// Trust & Security Report
SmartRecruiters, Inc.
SmartRecruiters Talent Acquisition Suite (enterprise ATS/hiring platform, now marketed as "SmartOS") including the Winston AI layer sub-products (Winston Match, Winston Screen, Winston Companion, Winston Chat, Winston Interview) and the Attrax career-site product; SmartRecruiters was acquired by SAP and is positioned as "part of SAP SuccessFactors" for enterprise natively-integrated deployments.
Certifications held
7
Maturity
Enterprise
Trains on your data
Unknown
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on trust.smartrecruiters.com“Certifications: TISAX, CCPA, SOC 2 Type 2, ISO-27001, UK Cyber Essentials ... Documents: SOC 2 Type 2 Attestation Issued 8-January-2026 / SOC 2 Type 2 Report Issued 8-January-2026”
Verify on trust.smartrecruiters.com“ISO 27001:2022 Certificate Valid 2025-09-03 to 2028-09-02”
Verify on trust.smartrecruiters.com“Smartrecruiters ISO 22301:2019 Certificate”
Verify on trust.smartrecruiters.com“TISAX - Scope S67CLK Assessment (document listed under the profile's TISAX certification)”
Verify on trust.smartrecruiters.com“Certifications: TISAX, CCPA, SOC 2 Type 2, ISO-27001, UK Cyber Essentials”
Verify on smartrecruiters.com“SmartRecruiters commits to comply with the EU-U.S. DPF, UK Extension to the EU-U.S. DPF, and Swiss-U.S. DPF ... cooperates with EU data protection authorities and the UK Information Commissioner's Office regarding complaints about handling of human resources data.”
> Show 5 unconfirmed / not-held certifications
source: trust.smartrecruiters.comA document titled 'ISO 42001 Certification' is listed as a request-access file in the trust center's document library, but ISO 42001 does not appear in the profile's headline Certifications list (TISAX, CCPA, SOC 2 Type 2, ISO-27001, UK Cyber Essentials) and no issued/valid certificate date is shown publicly, so this cannot be confirmed as a held certification versus an in-progress or scoped document.
source: trust.smartrecruiters.comNo public evidence: HIPAA is not listed in the trust center's certifications or documents, and is not mentioned on the general or candidate privacy policy pages. Not typically applicable to a recruiting/ATS platform, which does not process PHI.
source: trust.smartrecruiters.comNo public evidence: not listed among trust center certifications or documents. SmartRecruiters is a recruiting/ATS platform and does not appear to process cardholder payment data directly.
source: trust.smartrecruiters.comNo public evidence found in the trust center or on smartrecruiters.com pages reviewed.
source: trust.smartrecruiters.comNo public evidence found in the trust center or on smartrecruiters.com pages reviewed.
// Privacy & AI training
Trains on customer data
Not stated
Data processing agreement
Offered
Data region
Personal data is reported to be processed by SmartRecruiters' hosting subprocessor on AWS infrastructure located in Germany for EU customers, with SmartRecruiters positioning itself as supporting compliant recruiting in over 100 countries via configurable data retention settings; a Data Processing Addendum (SmartRecruiters-with-Customers, GDPR) is published for customers.
The trust center's document library lists multiple AI-governance artifacts gated behind 'Request access' -- Algorithmic Impact Assessments (AIIA) and Data Protection Impact Assessments (DPIA) for Winston Match, Winston Screen, Winston Companion, Winston Chat and Winston Interview, plus 'General Purpose AI (GPAI) Training Data Template' documents naming the underlying foundation models used (Claude Sonnet 3.5/3.7/4.0, Gemini 2.0 Flash/2.5 Pro) -- indicating formal documentation of what training data feeds those third-party foundation models. A general web search surfaced an unverified secondary claim that SmartRecruiters 'anonymizes every piece of candidate data used to train their models' and offers an 'AI Control Center' for customers to govern what Winston 'sees, learns, and acts on,' but this could not be confirmed with a direct quote from a fetched vendor page (the AI whitepaper PDF and the Winston/AI-recruiting-technology marketing pages did not yield the claim on direct fetch, one returned 403). Neither the general privacy policy nor the candidate privacy policy explicitly states whether candidate data trains AI models or names an opt-out mechanism. Treat as unconfirmed pending direct document review or vendor follow-up.
// Security controls
Encryption in transit
Listed as an active control in the trust center: 'Data Security ... Data Encrypted In-Transit'.
trust.smartrecruiters.comEncryption at rest
Listed as an active control in the trust center: 'Data Security ... Data Encrypted At-Rest'.
trust.smartrecruiters.comAuthentication
'Product Security ... Multi-Factor Authentication, Audit Logs, SSO' listed as active controls.
trust.smartrecruiters.comOrganizational security
'Organizational Security ... Device Encryption, Background Checks, Secure Remote Network Access' listed as active controls.
trust.smartrecruiters.comAvailability & incident response
Trust center lists a public Status Page, DoS Protection, Data Redundancy, a Business Continuity Plan, a Disaster Recovery Plan, and an Incident Response Plan as active controls/documents.
trust.smartrecruiters.comIndependent security testing
Trust center document library includes multiple third-party penetration test and DAST reports: 'Security Testing Report SmartRecruiters App 01.2026', 'Penetration Test Report_Smartrecruiters_Mobile app_29-DEC-2025', 'Detectify_DAST_ExecutiveSummary_smartrecruiters-com_2025-03-13', and a retest report, all gated behind request access.
trust.smartrecruiters.comAI-specific security/quality testing
Trust center lists AI red-team/quality reports gated behind request access, including 'Vijil Trust Report: Winston Chat', 'Winston Interview: Protection against Impersonation Attack', and 'Winston Interview: Using AWS Key Management Service (KMS) to Encrypt PII Data'.
trust.smartrecruiters.com// Products & data scope
data: Candidate PII, resumes/applications, employee/recruiter accounts, hiring workflow data
The certifications above (SOC 2 Type 2, ISO 27001, ISO 22301, TISAX, UK Cyber Essentials) apply at the company/trust-center level and are presented as covering the core platform.
data: Candidate data processed through AI features for matching, screening, conversational interaction, and interview support; uses foundation models from Anthropic (Claude) and Google (Gemini) per GPAI training-data-template documents in the trust center
Has dedicated AIIA (Algorithmic Impact Assessment) and DPIA documents per sub-feature, gated behind request access. AI training-on-customer-data posture could not be independently confirmed; see privacy.ai_training_note.
data: Public-facing career site content and candidate-facing application flows
Referenced in a trust center document ('Report_SmartRecruiters_Attrax.pdf') as a distinct sub-product with its own security test report.
data: Same candidate/hiring data as core ATS, natively integrated with SAP SuccessFactors HR data
Homepage markets this as 'SmartRecruiters, part of SAP SuccessFactors -- best-of-breed recruiting, natively integrated with SAP,' reflecting the SAP acquisition; relevant for enterprise buyers already on SAP SuccessFactors.
// What to watch
- AI training posture unconfirmed: could not obtain a direct vendor-page quote (as opposed to a secondary/search-engine-synthesized claim) confirming whether candidate data is used to train Winston's AI models, or whether an opt-out exists. Flag for follow-up before publishing an explicit 'does not train on your data' claim.
- ISO/IEC 42001 (AI management system) appears as a document title in the trust center's file library but is NOT included in the profile's headline Certifications badges (TISAX, CCPA, SOC 2 Type 2, ISO-27001, UK Cyber Essentials) -- graded held=false to avoid over-claiming an unconfirmed/in-scope-only AI cert; recommend a direct vendor confirmation before listing ISO 42001 as held.
- CCPA is listed by the vendor's trust-center platform (SecurityPal) alongside true certifications (SOC 2, ISO 27001) even though CCPA is a legal/regulatory framework rather than an auditable certification -- listed for completeness but should be labeled as a compliance posture, not a cert, in any UI.
- Company was acquired by SAP; some enterprise buyers may conflate SmartRecruiters' standalone trust posture with SAP's much larger compliance program (e.g. SAP-wide FedRAMP/ISO scopes) -- these are not the same and only the SmartRecruiters-specific trust center evidence above should be cited for the SmartRecruiters product.
// At a glance
Pricing model
Enterprise sales-led (contact/quote-based); no self-serve public pricing found on the pages reviewed
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on SmartRecruiters, Inc.'s own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
trust.smartrecruiters.com