Security Policy
Last updated: 14 April 2026
Treegarden is built on a foundation of trust. We apply rigorous technical and organisational measures to protect the confidentiality, integrity, and availability of every piece of data our customers entrust to the Platform.
1. Our Commitment
Treegarden Software Ltd ("Treegarden") maintains a security programme aligned with ISO 27001 standards. Security is embedded in every layer of the Platform — from the way we design features and review code, to the way we select vendors and respond to incidents.
This Policy applies to all Customer Data processed by the Treegarden ATS platform at app.treegarden.io, including personal data of candidates, employees, and hiring-team members. It supplements our Terms of Service, Privacy Policy, and Service Level Policy.
Treegarden Software Ltd
Company No: 17151699 · Registered in England and Wales
16e Railway Approach, East Grinstead, RH19 1BP, United Kingdom
2. Encryption & Data Protection
At Rest
All Customer Data — including database records, uploaded documents, and backups — is encrypted at rest using AES-256. Encryption keys are managed through dedicated key-management services with strict access controls and regular rotation schedules.
In Transit
Every connection to the Platform is encrypted with TLS 1.2 or higher. Legacy protocols (TLS 1.0/1.1) are disabled. HTTP Strict Transport Security (HSTS) headers are enforced to prevent downgrade attacks, and all API traffic is conducted exclusively over HTTPS.
Secrets Management
Application-level secrets (API credentials, database keys, service tokens) are stored in environment-specific configuration with restricted permissions. Secrets are never committed to version control or exposed in application logs.
3. Infrastructure & Network Security
- Dedicated hosting: The Platform runs on dedicated infrastructure with strict network segmentation. Only essential services are exposed to the public internet.
- Firewall & perimeter defence: A default-deny firewall policy ensures that all inbound traffic is blocked unless explicitly allowed. Rate limiting and request-size restrictions are applied at the network edge.
- Secure administration: Administrative access uses key-based authentication only. Password-based remote login is disabled. All administrative sessions are logged and auditable.
- Automated patching: Critical security patches are applied automatically. Infrastructure components are regularly updated to address known vulnerabilities.
- Monitoring & alerting: Infrastructure is continuously monitored for performance anomalies, error rates, and security events. Alerts are escalated to the engineering team in real time.
4. Application Security
The Platform is built on a modern, well-supported application framework with security controls applied at every layer:
- Cross-site scripting (XSS): All user-generated output is escaped by default. Content Security Policy headers restrict the execution of untrusted scripts.
- SQL injection: The data-access layer uses parameterised queries exclusively. Direct SQL string concatenation is prohibited by design.
- Cross-site request forgery (CSRF): All state-changing requests require a valid, server-generated token.
- Input validation: All user input is validated server-side before processing. Strict type and format checks are enforced on every endpoint.
- File upload controls: Uploaded files are validated against an allowlist of permitted types, scanned for malware, and stored outside the web-accessible directory. Archive formats that may conceal malicious payloads are rejected.
- Rate limiting: API and web endpoints are rate-limited to mitigate brute-force, credential-stuffing, and denial-of-service attempts.
5. Access Control & Authentication
Role-Based Access Control
The Platform enforces role-based access with distinct permission boundaries. Each user role restricts what data can be viewed, edited, or exported:
| Role | Access Level |
|---|---|
| Recruiter | Job management, candidate pipeline, interview scheduling for assigned roles |
| Hiring Manager | View and evaluate candidates for assigned jobs, provide interview feedback |
| External Collaborator | Limited view of specific candidates or jobs shared by the organisation |
| Job Seeker | Own profile, application submissions, interview schedule |
Authentication
- Single sign-on (SSO): Integration with Google, Microsoft, and LinkedIn via OAuth 2.0 for federated authentication.
- Credential security: Passwords are hashed using an industry-standard adaptive algorithm. Plaintext passwords are never stored or logged.
- Session management: Sessions use secure, HTTP-only cookies with SameSite protections. Idle sessions expire automatically.
Multi-Tenant Isolation
Each organisation's data is logically isolated at the application layer. Users can only access data belonging to their own company. Cross-tenant data access is prevented by design and validated on every request.
6. AI Governance (Edera AI)
Treegarden's AI recruitment suite ("Edera AI") assists with candidate scoring, screening question generation, and interview preparation. The following safeguards govern all AI-powered features:
Human Oversight
- No automatic rejection: AI models score and rank candidates but never automatically reject an applicant. All consequential hiring decisions require human review.
- Advisory only: AI-generated scores and recommendations are presented as decision-support tools, not as final outcomes.
- Override capability: Recruiters and hiring managers may override or disregard any AI output at any time.
Transparency & Fairness
- Audit trail: Every AI-generated decision is logged with timestamps and parameters for full traceability.
- Bias monitoring: AI outputs are monitored for demographic bias, with corrective action taken when anomalies are detected.
- Candidate rights: Candidates may request an explanation of how AI was used in their application and may opt out of AI-assisted scoring.
EU AI Act Compliance
AI systems used in recruitment are classified as high-risk under the EU AI Act (Regulation 2024/1689). Treegarden implements the applicable requirements, including risk management (Art. 9), automatic logging (Art. 12), transparency (Art. 13), human oversight (Art. 14), deployer notification (Art. 26), fundamental rights impact assessment (Art. 27), and incident reporting (Art. 73).
7. Sub-Processor Registry
Treegarden engages the following categories of third-party service providers to deliver Platform functionality. Each provider is assessed for security practices and data-protection compliance before engagement and is subject to contractual obligations.
| Provider | Purpose | Data Location | Certifications |
|---|---|---|---|
| OVHcloud (OVH Groupe SAS) | Cloud infrastructure, data storage, backups | EU (Poland) | ISO/IEC 27001, SOC 1 & 2 Type II, HDS |
| Stripe | Payment processing, invoicing | EU (Ireland) / USA | PCI DSS Level 1, SOC 1/2, ISO 27001 |
| Google | OAuth SSO, Google Analytics | Global / USA | ISO 27001/27017/27018, SOC 1/2/3 |
| Microsoft | OAuth SSO, Microsoft Clarity analytics | USA (Azure) / Ireland | ISO 27001/27701, SOC 1/2/3, CSA STAR |
| LinkedIn | OAuth SSO | USA / Ireland | ISO 27001, ISO 22301, SOC 2 |
| Mailgun (Sinch) | Transactional email delivery | EU (configured) / USA | SOC 2 Type II, ISO 27001 (Sinch group) |
| Let’s Encrypt (ISRG) | SSL/TLS certificate issuance | USA | WebTrust for CAs |
| Sentry | Error monitoring, performance tracking | USA | SOC 2 Type II |
The complete, up-to-date list of sub-processors with detailed data processing descriptions is published in our Data Processing Agreement (Annex C). Customers are notified at least 30 days in advance of any new sub-processor engagement.
8. Data Lifecycle & Retention
- Active subscription: Customer Data is retained and available throughout the Subscription Term.
- Post-termination: Upon termination or expiry, Customer Data is retained for 30 days to allow export. An extension of up to 30 additional days may be requested before the initial period expires.
- Permanent deletion: After the retention period, Customer Data is permanently deleted from all primary systems and backups, subject to any legal retention obligations.
- Right to erasure: Data subjects may exercise their right to erasure under GDPR Article 17. Requests are processed within 30 days.
- Data export: Customers may request a full export of their data in a machine-readable format at any time during their subscription or the post-termination retention period.
9. Incident Response
Treegarden maintains a documented incident response plan covering identification, containment, eradication, recovery, and post-incident review. Key commitments:
- Notification: Affected Customers are notified without undue delay, and in any event within 72 hours of becoming aware of a personal data breach, in accordance with GDPR Article 33.
- Supervisory authority reporting: Where required, breaches are reported to the Information Commissioner's Office (ICO) within the 72-hour window.
- Root cause analysis: Every security incident is followed by a root cause analysis and a remediation plan to prevent recurrence.
- Post-incident review: Lessons learned are documented and incorporated into security controls, training materials, and operational procedures.
10. Business Continuity
- Automated backups: Database and file-storage backups are performed daily and encrypted before transfer to geographically separate storage.
- Recovery testing: Backup restoration procedures are tested periodically to validate data recoverability and recovery time.
- Redundancy: Critical components are designed with redundancy to minimise single points of failure.
- Service level commitments: Uptime targets, maintenance windows, and service credits are detailed in the Service Level Policy.
11. Compliance & Certifications
| Framework | Status |
|---|---|
| UK GDPR & Data Protection Act 2018 | Compliant. Treegarden acts as data processor; DPA available on request. |
| EU GDPR (Regulation 2016/679) | Compliant. Standard Contractual Clauses applied for international transfers. |
| EU AI Act (Regulation 2024/1689) | Compliant. Edera AI implements high-risk AI system requirements. |
| ISO 27001 | Aligned. Security programme follows ISO 27001 controls and practices. |
| UK Bribery Act 2010 | Compliant. Anti-corruption policies and procedures in place. |
Treegarden conducts Data Protection Impact Assessments (DPIAs) for high-risk processing activities and maintains records of processing activities in accordance with GDPR Article 30. Our Data Processing Agreement is publicly available and includes detailed Technical and Organisational Measures (Annex B) and a complete list of sub-processors (Annex C).
12. Physical Security
Treegarden’s production infrastructure is hosted in OVHcloud data centres (Warsaw, Poland) that implement the following physical security measures, verified through their ISO/IEC 27001 and SOC 2 Type II certifications:
Access Control
- RFID technology and biometric systems restrict entry to authorised personnel only
- Every access event is electronically recorded with time-stamped logs
- Visitors permitted entry only when accompanied by authorised OVHcloud staff
- Multi-zone access control with escalating security levels for sensitive areas
Surveillance and Fire Protection
- Video surveillance covering external perimeters and security-relevant internal areas
- Data centres divided into fire compartments with gas extinguishing systems
- Automatic fire alarm systems connected to local fire and rescue coordination centres
Power and Environmental Controls
- N+1 redundant uninterruptible power supply (UPS) systems for continuous operation
- Diesel-powered emergency generators for extended power interruptions
- Redundant air conditioning systems maintaining optimal operating conditions
- Environmental monitoring with automated alerting for out-of-range conditions
13. Personnel Security
- Least privilege: All access governed by the principle of least privilege; no shared accounts permitted.
- Access reviews: Personnel access reviewed periodically and revoked promptly upon role change or departure.
- Confidentiality: All personnel with access to personal data subject to contractual confidentiality obligations. NDAs in place for third-party contractors.
- Security awareness: Personnel trained on data protection obligations under UK GDPR and EU AI Act responsibilities for high-risk systems, including bias awareness and human oversight.
- Administrative access: Requires multi-factor authentication and is traceable to named individuals.
14. Vulnerability Management
Dependency Scanning
- PHP dependencies scanned using composer audit; JavaScript dependencies scanned using npm audit
- Critical and high vulnerabilities addressed within the current development cycle
- Dependency lock files committed to version control for reproducible, auditable builds
Patch Management
- OS security patches applied automatically through unattended-upgrades
- Application framework and runtime updates evaluated and applied within 30 days for security-relevant releases
- Emergency patches for actively exploited vulnerabilities applied within 24 hours
Application Security Testing
- Code review for all changes affecting authentication, authorisation, data access, or AI decision logic
- Security-specific test suites covering rate limiting, 2FA, security headers, and integration security
- Configuration scanning to detect misconfigurations and security weaknesses
15. Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities from the research community. If you believe you have found a vulnerability in the Treegarden platform:
- Email details to [email protected].
- Include steps to reproduce and any supporting evidence.
- Allow reasonable time for investigation and remediation before public disclosure.
Treegarden commits to acknowledging reports promptly and will not pursue legal action against researchers acting in good faith. Our machine-readable security contact is published at /.well-known/security.txt.
16. Changes to This Policy
Treegarden may update this Security Policy at any time. Material changes — including new sub-processors, changes to data-processing locations, or reductions in security controls — will be communicated to active Customers at least 30 days before taking effect.
The current version is always available at treegarden.io/security/.
17. Contact
For security enquiries, vulnerability reports, or data protection requests:
Treegarden Software Ltd
Company No: 17151699 · Registered in England and Wales
16e Railway Approach, East Grinstead, RH19 1BP, United Kingdom
Security: [email protected]
Legal: [email protected]
General: [email protected]
Website: treegarden.io