// Trust & Security Report
Workable Technology Limited
AI-powered Recruiting and HR Platform
Certifications held
7
Maturity
Enterprise
Trains on your data
Yes
Trust center
Yes
// Certification ledger
Each held certification is backed by a verbatim quote from the vendor's own trust or security page. “Not confirmed” means we could not verify it publicly, not that the vendor lacks it.
Verify on workable.com“ISO/IEC 27001 — Information Security Management System (ISMS) — Download certificate”
Verify on workable.com“ISO/IEC 27017 — Security Controls for the Provision and Use of Cloud Services — Download certificate”
Verify on workable.com“SOC 2 (Type II) — Trust Services Principles — Contact us for access”
Verify on workable.com“Workable automates privacy policy distribution, data retention, and candidate data deletion requests.”
Verify on workable.com“Workable automatically manages data handling and privacy policy access in line with CCPA requirements.”
Verify on workable.com“Workable Agent has been developed to be fully compliant with upcoming AI regulations such as the EU AI Act, and is transparent by design.”
> Show 1 unconfirmed / not-held certifications
// Privacy & AI training
Trains on customer data
Yes
Data processing agreement
Offered
Data region
United Kingdom, United States, Greece (per DPA Exhibit A, Section 8). Primary hosting is US-based per privacy policy. EU SCCs Module Two and UK Addendum in place for cross-border transfers.
Workable's Terms (Section 12.5) permit use of 'aggregated data derived from the Customer's use of the Services to further develop and improve the Services,' with the restriction that this data 'does not include any information that identifies the Customer or any individual.' Their AI page additionally states: 'Workable's AI tools are trained using implicit or explicit feedback from daily user interactions and analyzing why candidates are hired or moved through the hiring stages.' No opt-out mechanism exists for this aggregated training data use. Customer-identifiable data is not sold to third parties.
// Security controls
24/7 Monitoring
24/7/365 security monitoring of all production resources with automated alerts ensuring immediate response to security events.
workable.comWeb Application Firewall
Industry-leading protection through web application firewalls, DDoS prevention, and hardened TLS configuration.
workable.comCI/CD Vulnerability Scanning
All new features undergo security validation with automated vulnerability scanning in the CI/CD pipeline.
workable.comPartner Security Assessments
Annual scoped technical assessments conducted by Google, LinkedIn, ADP, and Zoom to maintain integration partnerships.
workable.comVulnerability Disclosure Program
Internal VDP at vdp.workable.com. 'We welcome external feedback and encourage everyone to report bugs. All reports are then processed internally.' Not hosted on HackerOne or Bugcrowd.
workable.comPenetration Testing
Not explicitly disclosed on public security page. Security team operates 'security assessment and simulation' as one of four stated pillars, which may include pen testing, but no public cadence or third-party attestation is stated.
workable.comAudit Trail
Full audit trail: every agent action logged, permissioned and reviewable. Model, agent, or human actions all write to the same trail.
workable.com// Products & data scope
data: Candidate PII, job applications, recruiter activity, compensation data, offer letters, e-signatures, background check integrations. Workable is data processor; customer is data controller for candidate data.
Core product. Posts to 200+ job boards. Integrates with 270+ tools. LinkedIn Preferred Partner and Indeed Platinum Partner. SOC 2 Type II and ISO 27001 apply.
data: Access to 400M+ candidate profiles from third-party sources. Processes candidate data for automated sourcing, screening, and outreach. Uses interaction feedback data (anonymized) to improve AI models.
Launched 2026. EU AI Act compliance claimed. Scores on job criteria, not demographics. Every candidate action is logged. Inherits customer's security and access model. Uses third-party LLMs (disclosed in Terms Section 5.3.3) without specifying which providers.
data: Employee records, onboarding documents, performance reviews, time off, attendance, payroll reporting data, e-signatures, org chart. Employer is data controller.
Includes self-service employee portal, digital document management, 360 performance reviews. Payroll reporting only (not payroll processing). Mobile app on iOS and Android.
data: Job seeker account data, application data. Workable acts as data controller for job board users who create accounts; employer acts as controller when candidates apply.
Separate privacy policy applies: workable.com/candidate-privacy. Job seekers have distinct rights under this policy.
data: Full read/write access to ATS and HR data via REST API and MCP. Third-party agents inherit same access controls and permissions as human users.
MCP-native. Supports headless operation. All agent actions logged identically to human actions. Webhooks for real-time events. Documented at developer docs.
// What to watch
- AI trains on anonymized aggregate customer interaction data by default with no opt-out: Terms Section 12.5 permits use of 'aggregated data derived from the Customer's use of the Services to further develop and improve the Services.'
- AI page states models are 'trained using implicit or explicit feedback from daily user interactions' — candidates hired or moved through stages. Confirming interaction-level feedback feeds model improvement.
- Data hosted across US, UK, and Greece — no documented option for single-region EU-only data residency.
- Vulnerability Disclosure Program is self-hosted and processed internally (vdp.workable.com). Not on HackerOne or Bugcrowd, limiting researcher visibility and third-party validation.
- Third-party LLMs used in AI features (Terms Section 5.3.3) without public disclosure of which providers, making supply-chain AI risk assessment difficult.
- No explicit public penetration testing disclosure or cadence stated despite enterprise certification posture.
// At a glance
Pricing model
Subscription (SaaS). 15-day free trial available, no credit card required. Tier details not publicly listed; demo required for enterprise pricing.
Self-hostable
No
// How we verified this
Every certification marked HELD is confirmed against a verbatim quote on Workable Technology Limited's own trust, security, or privacy pages. We reject certifications claimed only on third-party aggregators, on a cloud host's behalf, or by a similarly named company.
Last verified 2026-06-27. Compliance changes over time. Always confirm directly with the vendor before relying on any certification for a purchasing or compliance decision.
workable.com