What Your ATS Actually Stores — And Why It Matters
Most HR professionals think of their ATS primarily as a workflow tool — a system for moving candidates through a pipeline, scheduling interviews, and communicating with hiring managers. What they less often consider is the cumulative value and sensitivity of the data that accumulates in that system over time.
An active ATS at a company hiring 50 to 100 people per year will accumulate tens of thousands of candidate records within a few years of operation. Each record may contain: a CV with full employment history and education details; contact information including home address, phone number, and personal email; interview notes containing evaluators' assessments and opinions; psychological assessment results or technical test scores; salary expectations and negotiation history; and in some cases, sensitive category data if equality monitoring information was collected.
By any measure this is a significant dataset: the kind that attracts regulatory scrutiny in the event of a breach and causes real harm to the individuals affected. Yet ATS security is rarely given the same due diligence as, say, financial systems or customer data platforms. The assumption that "it's just a recruitment tool" consistently leads companies to underweight the security and privacy requirements that should apply to candidate data systems.
The GDPR makes the legal position clear: candidate data is personal data subject to the full protections of the regulation. The companies that collect and process it are data controllers with obligations to protect it. The ATS vendors that store and process it on their behalf are data processors with their own obligations. Choosing an ATS without rigorous security evaluation is choosing to expose your company — and the candidates who trusted you with their information — to avoidable risk.
The Breach Risk Is Real
Recruitment data is a high-value target for bad actors. CVs contain the kind of personally identifiable information useful for identity fraud, phishing attacks, and social engineering, and a CV combined with interview notes and salary history gives an attacker a convincing pretext for targeting either the candidate or the company. A breach of your ATS candidate database is a reportable personal data breach under GDPR: the supervisory authority must be notified within 72 hours of the controller becoming aware of it, affected individuals must be notified where the breach is likely to result in a high risk to them, and serious violations can attract fines of up to 4% of global annual turnover or EUR 20 million, whichever is higher.
10 Security Questions to Ask Any ATS Vendor
Evaluating ATS security does not require deep technical expertise. It requires asking the right questions and knowing what answers constitute acceptable responses. Here are the ten questions that should be on your security evaluation checklist for any ATS platform you are considering.
1. Where is candidate data stored, and in which jurisdictions? For European companies, data should be stored within the EEA or under adequate safeguards (Standard Contractual Clauses, adequacy decisions). Ask specifically about the cloud infrastructure used — AWS, Google Cloud, Azure — and the data centre regions involved. "Globally distributed" is not an acceptable answer for a European data controller.
2. What encryption standards are applied to data at rest and in transit? AES-256 is the expected standard for data at rest; TLS 1.2 or higher for data in transit, with older protocol versions disabled. Any vendor unable to confirm these clearly is a concern. Ask specifically whether encryption keys are managed by the vendor or can be customer-managed (the latter is preferable for sensitive data environments). Keep the limits of the control in view: encryption at rest with vendor-held keys protects against lost disks and decommissioned hardware, not against an attacker or insider who acts through the application itself, so it complements access control and audit logging rather than replacing them.
3. What certifications does the platform hold? ISO 27001 certification indicates a systematic approach to information security management; ask for the certificate's scope statement to confirm it covers the ATS service itself and its hosting, not only the vendor's offices. SOC 2 Type II is an auditor's attestation report rather than a certificate, and provides independent assurance that security and availability controls operated effectively over a review period. For European deployments, ask about GDPR compliance documentation and the vendor's Data Processing Agreement (DPA). A vendor who cannot produce a DPA is not meeting the GDPR Article 28 requirement for a written contract between controller and processor.
4. How is access to candidate data controlled within the platform? Role-based access control (RBAC) should allow you to limit which users can see which data. A recruiter should not necessarily have access to salary negotiation notes visible to the HR director. External collaborators (hiring managers, panel interviewers) should see only what is relevant to their specific evaluation tasks. Ask for a detailed explanation of the permission model and test it during your trial period.
5. What is the vendor's process for security incidents and breach notification? Under GDPR Article 33, a data processor must notify the data controller of a personal data breach without undue delay after becoming aware of it. Your own 72-hour deadline for notifying the supervisory authority runs from the moment you become aware, so a processor that takes days to tell you leaves little time to assess and report; in practice, contracts commit the vendor to notify within 24 to 72 hours. Ask for the vendor's documented incident response procedure and their contractual commitment to breach notification timescales. A vendor with no documented procedure is a red flag.
6. How is candidate data deletion handled? GDPR mandates that data is retained only for as long as necessary for the purpose for which it was collected. Your ATS must support automated data retention and deletion workflows: the ability to set retention periods per purpose (an unsuccessful application and a talent-pool entry will usually have different periods), flag records approaching deletion, and process erasure requests from individual candidates. Verify that deletion removes the whole record, including attachments, interview notes and search indexes, and ask how and when it propagates to backups. Most vendors cannot delete from immutable backups immediately, so expect a documented backup retention period after which the data is gone, and a commitment not to restore deleted records from backup.
7. Does the vendor conduct regular penetration testing? Reputable ATS vendors commission independent penetration testing at least annually. Ask for evidence of recent testing and — where possible — for the remediation summary. Vendors who cannot provide evidence of recent penetration testing have an unverified security posture.
8. How are integrations with third-party systems secured? Your ATS will likely integrate with job boards, calendar systems, video interview platforms, and communication tools. Each integration is a potential attack surface and, where candidate data leaves the ATS, a data flow that needs its own justification. Ask how API keys and OAuth tokens are stored and rotated, whether integrations can be granted narrowly scoped permissions rather than full account access, whether third-party integrations undergo security review, and what data is shared with each connected system. Review the list of active integrations during your trial and again in your annual audit, since tokens granted for a pilot tend to outlive it.
9. What is the data portability and export capability? You should be able to export your complete candidate data at any time, in a usable format. Vendor lock-in combined with poor data portability creates a situation where you cannot migrate away without losing your historical data — a data governance concern as well as a commercial one. Verify export capabilities during evaluation.
10. What is the vendor's sub-processor list, and how are changes managed? Under GDPR Article 28, a data processor may engage sub-processors only with the controller's prior written authorisation, which may be specific or general; under a general authorisation the processor must inform you of intended additions or replacements and give you the opportunity to object. Ask for the vendor's sub-processor list, covering every company that processes your candidate data on the vendor's behalf (hosting, email delivery, CV parsing, support tooling), where each is located, and how you will be notified of changes. A vendor who does not maintain or disclose this list is not operating a compliant data processing relationship.
GDPR Native by Design
Treegarden was built in the EU for European companies with GDPR compliance embedded from the ground up — not bolted on. Data is stored on EU servers, automated retention and deletion workflows are built into the platform, candidate consent management is native, and a full Data Processing Agreement is available for all customers. Security is not a premium add-on.
Your Obligations as a Data Controller Using an ATS
Choosing a secure, compliant ATS vendor is necessary but not sufficient. Your company, as the data controller in the ATS relationship, has obligations that no vendor can fulfil on your behalf.
The most fundamental is the legal basis for processing. Under GDPR, you must have a lawful basis for processing each candidate's personal data. In the context of recruitment, the most common and appropriate bases are legitimate interests (the company's legitimate interest in evaluating candidates for employment) and, for the steps a candidate asks you to take towards an employment contract, Article 6(1)(b) processing necessary prior to entering into a contract. Some companies use consent, but this creates practical complications: consent must be freely given and withdrawable at any time, and the power imbalance in a recruitment context makes its voluntary nature questionable. Consent is often the basis used for keeping an unsuccessful candidate in a talent pool for future roles, which is a different purpose from assessing the application itself and should be recorded separately. Your legal basis should be documented in your privacy notice and clearly communicated to candidates at the point of application.
Candidate-facing privacy notices must explain what data is collected, for what purpose, how long it is retained, and what rights the candidate has. These notices should be visible and accessible at every point where candidate data is collected — the career page, the application form, and any direct sourcing outreach. Failing to provide adequate notice at the point of collection is one of the most commonly cited GDPR violations in recruitment contexts.
Data minimisation is another controller obligation often overlooked in recruitment. GDPR requires that only the personal data necessary for the specific purpose is collected. Collecting data "just in case it's useful" or including equality monitoring fields that are not connected to any specific, documented legitimate purpose creates both compliance risk and data management complexity. Review your application forms and data collection practices to ensure you are genuinely collecting only what you need.
Tip: Conduct an Annual ATS Data Audit
Once a year, audit your ATS for data hygiene: identify records that have exceeded your retention period and should be deleted, check that the lawful basis recorded for each record matches how it is being used (assessment of an active application, or retention in a talent pool, which normally needs the candidate's recorded consent), verify that erasure requests have been processed and that nothing under a legal hold was deleted prematurely, and review which users, integrations and API tokens have access to sensitive data. This annual review keeps your ATS compliant and reduces your breach exposure significantly.
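The retention sweep in this tip, and the per-purpose retention and erasure workflows asked about in question 6, can be checked mechanically against an export of your candidate records. The following is an added example written for this article, not code from the original page or from any ATS vendor: the record layout, the retention periods, the outcome names and the sample records are all assumptions constructed for illustration, and the periods are placeholders to be replaced by the figures in your own retention policy.

```python
"""Retention sweep for an annual ATS data audit.

Added example, not part of the original article or of any vendor's product.
The record layout, the retention periods and the sample records below are
assumptions constructed for illustration; map them onto your own ATS export
and your own documented retention policy.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention periods in days, one per processing purpose. Placeholder
# values: the real figures come from your retention policy, not from here.
RETENTION_DAYS = {
    "application": 180,  # unsuccessful applicants, counted from the decision
    "talent_pool": 730,  # talent pool, counted from the last consent refresh
}
WARN_DAYS = 30  # flag records whose retention period ends within 30 days


@dataclass
class Candidate:
    candidate_id: str
    purpose: str            # "application" or "talent_pool"
    last_activity: date     # decision date, or date consent was last refreshed
    consent_recorded: bool  # talent-pool retention needs recorded consent
    erasure_requested: bool = False
    legal_hold: bool = False  # e.g. record needed for a pending claim


def classify(c: Candidate, today: date) -> str:
    """Decide what the audit should do with one record.

    Checks run in priority order: a legal hold overrides everything (the
    right to erasure does not apply where data is needed for legal claims),
    an erasure request is honoured before any retention calculation, and a
    talent-pool record with no consent on file is a finding in its own right.
    """
    if c.legal_hold:
        return "hold"
    if c.erasure_requested:
        return "erase_now"
    if c.purpose == "talent_pool" and not c.consent_recorded:
        return "consent_missing"
    if c.purpose not in RETENTION_DAYS:
        return "unknown_purpose"  # no documented basis for keeping it at all
    due = c.last_activity + timedelta(days=RETENTION_DAYS[c.purpose])
    if today >= due:
        return "expired"
    if today + timedelta(days=WARN_DAYS) >= due:
        return "expiring"
    return "ok"


def sweep(candidates, today: date) -> dict:
    """Group candidate ids by audit outcome."""
    report: dict = {}
    for c in candidates:
        report.setdefault(classify(c, today), []).append(c.candidate_id)
    return report


# Constructed sample export (not real candidates) and a fixed audit date.
AUDIT_DATE = date(2024, 6, 1)
SAMPLE = [
    Candidate("C001", "application", date(2023, 11, 1), False),
    Candidate("C002", "application", date(2024, 1, 1), False),
    Candidate("C003", "application", date(2024, 5, 1), False),
    Candidate("C004", "talent_pool", date(2023, 1, 1), True),
    Candidate("C005", "talent_pool", date(2023, 9, 1), False),
    Candidate("C006", "application", date(2024, 5, 15), False, erasure_requested=True),
    Candidate("C007", "application", date(2023, 1, 1), False, legal_hold=True),
]

if __name__ == "__main__":
    for outcome, ids in sweep(SAMPLE, AUDIT_DATE).items():
        print(f"{outcome:16s} {', '.join(ids)}")
```

The ordering of the checks is the point: a record under legal hold is never deleted by a retention rule, an erasure request is actioned regardless of where the record sits in its retention period, and a talent-pool entry with no consent recorded is surfaced as a problem rather than silently kept. Running the sweep on the constructed sample dates one record as expired, one as expiring within the warning window, one as missing consent, one for immediate erasure and one on hold.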
Access Control and Internal Security Practices
Some of the most significant data risks in recruitment come not from external attackers but from inadequate internal access controls. When every employee in the company can see every candidate's salary expectations and interview notes, the risk of inappropriate disclosure — whether malicious or accidental — is substantially elevated.
Role-based access control should be implemented at a level of granularity that reflects actual business need. A hiring manager reviewing candidates for their team needs access to CVs, interview notes, and assessment scores for candidates in their specific pipeline. They do not need access to candidates interviewing for roles in other departments. An external interviewer on a panel needs access to the candidate's CV and the interview scorecard. They do not need access to salary negotiation history or notes from previous application attempts.
Single sign-on (SSO) integration with your company's identity provider ties ATS access to your central identity management system. When an employee leaves the company, disabling their identity-provider account blocks new ATS logins, rather than leaving a separate credential that may be overlooked in off-boarding. Two caveats matter in practice. First, SSO only closes the door if local username-and-password login is disabled for all users, administrators included, and any vendor-side break-glass accounts are documented. Second, disabling the identity-provider account does not end sessions that are already open or revoke API tokens the user created, so ask whether the ATS supports automated deprovisioning (SCIM or equivalent) that also terminates sessions and tokens, and keep session lifetimes short. SSO is both a security control and a practical necessity for companies with significant team turnover.
Audit logging, the ability to see who accessed which candidate record and when, is an important accountability control. In the event of a suspected inappropriate disclosure, audit logs enable you to investigate what happened and demonstrate compliance to a supervisory authority. Ask any ATS vendor whether comprehensive audit logging is available, whether it records reads and exports as well as edits, how long logs are retained, and whether they can be exported to your own log management or SIEM tooling so that retention and review are under your control.
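The permission model described above (hiring managers confined to their own pipeline, external interviewers confined to CV and scorecard) and the audit log described here come together when you review the log against the model. The following is an added example written for this article, not code from the original page or from any ATS product: the log layout (one JSON object per line), the field names, the role table and the sample events are assumptions constructed to illustrate the checks, and should be adapted to your vendor's export format and your own permission design.

```python
"""Audit-log review against an access model.

Added example, not from the original article or from any ATS product. The
log layout (one JSON object per line), the field names, the access model and
the sample events are assumptions constructed to illustrate the checks;
adapt them to your vendor's export format and your own permission model.
"""
import json

# Assumed access model, derived from the permission design described in the
# article: which requisitions (pipelines) each user is assigned to, and which
# record sections each role may open.
ASSIGNMENTS = {
    "hm.jones": {"REQ-101"},              # hiring manager, own team's pipeline
    "rec.patel": {"REQ-101", "REQ-102"},  # recruiter running both pipelines
    "ext.lee": {"REQ-102"},               # external panel interviewer
}
ROLES = {"hm.jones": "hiring_manager", "rec.patel": "recruiter", "ext.lee": "interviewer"}
SECTIONS_BY_ROLE = {
    "hr_director": {"cv", "interview_notes", "scores", "salary_history"},
    "recruiter": {"cv", "interview_notes", "scores"},
    "hiring_manager": {"cv", "interview_notes", "scores"},
    "interviewer": {"cv", "scorecard"},
}
DEPROVISIONED = {"ex.smith"}  # accounts that off-boarding should have closed
BULK_THRESHOLD = 3  # more distinct candidates than this per user is flagged

# Constructed sample export: one event per line, as a vendor might supply it.
SAMPLE_LOG = """\
{"ts":"2024-06-03T09:01:10Z","user":"hm.jones","action":"view","candidate":"C-1","requisition":"REQ-101","section":"cv"}
{"ts":"2024-06-03T09:02:42Z","user":"hm.jones","action":"view","candidate":"C-7","requisition":"REQ-102","section":"cv"}
{"ts":"2024-06-03T09:05:00Z","user":"ext.lee","action":"view","candidate":"C-7","requisition":"REQ-102","section":"salary_history"}
{"ts":"2024-06-03T10:15:31Z","user":"ex.smith","action":"view","candidate":"C-2","requisition":"REQ-101","section":"cv"}
{"ts":"2024-06-03T11:00:00Z","user":"rec.patel","action":"export","candidate":"C-1","requisition":"REQ-101","section":"cv"}
{"ts":"2024-06-03T11:00:01Z","user":"rec.patel","action":"export","candidate":"C-2","requisition":"REQ-101","section":"cv"}
{"ts":"2024-06-03T11:00:02Z","user":"rec.patel","action":"export","candidate":"C-3","requisition":"REQ-102","section":"cv"}
{"ts":"2024-06-03T11:00:03Z","user":"rec.patel","action":"export","candidate":"C-4","requisition":"REQ-102","section":"cv"}
"""


def review(log_text: str) -> list:
    """Return (finding, user, detail) tuples for events that break the model."""
    findings = []
    touched = {}  # user -> set of distinct candidate ids accessed
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        user = ev["user"]
        touched.setdefault(user, set()).add(ev["candidate"])
        # 1. Activity by an account that should no longer exist at all.
        if user in DEPROVISIONED:
            findings.append(("deprovisioned_user", user, ev["ts"]))
            continue
        # 2. Access to a candidate in a pipeline the user is not assigned to.
        if ev["requisition"] not in ASSIGNMENTS.get(user, set()):
            findings.append(("outside_pipeline", user, ev["candidate"]))
        # 3. Opening a section the user's role is not allowed to see.
        allowed = SECTIONS_BY_ROLE.get(ROLES.get(user, ""), set())
        if ev["section"] not in allowed:
            findings.append(("section_not_permitted", user, ev["section"]))
    # 4. Volume: many distinct records in one log export looks like a bulk pull.
    for user, cands in touched.items():
        if len(cands) > BULK_THRESHOLD:
            findings.append(("bulk_access", user, len(cands)))
    return findings


if __name__ == "__main__":
    for finding in review(SAMPLE_LOG):
        print(finding)
```

On the constructed log the review produces four findings: a hiring manager viewing a candidate in another department's pipeline, an external interviewer opening salary history, activity by an account that off-boarding should have closed, and a recruiter exporting more records than the threshold allows. The first two are exactly the cases the permission model is meant to prevent, so a hit there means either the model in the ATS does not match the model on paper or an administrator granted an exception; the third is the SSO and deprovisioning gap described above showing up in data. Anything the vendor's log does not record (reads as opposed to edits, or exports) cannot be checked this way, which is why the scope of logging is worth asking about before you sign.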
Evaluating Vendor Security Posture in Practice
Security claims made in sales conversations are only as valuable as the evidence that supports them. During any ATS evaluation, security verification should be a structured process rather than a checkbox exercise.
Request the vendor's most recent penetration test report summary, their ISO 27001 certificate together with its scope statement (a certificate that covers only a corporate office says nothing about the product), and their SOC 2 Type II report, reading the auditor's noted exceptions rather than only the cover letter. Certification documents should include valid dates; a certificate that expired two years ago is not evidence of current security management. Ask for the vendor's data breach history: have they experienced any breaches in the last three years? If so, how were they handled and what improvements were made? A vendor who responds to this question with denial or evasion rather than factual disclosure is not a trustworthy security partner.
Review the vendor's privacy policy and terms of service carefully before signing. Pay particular attention to: who owns the data stored in the system (it should be you, the customer); whether the vendor retains any right to use your data for their own purposes such as product improvement or analytics; and what happens to your data when the contract ends. Data deletion upon contract termination should be contractually guaranteed, with a defined timeframe and confirmation process.
For higher-risk environments — companies in regulated industries, companies processing large volumes of sensitive candidate data, or companies subject to sector-specific data protection requirements — a formal information security assessment or vendor risk questionnaire is appropriate. Many companies now include HR technology vendors in their annual third-party risk assessments, applying the same rigour to ATS security as to any other system that processes personal data.
Building a Compliant Recruitment Data Framework
Security and compliance in recruitment data management is ultimately a combination of the right technology, the right processes, and the right culture. The ATS is the technological foundation, but it must be supported by documented policies and a team that understands and applies them consistently.
Core policy documents for any company processing candidate data at scale include: a recruitment privacy policy (candidate-facing); an internal data retention and deletion policy for recruitment data; an access control policy specifying who can access candidate data at each level; and an incident response procedure for suspected data breaches involving recruitment data.
These policies should be reviewed annually and updated whenever there is a material change to your processing activities — a new ATS, a new integration, a new data collection practice, or a relevant change in regulatory guidance. They should also be integrated into recruiter and hiring manager training so that the people who handle candidate data daily understand their obligations and the reasons behind them.
The companies that handle recruitment data well are not those who see it as a compliance burden. They are those who understand that treating candidate data with respect is both a legal obligation and a reflection of their values as an employer. Candidates who trust you with their personal information — their career history, their salary expectations, their personal contact details — deserve to have that trust honoured with genuine care and appropriate security. An ATS that enables that care is not just a compliance tool. It is a component of your employer brand.
Frequently Asked Questions
What certifications should an ATS have for security?
For European companies handling candidate data, the most relevant assurances are ISO 27001 certification (information security management) and a SOC 2 Type II report (an independent auditor's attestation on security, availability, and confidentiality controls over a review period, usually six to twelve months, rather than a certificate). ISO 27001 certification indicates that the vendor has implemented a systematic, audited approach to managing sensitive information; check that the certificate's scope statement actually covers the ATS platform and its hosting, not only the vendor's offices. Any ATS you consider for European operations must also be able to provide a Data Processing Agreement and demonstrate GDPR compliance as a data processor. Request current, dated evidence rather than accepting verbal assurances.
Where should candidate data be stored — EU or non-EU servers?
For companies operating under GDPR, candidate data should ideally be stored on servers located within the European Economic Area. Transferring personal data outside the EEA is permissible under specific conditions (Standard Contractual Clauses or adequacy decisions) but adds compliance complexity and risk. When evaluating ATS platforms, ask specifically where data is stored at rest, where it is processed during normal operations, and what legal mechanisms govern any cross-border transfers. EU-based data storage on all primary systems is the simplest and most defensible position for European companies and removes a class of compliance questions. Storage location is not the whole picture, though: remote access by vendor support or engineering staff from outside the EEA, and sub-processors located outside the EEA, are transfers too, so ask about both.
Can candidates request deletion of their data from an ATS?
Under GDPR Article 17, candidates have the right to erasure in specific circumstances, including when data is no longer necessary for the purposes for which it was collected; the right is not absolute, and a request can be refused where the data is needed to establish, exercise or defend legal claims. A GDPR-compliant ATS must support data deletion at the individual record level, encompassing CVs, interview notes, assessment results, and all associated personal data. Your ATS should provide a workflow for processing deletion requests, and your company must have a documented process for responding without undue delay and at the latest within one month of receipt (extendable by two further months for complex or numerous requests, provided the candidate is told within the first month). Deletion must be permanent, verifiable, and extend to backups within a documented period. Verify deletion capabilities in any ATS before committing to a contract.