Confeticonfeti
Security

Built for sensitive dataand real audits.

RecruitOS handles candidate information, interview recordings, and hiring decisions. We're CASA Tier 2 verified and ESOF Shield certified, with SOC 2–aligned controls across the platform.

ESOF Verified and Secured — assessed by TAC Security, ADA CASA Assessor

ESOF Shield Certified

CASA Tier 2 verified May 15, 2026 through Cloud Application Security Assessment. Trust Center →

Security Pillars

Enterprise-grade from day one

Four pillars that underpin every layer of the platform — verified application security, SOC 2 readiness, AI governance, and data privacy.

CASA Verified

RecruitOS completed Google CASA Tier 2 (lab-tested, lab-verified) through TAC Security, an authorized App Defense Alliance assessor. ESOF Shield certification validates our application security for sensitive data and Google API integrations.

Tier 2 · Verified May 15, 2026
ESOF Shield Certified
Assessed by TAC Security
Annual revalidation under App Defense Alliance

SOC 2 readiness

Security policies, access controls, logging, and operational practices are designed around SOC 2 Type II criteria. Formal SOC 2 attestation is planned; CASA Tier 2 verification already covers overlapping application-security requirements.

Controls for candidate and interview data
Change management and incident response
Continuous monitoring and alerting
Company-level data isolation

AI Governance

Our AI systems are auditable, explainable, and designed with governance artifacts aligned to recognized frameworks.

NIST AI Risk Management Framework
EU AI Act preparedness
NYC AEDT compliance alignment
Bias monitoring and model auditing

Data Privacy

Privacy is built into the product architecture — not bolted on after the fact. Candidate data is treated with the highest care.

Encryption at rest and in transit
Role-based access controls (RBAC)
Data retention and deletion policies
Candidate consent flows
Core Controls

Practical safeguards, every day

The technical controls that protect data across the platform — from authentication to data isolation.

01

Audit Logging

Full audit trail for authentication, data access, security events, and API activity — queryable and exportable.

02

Rate Limiting

Configurable limits across all API surfaces to protect against brute force, abuse, and automated attacks.

03

Session Management

Session controls designed for compliance: configurable timeouts, token rotation, and real-time activity tracking.

04

RBAC & Isolation

Role-based access control with company-level data isolation across jobs, candidates, interviews, and recordings.

05

SSO & SCIM

Enterprise SSO integration and SCIM provisioning for automated user lifecycle management across your org.

06

Incident Response

Documented incident response procedures with defined escalation paths, communication protocols, and post-incident review.

Need security details?

We can share a detailed overview of controls, compliance artifacts, and help align to your security review process.