), not third-party 'certified'; 42001 is a certifiable management-system standard, so treat this as a stated AI-governance compliance posture rather than a confirmed audited certificate.

    Verify on seekout.com
    ISO/IEC 23894:2023 (AI risk management guidance)
    HELD

    SeekOut is compliant with ISO/IEC: 42001:2023 and ISO/IEC: 23894:2023. Note: 23894 is a guidance standard (not third-party certifiable in the way 27001/42001 are), so treat this as a stated governance-framework alignment rather than an audited certificate.

    Verify on seekout.com
    GDPR
    HELD

    Compliant with GDPR, CCPA, and other privacy regulations' with documented data processing agreements; trust center Compliance tab lists 'GDPR' alongside SOC 2 and CCPA.

    Verify on trust.seekout.com
    CCPA
    HELD

    Trust center Compliance tab shows 'CCPA ... COMPLIANT'.

    Verify on trust.seekout.com
    > Show 4 unconfirmed / not-held certifications
    ISO/IEC 27001
    NOT CONFIRMED

    SeekOut's own security page lists 'SOC 2, ISO/IEC, CSA/CCM, ITAR, CJIS, HIPAA and IRS 1075' as certifications held by Microsoft Azure (the hosting infrastructure), not by SeekOut itself. No ISO 27001 certificate is claimed for SeekOut/ZipStorm as an organization on the security page or trust center.

    source: seekout.com
    HIPAA
    NOT CONFIRMED

    HIPAA appears only in the list of certifications held by Microsoft Azure ('Microsoft Azure ... HIPAA') on SeekOut's security page and is not claimed as a SeekOut/ZipStorm compliance status anywhere on the trust center or privacy policy.

    source: seekout.com
    PCI DSS
    NOT CONFIRMED

    No public evidence: PCI DSS is not mentioned on the trust center, security page, or privacy policy. SeekOut does not appear to process payment card data directly, so this framework is likely out of scope rather than a gap.

    source: trust.seekout.com
    FedRAMP
    NOT CONFIRMED

    No public evidence of a FedRAMP authorization on any vendor-domain page reviewed.

    source: seekout.com

    // Privacy & AI training

    Trains on customer data

    No

    Data processing agreement

    Offered

    Data region

    United States (Microsoft Azure US data centers); SeekOut states it 'complies with our obligations under data processing agreements with our customers, including applicable standard contractual clauses' for transfers from the EEA and other jurisdictions to the US.

    SeekOut's security page states plainly: 'SeekOut does not use any client data to train our AI models' and 'does not test its software with customer data' or 'use client data to enhance its own data.' Separately, the privacy policy confirms SeekOut does not use Google Workspace API data 'to develop, improve, or train generalized/non-personalized AI or machine learning models.' The privacy policy does note SeekOut uses machine learning internally to generate inferences (e.g., job mobility, demographic characteristics) about candidates already in its own sourced database, which is a distinct practice from training on a customer's own tenant data.

    // Security controls

    Encryption in transit

    HTTPS/TLS 1.2+ required; 'The SeekOut service can only be accessed by secure HTTPS connection'

    seekout.com

    Encryption at rest

    AES-256; 'All customer data is encrypted in transit and at rest'

    seekout.com

    Key management

    Encryption keys managed by Microsoft Azure

    seekout.com

    Hosting infrastructure

    Runs on Microsoft Azure, 'SOC 2 certified data centers in the United States'; daily backups geographically distributed

    seekout.com

    Penetration testing

    Third-party pentest at least annually; trust center lists 'Recruit Pentest Results 2025' as a published resource; monthly vulnerability scans on webapps/networks

    trust.seekout.com

    Bug bounty

    Active HackerOne bug bounty program

    seekout.com

    Fairness/bias auditing

    Independent bias audits published for both products: 'Bias Audit - SeekOut Recruit' and 'Bias Audit - SeekOut Spot'

    trust.seekout.com

    Cyber insurance

    Trust center lists a 'Certificate of CyberInsurance' as an available resource

    trust.seekout.com

    Subprocessors disclosed

    Trust center subprocessor list includes Microsoft Azure (cloud hosting, US), Intercom (support widget, US), Atlassian SSO/Jira/Confluence (support ticketing, US)

    trust.seekout.com

    // Products & data scope

    SeekOut RecruitSelf-serve AI recruiting platform

    data: Customer ATS data plus SeekOut's 1B+ sourced candidate profile database; recruiter-controlled sourcing, AI screening/scoring of applicants, outreach campaigns

    Primary self-serve product; free trial offered.

    SeekOut SpotManaged/agentic AI recruiting service

    data: Candidate resumes, screening transcripts, and evaluation packets handled directly by SeekOut's own agentic AI and human recruiters on the customer's behalf

    Higher data-handling exposure than Recruit because SeekOut staff/AI conduct outreach and screening directly rather than the customer's own recruiters; sold via custom engagement, not self-serve.

    SeekOut in ChatGPTConversational search integration

    data: Exposes SeekOut sourcing capability inside ChatGPT; scope of data shared with/through OpenAI's platform is not detailed in vendor-domain material reviewed

    Newly promoted on the homepage; no dedicated security/privacy disclosure found for this integration specifically, worth a follow-up question for enterprise buyers.

    // What to watch

    • Host-vs-vendor cert ambiguity: SeekOut's own /security page lists Microsoft Azure's certifications (SOC 2, ISO/IEC, CSA/CCM, ITAR, CJIS, HIPAA, IRS 1075) in the same breath as SeekOut's own SOC 2 Type II claim. A careless reader could mistake Azure's ISO/IEC and HIPAA coverage for SeekOut's own certification status; graded ISO 27001 and HIPAA held=false for SeekOut specifically because no vendor-level (not host-level) attestation was found.
    • Trust center (trust.seekout.com) requires 'Request access' for full document access; grading is based on the publicly visible summary page (captured in evidence) plus corroborating detail from the public /security page and third-party summary of the privacy policy, not the underlying signed audit reports themselves.
    • ISO/IEC 23894:2023 is a risk-management guidance standard, not a certifiable management-system standard like 27001/42001; listing it alongside 42001 as a 'certification' on the vendor's own page is itself a mild over-statement worth flagging to buyers.
    • No distinct security/privacy disclosure found for the new 'SeekOut in ChatGPT' integration; enterprise buyers evaluating that surface should ask SeekOut directly what data crosses into OpenAI's platform.

    // At a glance

    Pricing model

    Custom/enterprise quote-based pricing for both products; free trial available for SeekOut Recruit, no public self-serve pricing for SeekOut Spot

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on ZipStorm, Inc. (d/b/a SeekOut)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.seekout.com

    > Browse all vendor trust reports