// Trust & Security Report

    SmartRecruiters, Inc. logo

    SmartRecruiters, Inc.

    SmartRecruiters Talent Acquisition Suite (enterprise ATS/hiring platform, now marketed as "SmartOS") including the Winston AI layer sub-products (Winston Match, Winston Screen, Winston Companion, Winston Chat, Winston Interview) and the Attrax career-site product; SmartRecruiters was acquired by SAP and is positioned as "part of SAP SuccessFactors" for enterprise natively-integrated deployments.

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Unknown

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    SOC 2 Type 2
    HELD

    Certifications: TISAX, CCPA, SOC 2 Type 2, ISO-27001, UK Cyber Essentials ... Documents: SOC 2 Type 2 Attestation Issued 8-January-2026 / SOC 2 Type 2 Report Issued 8-January-2026

    Verify on trust.smartrecruiters.com
    ISO 27001
    HELD

    ISO 27001:2022 Certificate Valid 2025-09-03 to 2028-09-02

    Verify on trust.smartrecruiters.com
    ISO 22301 (Business Continuity Management)
    HELD

    Smartrecruiters ISO 22301:2019 Certificate

    Verify on trust.smartrecruiters.com
    TISAX
    HELD

    TISAX - Scope S67CLK Assessment (document listed under the profile's TISAX certification)

    Verify on trust.smartrecruiters.com
    UK Cyber Essentials
    HELD

    Cyber Essentials Dec 2025 - Dec 2026

    Verify on trust.smartrecruiters.com
    CCPA (compliance posture, not a certification body)
    HELD

    Certifications: TISAX, CCPA, SOC 2 Type 2, ISO-27001, UK Cyber Essentials

    Verify on trust.smartrecruiters.com
    GDPR (regulatory posture, not a certification)
    HELD

    SmartRecruiters commits to comply with the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF ... cooperates with EU data protection authorities and the UK Information Commissioner's Office regarding complaints about handling of human resources data.

    Verify on smartrecruiters.com
    > Show 5 unconfirmed / not-held certifications
    ISO/IEC 42001 (AI management system)
    NOT CONFIRMED

    A document titled 'ISO 42001 Certification' is listed as a request-access file in the trust center's document library, but ISO 42001 does not appear in the profile's headline Certifications list (TISAX, CCPA, SOC 2 Type 2, ISO-27001, UK Cyber Essentials) and no issued/valid certificate date is shown publicly, so this cannot be confirmed as a held certification versus an in-progress or scoped document.

    source: trust.smartrecruiters.com
    HIPAA
    NOT CONFIRMED

    No public evidence: HIPAA is not listed in the trust center's certifications or documents, and is not mentioned on the general or candidate privacy policy pages. Not typically applicable to a recruiting/ATS platform, which does not process PHI.

    source: trust.smartrecruiters.com
    PCI DSS
    NOT CONFIRMED

    No public evidence: not listed among trust center certifications or documents. SmartRecruiters is a recruiting/ATS platform and does not appear to process cardholder payment data directly.

    source: trust.smartrecruiters.com
    FedRAMP
    NOT CONFIRMED

    No public evidence found in the trust center or on smartrecruiters.com pages reviewed.

    source: trust.smartrecruiters.com
    CSA STAR
    NOT CONFIRMED

    No public evidence found in the trust center or on smartrecruiters.com pages reviewed.

    source: trust.smartrecruiters.com

    // Privacy & AI training

    Trains on customer data

    Not stated

    Data processing agreement

    Offered

    Data region

    Personal data is reported to be processed by SmartRecruiters' hosting subprocessor on AWS infrastructure located in Germany for EU customers, with SmartRecruiters positioning itself as supporting compliant recruiting in over 100 countries via configurable data retention settings; a Data Processing Addendum (SmartRecruiters-with-Customers, GDPR) is published for customers.

    The trust center's document library lists multiple AI-governance artifacts gated behind 'Request access' -- Algorithmic Impact Assessments (AIIA) and Data Protection Impact Assessments (DPIA) for Winston Match, Winston Screen, Winston Companion, Winston Chat and Winston Interview, plus 'General Purpose AI (GPAI) Training Data Template' documents naming the underlying foundation models used (Claude Sonnet 3.5/3.7/4.0, Gemini 2.0 Flash/2.5 Pro) -- indicating formal documentation of what training data feeds those third-party foundation models. A general web search surfaced an unverified secondary claim that SmartRecruiters 'anonymizes every piece of candidate data used to train their models' and offers an 'AI Control Center' for customers to govern what Winston 'sees, learns, and acts on,' but this could not be confirmed with a direct quote from a fetched vendor page (the AI whitepaper PDF and the Winston/AI-recruiting-technology marketing pages did not yield the claim on direct fetch, one returned 403). Neither the general privacy policy nor the candidate privacy policy explicitly states whether candidate data trains AI models or names an opt-out mechanism. Treat as unconfirmed pending direct document review or vendor follow-up.

    // Security controls

    Encryption in transit

    Listed as an active control in the trust center: 'Data Security ... Data Encrypted In-Transit'.

    trust.smartrecruiters.com

    Encryption at rest

    Listed as an active control in the trust center: 'Data Security ... Data Encrypted At-Rest'.

    trust.smartrecruiters.com

    Authentication

    'Product Security ... Multi-Factor Authentication, Audit Logs, SSO' listed as active controls.

    trust.smartrecruiters.com

    Organizational security

    'Organizational Security ... Device Encryption, Background Checks, Secure Remote Network Access' listed as active controls.

    trust.smartrecruiters.com

    Availability & incident response

    Trust center lists a public Status Page, DoS Protection, Data Redundancy, a Business Continuity Plan, a Disaster Recovery Plan, and an Incident Response Plan as active controls/documents.

    trust.smartrecruiters.com

    Independent security testing

    Trust center document library includes multiple third-party penetration test and DAST reports: 'Security Testing Report SmartRecruiters App 01.2026', 'Penetration Test Report_Smartrecruiters_Mobile app_29-DEC-2025', 'Detectify_DAST_ExecutiveSummary_smartrecruiters-com_2025-03-13', and a retest report, all gated behind request access.

    trust.smartrecruiters.com

    AI-specific security/quality testing

    Trust center lists AI red-team/quality reports gated behind request access, including 'Vijil Trust Report: Winston Chat', 'Winston Interview: Protection against Impersonation Attack', and 'Winston Interview: Using AWS Key Management Service (KMS) to Encrypt PII Data'.

    trust.smartrecruiters.com

    // Products & data scope

    SmartRecruiters core ATS / SmartOSEnterprise talent acquisition suite

    data: Candidate PII, resumes/applications, employee/recruiter accounts, hiring workflow data

    The certifications above (SOC 2 Type 2, ISO 27001, ISO 22301, TISAX, UK Cyber Essentials) apply at the company/trust-center level and are presented as covering the core platform.

    Winston (AI layer: Match, Screen, Companion, Chat, Interview)AI-powered recruiting features built on third-party foundation models

    data: Candidate data processed through AI features for matching, screening, conversational interaction, and interview support; uses foundation models from Anthropic (Claude) and Google (Gemini) per GPAI training-data-template documents in the trust center

    Has dedicated AIIA (Algorithmic Impact Assessment) and DPIA documents per sub-feature, gated behind request access. AI training-on-customer-data posture could not be independently confirmed; see privacy.ai_training_note.

    Attrax (career sites)Career site / employer branding product

    data: Public-facing career site content and candidate-facing application flows

    Referenced in a trust center document ('Report_SmartRecruiters_Attrax.pdf') as a distinct sub-product with its own security test report.

    SmartRecruiters for SAP SuccessFactorsEnterprise integration bundle

    data: Same candidate/hiring data as core ATS, natively integrated with SAP SuccessFactors HR data

    Homepage markets this as 'SmartRecruiters, part of SAP SuccessFactors -- best-of-breed recruiting, natively integrated with SAP,' reflecting the SAP acquisition; relevant for enterprise buyers already on SAP SuccessFactors.

    // What to watch

    • AI training posture unconfirmed: could not obtain a direct vendor-page quote (as opposed to a secondary/search-engine-synthesized claim) confirming whether candidate data is used to train Winston's AI models, or whether an opt-out exists. Flag for follow-up before publishing an explicit 'does not train on your data' claim.
    • ISO/IEC 42001 (AI management system) appears as a document title in the trust center's file library but is NOT included in the profile's headline Certifications badges (TISAX, CCPA, SOC 2 Type 2, ISO-27001, UK Cyber Essentials) -- graded held=false to avoid over-claiming an unconfirmed/in-scope-only AI cert; recommend a direct vendor confirmation before listing ISO 42001 as held.
    • CCPA is listed by the vendor's trust-center platform (SecurityPal) alongside true certifications (SOC 2, ISO 27001) even though CCPA is a legal/regulatory framework rather than an auditable certification -- listed for completeness but should be labeled as a compliance posture, not a cert, in any UI.
    • Company was acquired by SAP; some enterprise buyers may conflate SmartRecruiters' standalone trust posture with SAP's much larger compliance program (e.g. SAP-wide FedRAMP/ISO scopes) -- these are not the same and only the SmartRecruiters-specific trust center evidence above should be cited for the SmartRecruiters product.

    // At a glance

    Pricing model

    Enterprise sales-led (contact/quote-based); no self-serve public pricing found on the pages reviewed

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on SmartRecruiters, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    trust.smartrecruiters.com

    > Browse all vendor trust reports