Enterprise-grade from the database up.
Your data stays in its own walls. Every AI output stays a recommendation to a human. And the artifacts your auditors ask for are already in the product — built to pass a serious security review.
Three commitments we hold structurally.
- 01. A human stays on the decision. Every AI output is a recommendation displayed to a person — read, weighed, acted on at their discretion. No auto-reject, no auto-advance, no auto-hire anywhere in the product. It’s an architectural constraint, not a setting that could flip off by accident.
- 02. Your data is yours. Never sold. Never pooled with another customer’s. Never used to train a shared or cross-customer model. The calibration that tunes CertAIn to your team lives in your account, on your data, isolated to your tenant.
- 03. Tenant isolation is enforced at the data layer. Isolation lives in the database itself — not just the application — so a missed filter fails closed and returns nothing rather than leaking.
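The fail-closed behaviour described above is what database-level row security gives you. The following is an added illustration, not CertAIn's own schema or code: it assumes PostgreSQL, a hypothetical `candidates` table keyed by `tenant_id`, an application role named `app_user`, and a per-transaction setting `app.tenant_id` that the application pins for every request.

```sql
-- Added example (not the product's schema): tenant isolation enforced with
-- PostgreSQL row-level security, so a query that forgets the tenant filter
-- returns nothing instead of another tenant's rows.

CREATE TABLE candidates (
    id         bigserial PRIMARY KEY,
    tenant_id  uuid NOT NULL,
    full_name  text NOT NULL,
    stage      text NOT NULL DEFAULT 'applied'
);

-- The application connects as a role that does not own the table, so the
-- policies below apply to it. FORCE also applies them to the owner, which
-- closes the gap where migrations or admin tooling run as the owner.
CREATE ROLE app_user NOLOGIN;
GRANT SELECT, INSERT, UPDATE ON candidates TO app_user;
ALTER TABLE candidates ENABLE ROW LEVEL SECURITY;
ALTER TABLE candidates FORCE ROW LEVEL SECURITY;

-- NULLIF covers both "never set" (current_setting returns NULL with
-- missing_ok = true) and "set earlier in this session, now empty".
-- A NULL comparison is never true, so no tenant means no rows.
CREATE POLICY tenant_isolation ON candidates
    FOR ALL TO app_user
    USING      (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid)
    WITH CHECK (tenant_id = NULLIF(current_setting('app.tenant_id', true), '')::uuid);

-- Per request, the application pins the tenant for this transaction only
-- (SET LOCAL is discarded at COMMIT/ROLLBACK, so it cannot leak into a
-- pooled connection reused by the next request). Constructed sample value.
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
SELECT id, full_name, stage FROM candidates;   -- only this tenant's rows
COMMIT;

-- WITH CHECK also blocks writes that would land in another tenant's data:
-- this INSERT is rejected because the row's tenant_id does not match the
-- pinned tenant (the statement fails rather than silently succeeding).
BEGIN;
SET LOCAL app.tenant_id = '11111111-1111-1111-1111-111111111111';
INSERT INTO candidates (tenant_id, full_name)
VALUES ('22222222-2222-2222-2222-222222222222', 'Example Person');
ROLLBACK;

-- The "missed filter" case: no WHERE clause and no tenant pinned.
-- As app_user this returns 0, not every tenant's candidate count.
SELECT count(*) FROM candidates;
```

The point a reviewer should check is the last statement: run it as the application role with the setting unset and confirm it returns zero rows, then run it as a superuser to confirm that bypassing RLS is limited to roles the application never uses.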
Built for the regulations your team faces.
In AI-assisted hiring the employer is the regulated party. CertAIn supports your AEDT, AIVIA, and EU AI Act review with the artifacts that work needs, shipping in the product today: a demographic-free bias-audit export your auditor can run an impact-ratio analysis against, and a tenant-editable candidate disclosure notice you deliver in your own flow. Human review is the architectural default behind all three frameworks.
We supply the human-oversight posture and the audit inputs. Attestations, conformity assessments, and final audits stay with your auditor.
How we handle your data.
- Encrypted in transit and at rest. Integration credentials carry an extra layer of application-level encryption with key rotation.
- Encrypted file storage, isolated per customer. Resumes and photos live on encrypted persistent disk, partitioned per tenant, validated on upload.
- A human always decides. No AI output changes a candidate’s state on its own — acting on a recommendation is a deliberate, logged human choice.
- US-region today. EU-region infrastructure ships with the first enterprise agreement that requires it.
SOC 2.
The controls a SOC 2 audit examines — tenant isolation, access control, audit logging, secret rotation, backup and recovery — are documented and operating now, enforced by our build pipeline rather than by memory. An independent SOC 2 Type I audit is targeted for Q3 2026, with Type II to follow after the observation window. Need the control documentation and timeline before close? We share both under NDA as part of your security review.
The depth your reviewer needs.
Incident response.
Confirmed security incidents are disclosed to affected tenants without undue delay, followed by a written post-mortem with corrective actions. Security contact: security@certainhr.ai — a member of the team responds directly.