// Trust & Security Report
ZipStorm, Inc. (d/b/a SeekOut)
AI recruiting suite with two distinct products: SeekOut Recruit (self-serve AI sourcing/screening/outreach platform for in-house recruiters) and SeekOut Spot (managed, agentic-AI-plus-human-recruiter sourcing service); also offers a ChatGPT-integrated search experience.
Certifications held
5
Maturity
Growth
Trains on your data
No
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on seekout.com“SeekOut is SOC 2 Type 2 certified as of June 8, 2023.' Trust center resource list also shows 'SeekOut SOC 2 Type II June 2025' as the most-accessed report.”
Verify on seekout.com“SeekOut is compliant with ISO/IEC: 42001:2023 and ISO/IEC: 23894:2023. Note: the vendor states 'compliant with' (a self-attested alignment), not third-party 'certified'; 42001 is a certifiable management-system standard, so treat this as a stated AI-governance compliance posture rather than a confirmed audited certificate.”
Verify on seekout.com“SeekOut is compliant with ISO/IEC: 42001:2023 and ISO/IEC: 23894:2023. Note: 23894 is a guidance standard (not third-party certifiable in the way 27001/42001 are), so treat this as a stated governance-framework alignment rather than an audited certificate.”
Verify on trust.seekout.com“Compliant with GDPR, CCPA, and other privacy regulations' with documented data processing agreements; trust center Compliance tab lists 'GDPR' alongside SOC 2 and CCPA.”
> Show 4 unconfirmed / not-held certifications
source: seekout.comSeekOut's own security page lists 'SOC 2, ISO/IEC, CSA/CCM, ITAR, CJIS, HIPAA and IRS 1075' as certifications held by Microsoft Azure (the hosting infrastructure), not by SeekOut itself. No ISO 27001 certificate is claimed for SeekOut/ZipStorm as an organization on the security page or trust center.
source: seekout.comHIPAA appears only in the list of certifications held by Microsoft Azure ('Microsoft Azure ... HIPAA') on SeekOut's security page and is not claimed as a SeekOut/ZipStorm compliance status anywhere on the trust center or privacy policy.
source: trust.seekout.comNo public evidence: PCI DSS is not mentioned on the trust center, security page, or privacy policy. SeekOut does not appear to process payment card data directly, so this framework is likely out of scope rather than a gap.
source: seekout.comNo public evidence of a FedRAMP authorization on any vendor-domain page reviewed.
// Privacy & AI training
Trains on customer data
No
Data processing agreement
Offered
Data region
United States (Microsoft Azure US data centers); SeekOut states it 'complies with our obligations under data processing agreements with our customers, including applicable standard contractual clauses' for transfers from the EEA and other jurisdictions to the US.
SeekOut's security page states plainly: 'SeekOut does not use any client data to train our AI models' and 'does not test its software with customer data' or 'use client data to enhance its own data.' Separately, the privacy policy confirms SeekOut does not use Google Workspace API data 'to develop, improve, or train generalized/non-personalized AI or machine learning models.' The privacy policy does note SeekOut uses machine learning internally to generate inferences (e.g., job mobility, demographic characteristics) about candidates already in its own sourced database, which is a distinct practice from training on a customer's own tenant data.
// Security controls
Encryption in transit
HTTPS/TLS 1.2+ required; 'The SeekOut service can only be accessed by secure HTTPS connection'
seekout.comHosting infrastructure
Runs on Microsoft Azure, 'SOC 2 certified data centers in the United States'; daily backups geographically distributed
seekout.comPenetration testing
Third-party pentest at least annually; trust center lists 'Recruit Pentest Results 2025' as a published resource; monthly vulnerability scans on webapps/networks
trust.seekout.comFairness/bias auditing
Independent bias audits published for both products: 'Bias Audit - SeekOut Recruit' and 'Bias Audit - SeekOut Spot'
trust.seekout.comCyber insurance
Trust center lists a 'Certificate of CyberInsurance' as an available resource
trust.seekout.comSubprocessors disclosed
Trust center subprocessor list includes Microsoft Azure (cloud hosting, US), Intercom (support widget, US), Atlassian SSO/Jira/Confluence (support ticketing, US)
trust.seekout.com// Products & data scope
data: Customer ATS data plus SeekOut's 1B+ sourced candidate profile database; recruiter-controlled sourcing, AI screening/scoring of applicants, outreach campaigns
Primary self-serve product; free trial offered.
data: Candidate resumes, screening transcripts, and evaluation packets handled directly by SeekOut's own agentic AI and human recruiters on the customer's behalf
Higher data-handling exposure than Recruit because SeekOut staff/AI conduct outreach and screening directly rather than the customer's own recruiters; sold via custom engagement, not self-serve.
data: Exposes SeekOut sourcing capability inside ChatGPT; scope of data shared with/through OpenAI's platform is not detailed in vendor-domain material reviewed
Newly promoted on the homepage; no dedicated security/privacy disclosure found for this integration specifically, worth a follow-up question for enterprise buyers.
// What to watch
- Host-vs-vendor cert ambiguity: SeekOut's own /security page lists Microsoft Azure's certifications (SOC 2, ISO/IEC, CSA/CCM, ITAR, CJIS, HIPAA, IRS 1075) in the same breath as SeekOut's own SOC 2 Type II claim. A careless reader could mistake Azure's ISO/IEC and HIPAA coverage for SeekOut's own certification status; graded ISO 27001 and HIPAA held=false for SeekOut specifically because no vendor-level (not host-level) attestation was found.
- Trust center (trust.seekout.com) requires 'Request access' for full document access; grading is based on the publicly visible summary page (captured in evidence) plus corroborating detail from the public /security page and third-party summary of the privacy policy, not the underlying signed audit reports themselves.
- ISO/IEC 23894:2023 is a risk-management guidance standard, not a certifiable management-system standard like 27001/42001; listing it alongside 42001 as a 'certification' on the vendor's own page is itself a mild over-statement worth flagging to buyers.
- No distinct security/privacy disclosure found for the new 'SeekOut in ChatGPT' integration; enterprise buyers evaluating that surface should ask SeekOut directly what data crosses into OpenAI's platform.
// At a glance
Pricing model
Custom/enterprise quote-based pricing for both products; free trial available for SeekOut Recruit, no public self-serve pricing for SeekOut Spot
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on ZipStorm, Inc. (d/b/a SeekOut)'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.seekout.com