We care about security

Our customers trust us with their sensitive data, and we take keeping it safe seriously. Greenhouse is ISO 27001:2013 and ISO 27701:2019 certified and undergoes SOC 1 and SOC 2 Type II audits annually. Achieving ISO 27001:2013, ISO 27701:2019, SOC 1 and SOC 2 compliance provides assurance, verified by third-party auditors, that Greenhouse has an effective security and privacy program — meaning your data is always protected.

Greenhouse security certification

Our certification

Greenhouse is also proud to be one of the very first ATS companies to achieve ISO 27701:2019 certification. As a data privacy extension of our existing ISO 27001:2013 compliance framework, ISO 27701:2019 provides a mapping of controls and requirements that align with GDPR and other data privacy regulations.

Our infrastructure

Greenhouse’s computing infrastructure is provided by Amazon Web Services, a secure cloud services platform. Amazon’s physical infrastructure has been accredited under ISO 27001:2013, SOC 1/SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate and Sarbanes-Oxley.

We created a secure multi-tier network environment on top of Amazon’s infrastructure to make sure our applications and data are protected and always accessible. Access to our infrastructure is tightly controlled and monitored. In addition to strong security controls, we make sure that the data we collect remains available through full daily backups, which are retained for 30 days and tested weekly.

Greenhouse complies with its obligations as a data processor under the GDPR – read this support article to learn more.

Our applications

We use secure coding practices and ensure we’re, at minimum, protected against the OWASP Top 10. All Greenhouse applications undergo frequent third-party security assessments to catch any missed security bugs. We even have a “bug bounty” program in which we pay hackers to responsibly report bugs they find in our applications.

The communication between your employees and our servers is encrypted with 128-bit SSL/TLS encryption. All user passwords are securely hashed; passwords are never stored in plain text. All data access is protected by a role-based access-control mechanism, which only lets users view data for which they have permission. It’s impossible for users to view data from organizations other than their own.

Our internal processes

Only authorized employees have access to our production infrastructure, and they must use strong authentication. We limit access to customer data to the employees who need it to provide support and troubleshooting on the customer’s behalf. Customer data is accessed solely on an as-needed basis, and only when approved by the customer (e.g. as part of a support request) or to provide proactive support and maintenance.

Through our security bug bounty program, we collaborate with security researchers worldwide to identify and mitigate security vulnerabilities in our platform. If you believe you have found a security issue, you can submit a report to our security team here. If we confirm the security issue and it's within our guidelines, we'll send you a reward.