// Trust & Security Report

    Workable Technology Limited logo

    Workable Technology Limited

    AI-powered Recruiting and HR Platform

    Certifications held

    7

    Maturity

    Enterprise

    Trains on your data

    Yes

    Trust center

    Yes

    // Certification ledger

    Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.

    ISO/IEC 27001
    HELD

    ISO/IEC 27001 — Information Security Management System (ISMS) — Download certificate

    Verify on workable.com
    ISO/IEC 27017
    HELD

    ISO/IEC 27017 — Security Controls for the Provision and Use of Cloud Services — Download certificate

    Verify on workable.com
    SOC 2 Type II
    HELD

    SOC 2 (Type II) — Trust Services Principles — Contact us for access

    Verify on workable.com
    SOC 3
    HELD

    SOC 3 — Service organization controls — Download certificate

    Verify on workable.com
    GDPR Compliance
    HELD

    Workable automates privacy policy distribution, data retention, and candidate data deletion requests.

    Verify on workable.com
    CCPA Compliance
    HELD

    Workable automatically manages data handling and privacy policy access in line with CCPA requirements.

    Verify on workable.com
    EU AI Act Compliance
    HELD

    Workable Agent has been developed to be fully compliant with upcoming AI regulations such as the EU AI Act, and is transparent by design.

    Verify on workable.com
    > Show 1 unconfirmed / not-held certifications
    HIPAA
    NOT CONFIRMED

    // Privacy & AI training

    Trains on customer data

    Yes

    Data processing agreement

    Offered

    Data region

    United Kingdom, United States, Greece (per DPA Exhibit A, Section 8). Primary hosting is US-based per privacy policy. EU SCCs Module Two and UK Addendum in place for cross-border transfers.

    Workable's Terms (Section 12.5) permit use of 'aggregated data derived from the Customer's use of the Services to further develop and improve the Services,' with the restriction that this data 'does not include any information that identifies the Customer or any individual.' Their AI page additionally states: 'Workable's AI tools are trained using implicit or explicit feedback from daily user interactions and analyzing why candidates are hired or moved through the hiring stages.' No opt-out mechanism exists for this aggregated training data use. Customer-identifiable data is not sold to third parties.

    // Security controls

    24/7 Monitoring

    24/7/365 security monitoring of all production resources with automated alerts ensuring immediate response to security events.

    workable.com

    Web Application Firewall

    Industry-leading protection through web application firewalls, DDoS prevention, and hardened TLS configuration.

    workable.com

    CI/CD Vulnerability Scanning

    All new features undergo security validation with automated vulnerability scanning in the CI/CD pipeline.

    workable.com

    Partner Security Assessments

    Annual scoped technical assessments conducted by Google, LinkedIn, ADP, and Zoom to maintain integration partnerships.

    workable.com

    Vulnerability Disclosure Program

    Internal VDP at vdp.workable.com. 'We welcome external feedback and encourage everyone to report bugs. All reports are then processed internally.' Not hosted on HackerOne or Bugcrowd.

    workable.com

    Penetration Testing

    Not explicitly disclosed on public security page. Security team operates 'security assessment and simulation' as one of four stated pillars, which may include pen testing, but no public cadence or third-party attestation is stated.

    workable.com

    Audit Trail

    Full audit trail: every agent action logged, permissioned and reviewable. Model, agent, or human actions all write to the same trail.

    workable.com

    Security White Paper

    Available for download from the security page.

    workable.com

    // Products & data scope

    Workable ATSApplicant Tracking System

    data: Candidate PII, job applications, recruiter activity, compensation data, offer letters, e-signatures, background check integrations. Workable is data processor; customer is data controller for candidate data.

    Core product. Posts to 200+ job boards. Integrates with 270+ tools. LinkedIn Preferred Partner and Indeed Platinum Partner. SOC 2 Type II and ISO 27001 apply.

    Workable AgentAI Recruiting Agent

    data: Access to 400M+ candidate profiles from third-party sources. Processes candidate data for automated sourcing, screening, and outreach. Uses interaction feedback data (anonymized) to improve AI models.

    Launched 2026. EU AI Act compliance claimed. Scores on job criteria, not demographics. Every candidate action is logged. Inherits customer's security and access model. Uses third-party LLMs (disclosed in Terms Section 5.3.3) without specifying which providers.

    Workable HRHuman Resources Information System (HRIS)

    data: Employee records, onboarding documents, performance reviews, time off, attendance, payroll reporting data, e-signatures, org chart. Employer is data controller.

    Includes self-service employee portal, digital document management, 360 performance reviews. Payroll reporting only (not payroll processing). Mobile app on iOS and Android.

    Workable Job BoardPublic Job Listing Platform

    data: Job seeker account data, application data. Workable acts as data controller for job board users who create accounts; employer acts as controller when candidates apply.

    Separate privacy policy applies: workable.com/candidate-privacy. Job seekers have distinct rights under this policy.

    Workable API / MCPDeveloper Platform

    data: Full read/write access to ATS and HR data via REST API and MCP. Third-party agents inherit same access controls and permissions as human users.

    MCP-native. Supports headless operation. All agent actions logged identically to human actions. Webhooks for real-time events. Documented at developer docs.

    // What to watch

    • AI trains on anonymized aggregate customer interaction data by default with no opt-out: Terms Section 12.5 permits use of 'aggregated data derived from the Customer's use of the Services to further develop and improve the Services.'
    • AI page states models are 'trained using implicit or explicit feedback from daily user interactions' — candidates hired or moved through stages. Confirming interaction-level feedback feeds model improvement.
    • Data hosted across US, UK, and Greece — no documented option for single-region EU-only data residency.
    • Vulnerability Disclosure Program is self-hosted and processed internally (vdp.workable.com). Not on HackerOne or Bugcrowd, limiting researcher visibility and third-party validation.
    • Third-party LLMs used in AI features (Terms Section 5.3.3) without public disclosure of which providers, making supply-chain AI risk assessment difficult.
    • No explicit public penetration testing disclosure or cadence stated despite enterprise certification posture.

    // At a glance

    Pricing model

    Subscription (SaaS). 15-day free trial available, no credit card required. Tier details not publicly listed; demo required for enterprise pricing.

    Self-hostable

    No

    // How we verified this

    Every certification marked HELD is confirmed against a verbatim quote on Workable Technology Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.

    Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.

    workable.com

    > Browse all vendor trust reports