Security & compliance

Built for the audit.

Hiring data is some of the most sensitive data your company holds. Staffer’s security model is built for that reality, not retrofitted around it.


How we protect your data.

01

Infrastructure

Built on enterprise-grade cloud infrastructure inside the EU.

02

Application security

Layered defenses across our code, dependencies, and supply chain.

03

Data protection

Customer data is encrypted, kept inside the EU, and never used to train shared models.

04

Identity & access

Sign in with Microsoft, Google, or LinkedIn. Invite-only access — no domain lock, regardless of email. MFA enforced for staff; just-in-time employee access.

05

AI safety

Every score has a reasoning trace. Bias-tested per rubric, quarterly. Designed to meet EU AI Act high-risk system requirements.

06

Human in the loop

Every shortlist, outreach, and offer is gated to a named person. No automated hiring decisions, ever.

Certifications

Where we stand.

GDPR is certified and continuous today. SOC 2 Type II, ISO/IEC 27001, and the EU AI Act conformity assessment are underway — controls implemented and evidence being collected. HIPAA is available on Enterprise on request.

Status       | Standard       | Scope                                        | Timing
Certified    | GDPR           | Articles 5–37 + DPIA                         | Continuous
In progress  | SOC 2 Type II  | Security, Availability, Confidentiality      | Type I report targeted Q3 2026
In progress  | ISO/IEC 27001  | ISMS, full platform                          | Stage 1 audit Q4 2026
In progress  | EU AI Act      | High-risk system, Annex III                  | Conformity assessment in progress, 2026
Planned      | HIPAA          | Available on Enterprise                      | On request

GDPR reports are available today. SOC 2 / ISO 27001 evidence packages and the audit roadmap are shared under NDA. Email security@staffer.com.

Questions, answered straight.

The questions we get most often from security, legal, and procurement teams. If yours isn’t here, ask us.

  • Where is my data stored?

    In AWS eu-west-1 with cross-region replication to eu-north-1. Customer data stays inside the EU by default; US residency is available on Enterprise.

  • Do you train AI models on my data?

    No. Customer data is tenant-isolated and never used to train shared or third-party models. Models are trained on public-source and licensed data only.

  • Who inside Staffer can access my data?

    Access is just-in-time and audited. Only on-call engineers can elevate access, and only when a customer-authorized ticket requires it. All access is logged.

  • How long do you keep my data?

    For as long as you have an active subscription. After cancellation, data is retained for 30 days for restoration, then permanently deleted (including backups within 90 days).

  • Are sub-processors disclosed?

    Yes. The full list is published in the trust pack and available on request. We give 30 days' notice for additions or changes, with the right to object.

  • How do you handle data breaches?

    Named on-call rotation. Controllers are notified within 72 hours per GDPR Article 33. Post-mortems are blameless and shared publicly together with the fix.

Your data, your call

Delete my data.

You own your data. Under GDPR Article 17 and equivalent global rights, you can request deletion at any time — whether you’re a customer, a candidate, or someone whose profile we’ve indexed from public sources.

Quick request

Open a pre-formatted email and we’ll handle the rest.

  1. Email us at privacy@staffer.com from the address tied to your data — or include enough identifiers for us to verify your request.
  2. We acknowledge within 72 hours and verify your identity. No automated forms — a named human handles every request.
  3. Deletion within 30 days of verification across active systems; backups purged within 90 days. We send written confirmation when complete.

Disclosure

Found something? We want to hear.

Email security@staffer.com with the subject [VULN]. We acknowledge within 24 hours, triage within 72.