
Security Policy

Last updated: 16 May 2026

Treegarden is built on a foundation of trust. We apply technical and organisational measures designed to protect the confidentiality, integrity, and availability of Customer Data processed by the Platform.

Contents

  1. Our Commitment
  2. Encryption & Data Protection
  3. Infrastructure & Network Security
  4. Application Security
  5. Access Control & Authentication
  6. AI Governance (Edera AI)
  7. Sub-Processor Registry
  8. Data Lifecycle & Retention
  9. Incident Response
  10. Business Continuity
  11. Compliance & Certifications
  12. Physical Security
  13. Personnel Security
  14. Vulnerability Management
  15. Vulnerability Disclosure
  16. Changes to This Policy
  17. Contact

1. Our Commitment

Treegarden Software Ltd ("Treegarden") maintains a security programme aligned with recognised information-security practices, including ISO 27001 control areas. Security is considered throughout product design, vendor review, operational monitoring, and incident response.

This Policy applies to all Customer Data processed by the Treegarden ATS platform at app.treegarden.io, including personal data of candidates, employees, and hiring-team members. It supplements our Terms of Service, Privacy Policy, and Service Level Policy.

Treegarden Software Ltd
Company No: 17151699 · Registered in England and Wales
16e Railway Approach, East Grinstead, RH19 1BP, United Kingdom

2. Encryption & Data Protection

At Rest

Customer Data is encrypted at rest using industry-standard encryption. Access to encryption material is restricted to authorised systems and personnel, with key-management controls reviewed as part of our security programme.

In Transit

Platform traffic is protected in transit using HTTPS with modern TLS configurations. Security headers and transport protections are applied to reduce downgrade and interception risks.

Secrets Management

Application secrets are managed through restricted environment-specific controls. Treegarden applies access controls and operational procedures intended to keep secrets out of source code and routine logs.

3. Infrastructure & Network Security

  • Infrastructure controls: The Platform runs on managed production infrastructure with network controls intended to limit public exposure to required services.
  • Perimeter defence: Firewalling, traffic controls, and rate-limiting are applied to reduce common abuse, brute-force, and denial-of-service risks.
  • Secure administration: Administrative access is restricted to authorised personnel and protected through strong authentication, least-privilege access, and audit logging.
  • Patch management: Infrastructure components are monitored and updated based on severity, exposure, and operational risk.
  • Monitoring & alerting: Production systems are monitored for availability, performance anomalies, error rates, and security-relevant events.

4. Application Security

The Platform is built on a supported application framework and uses layered application-security controls:

  • Output and browser protections: User-supplied content is handled through framework-level escaping and browser security controls.
  • Data-access controls: Database access is mediated through application data-access layers designed to reduce injection risk.
  • Request protection: State-changing requests use anti-forgery controls and session protections appropriate to the request type.
  • Input validation: User input and uploaded content are validated server-side before processing.
  • File upload controls: Uploaded files are restricted to permitted document types and processed using protected server-side handling controls.
  • Rate limiting: API and web endpoints use rate-limiting and abuse controls to mitigate common attack patterns.
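As an added illustration of the upload controls described above (example code written for this page, not Treegarden's own implementation, whose framework and file-type allowlist are not published here): a server-side validator that enforces a size cap, discards any client-supplied path, allowlists by extension, and then confirms the declared type against the file's actual content rather than trusting the name. The 10 MB limit and the PDF/DOCX allowlist are assumptions chosen for the example.

```python
"""Server-side upload validation: size cap, safe name, allowlist, content sniffing."""
import io
import re
import zipfile

MAX_UPLOAD_BYTES = 10 * 1024 * 1024          # assumed limit for the example, not a Treegarden figure
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


class UploadRejected(ValueError):
    """Raised with a reason that is safe to return to the uploader."""


def safe_filename(name: str) -> str:
    """Keep only the final path component and a conservative character set."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    base = _UNSAFE_CHARS.sub("_", base).lstrip(".")  # no hidden files, no traversal
    return base[:128] or "upload"


def _looks_like_pdf(data: bytes) -> bool:
    return data.startswith(b"%PDF-")


def _looks_like_docx(data: bytes) -> bool:
    # Every ZIP starts with PK\x03\x04; a DOCX must also carry the OOXML parts,
    # so a renamed arbitrary archive is rejected even though its magic bytes match.
    if not data.startswith(b"PK\x03\x04"):
        return False
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and "word/document.xml" in names


# Permitted document types (assumed for the example) mapped to their content check.
SNIFFERS = {".pdf": _looks_like_pdf, ".docx": _looks_like_docx}


def validate_upload(filename: str, data: bytes) -> str:
    """Return the sanitised storage name, or raise UploadRejected."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file too large")
    name = safe_filename(filename)
    ext = name[name.rfind("."):].lower() if "." in name else ""
    sniff = SNIFFERS.get(ext)
    if sniff is None:
        raise UploadRejected(f"type not permitted: {ext or '(none)'}")
    if not sniff(data):
        raise UploadRejected("content does not match declared type")
    return name


def is_acceptable(filename: str, data: bytes) -> bool:
    """Boolean wrapper so callers (and tests) can ask without handling the exception."""
    try:
        validate_upload(filename, data)
        return True
    except UploadRejected:
        return False


# Constructed sample inputs (not real documents) used to exercise the validator.
SAMPLE_PDF = b"%PDF-1.7\n% constructed sample, not a real document\n"


def make_zip_bytes(entries: dict) -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for path, content in entries.items():
            zf.writestr(path, content)
    return buf.getvalue()


def make_docx_bytes() -> bytes:
    """Minimal ZIP with the two parts the sniffer requires; constructed for the example."""
    return make_zip_bytes({"[Content_Types].xml": "<Types/>", "word/document.xml": "<w:document/>"})


if __name__ == "__main__":
    print(validate_upload("../../etc/CV.docx", make_docx_bytes()))   # CV.docx
    print(is_acceptable("resume.pdf", b"MZ\x90\x00"))                # False: EXE named .pdf
```

The ordering matters: the size check runs before anything parses the body, and the extension allowlist runs before the content check so that the server never opens an archive it was not going to accept anyway.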

5. Access Control & Authentication

Role-Based Access Control

The Platform enforces role-based access with distinct permission boundaries. Each user role restricts what data can be viewed, edited, or exported:

  • Recruiter: Job management, candidate pipeline, interview scheduling for assigned roles
  • Hiring Manager: View and evaluate candidates for assigned jobs, provide interview feedback
  • External Collaborator: Limited view of specific candidates or jobs shared by the organisation
  • Job Seeker: Own profile, application submissions, interview schedule

Authentication

  • Single sign-on (SSO): Integration with Google, Microsoft, and LinkedIn via OAuth 2.0 for federated authentication.
  • Credential security: Passwords are hashed using an industry-standard adaptive algorithm. Plaintext passwords are never stored or logged.
  • Session management: Sessions use secure, HTTP-only cookies with SameSite protections. Idle sessions expire automatically.
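To make the credential and session bullets concrete, here is an added example (written for this page; Treegarden's actual hashing algorithm, parameters and idle timeout are not published) of what they imply in code: salted scrypt hashing from the standard library with constant-time verification, a Set-Cookie value carrying the Secure, HttpOnly and SameSite attributes, and an in-memory session store that expires idle sessions. The scrypt cost parameters and the 30-minute idle limit are assumptions for the example.

```python
"""Adaptive password hashing, hardened session cookie, and idle-session expiry."""
import hashlib
import hmac
import os
import secrets
import time
from http.cookies import SimpleCookie

# scrypt work factors: assumed for the example; tune to your hardware and latency budget.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
IDLE_TIMEOUT_SECONDS = 30 * 60        # assumed idle limit, not a Treegarden figure


def hash_password(password: str) -> str:
    """Fresh random salt per user; parameters are stored alongside so they can be raised later."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored parameters and compare in constant time; malformed input fails closed."""
    try:
        algo, n, r, p, salt_hex, digest_hex = stored.split("$")
        if algo != "scrypt":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        if len(expected) < 16:
            return False
        actual = hashlib.scrypt(password.encode(), salt=salt,
                                n=int(n), r=int(r), p=int(p), dklen=len(expected))
    except ValueError:
        return False
    return hmac.compare_digest(actual, expected)


def session_cookie(session_id: str) -> str:
    """Set-Cookie header value: not readable by script, HTTPS only, not sent cross-site."""
    jar = SimpleCookie()
    jar["session"] = session_id
    jar["session"]["secure"] = True
    jar["session"]["httponly"] = True
    jar["session"]["samesite"] = "Lax"
    jar["session"]["path"] = "/"
    return jar["session"].OutputString()


class SessionStore:
    """In-memory sessions keyed by an unguessable id; idle sessions expire automatically.

    `clock` is injectable so the expiry rule can be tested without sleeping.
    """

    def __init__(self, idle_timeout: int = IDLE_TIMEOUT_SECONDS, clock=time.monotonic):
        self._idle = idle_timeout
        self._clock = clock
        self._sessions = {}          # session id -> (user id, last-seen timestamp)

    def create(self, user_id: str) -> str:
        sid = secrets.token_urlsafe(32)          # 256 bits of entropy
        self._sessions[sid] = (user_id, self._clock())
        return sid

    def resolve(self, sid: str):
        """Return the user id for a live session, or None (and drop it) if unknown or idle-expired."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        user_id, last_seen = entry
        now = self._clock()
        if now - last_seen > self._idle:
            del self._sessions[sid]
            return None
        self._sessions[sid] = (user_id, now)     # activity extends the idle window
        return user_id


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(verify_password("correct horse battery staple", record))   # True
    print(session_cookie(SessionStore().create("user-1")))
```

Storing the parameters inside the hash string is what lets the work factor be increased over time: old records still verify, and can be rehashed at next login.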

Multi-Tenant Isolation

Each organisation's data is logically isolated at the application layer. Access controls are designed to restrict users to data belonging to their own company and are reviewed through application testing and operational monitoring.
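The role table and the isolation paragraph above describe two separate checks that a request must pass: the row must belong to the caller's organisation, and the caller's role must permit the action on that row. The following added example (written for this page; Treegarden's data model and permission granularity are not published, so the matrix and sample records are assumptions) shows both, alongside the unscoped lookup that produces the classic cross-tenant leak when the organisation filter is forgotten.

```python
"""Tenant-scoped lookup plus role-based authorisation for candidate records."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Set, Tuple


class NotFound(LookupError):
    """Raised for unknown ids AND for ids belonging to another tenant (same response for both)."""


class Forbidden(PermissionError):
    """Raised when the row is in the caller's tenant but the role does not allow the action."""


@dataclass(frozen=True)
class User:
    id: str
    org_id: str
    role: str                                   # a key of PERMISSIONS
    assigned_jobs: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Candidate:
    id: str
    org_id: str
    job_id: str
    owner_user_id: Optional[str] = None          # the Job Seeker who owns this profile


# Illustrative permission matrix derived from the role table; the action names are assumed.
PERMISSIONS = {
    "recruiter":             {"view", "edit", "export", "schedule"},
    "hiring_manager":        {"view", "feedback"},
    "external_collaborator": {"view"},
    "job_seeker":            {"view", "edit"},
}


def fetch_candidate_unscoped(db: Dict[str, Candidate], candidate_id: str) -> Candidate:
    """The anti-pattern: a lookup by id alone lets any tenant read any other tenant's row."""
    return db[candidate_id]


def fetch_candidate(db: Dict[str, Candidate], user: User, candidate_id: str) -> Candidate:
    """Tenant-scoped lookup: the organisation filter is part of the query, not a later check."""
    cand = db.get(candidate_id)
    if cand is None or cand.org_id != user.org_id:
        raise NotFound(candidate_id)   # do not reveal whether the id exists in another tenant
    return cand


def is_in_scope(user: User, cand: Candidate, shares: Set[Tuple[str, str]]) -> bool:
    """Row-level scope per role, evaluated only after the tenant check has passed."""
    if user.role in ("recruiter", "hiring_manager"):
        return cand.job_id in user.assigned_jobs       # assigned jobs only
    if user.role == "external_collaborator":
        return (user.id, cand.id) in shares            # only candidates explicitly shared
    if user.role == "job_seeker":
        return cand.owner_user_id == user.id           # own profile only
    return False                                       # unknown role: deny by default


def access_candidate(db, user, candidate_id, action, shares=frozenset()) -> Candidate:
    """Tenant check, then action check, then row scope; returns the record or raises."""
    cand = fetch_candidate(db, user, candidate_id)
    if action not in PERMISSIONS.get(user.role, set()) or not is_in_scope(user, cand, shares):
        raise Forbidden(f"{user.role} may not {action} {candidate_id}")
    return cand


def can_access(db, user, candidate_id, action, shares=frozenset()) -> bool:
    try:
        access_candidate(db, user, candidate_id, action, shares)
        return True
    except (NotFound, Forbidden):
        return False


def sample_db() -> Dict[str, Candidate]:
    """Constructed sample records for two fictional tenants (not real data)."""
    return {
        "c1": Candidate("c1", org_id="acme", job_id="j1", owner_user_id="seeker1"),
        "c2": Candidate("c2", org_id="acme", job_id="j2"),
        "c3": Candidate("c3", org_id="globex", job_id="j9"),
    }


if __name__ == "__main__":
    db = sample_db()
    recruiter = User("r1", "acme", "recruiter", frozenset({"j1"}))
    print(can_access(db, recruiter, "c1", "export"))          # True
    print(can_access(db, recruiter, "c3", "view"))            # False: other tenant
    print(fetch_candidate_unscoped(db, "c3").org_id)          # globex: the leak
```

Returning the same NotFound for "wrong tenant" and "no such id" is deliberate: a distinguishable response would let a caller enumerate which identifiers exist across organisations.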

6. AI Governance (Edera AI)

Treegarden's AI recruitment suite ("Edera AI") assists with candidate scoring, screening question generation, and interview preparation. The following safeguards govern all AI-powered features:

Human Oversight

  • No automatic rejection: AI models score and rank candidates but never automatically reject an applicant. All consequential hiring decisions require human review.
  • Advisory only: AI-generated scores and recommendations are presented as decision-support tools, not as final outcomes.
  • Override capability: Recruiters and hiring managers may override or disregard any AI output at any time.

Transparency & Fairness

  • Audit trail: AI-assisted actions and relevant review context are logged for auditability and traceability.
  • Bias monitoring: AI outputs are monitored for demographic bias, with corrective action taken when anomalies are detected.
  • Candidate rights: Candidates may request an explanation of how AI was used in their application and may opt out of AI-assisted scoring.

EU AI Act Compliance

AI systems used in recruitment may be classified as high-risk under the EU AI Act (Regulation 2024/1689). Treegarden designs Edera AI controls to support applicable requirements, including risk management, automatic logging, transparency, human oversight, deployer notification, support for fundamental rights impact assessments, and incident reporting.

7. Sub-Processor Registry

Treegarden uses carefully selected third-party service providers to deliver hosting, payments, identity, analytics, communications, certificate management, workspace integrations, and operational monitoring. Each provider is assessed for security and data-protection practices before engagement and is subject to contractual obligations.

Data residency: Primary Customer Data is hosted in EU-based production infrastructure. Where restricted transfers apply, Treegarden uses appropriate safeguards such as the EU-US Data Privacy Framework, Standard Contractual Clauses, and the UK Approved Addendum as described in our Data Processing Agreement.

The current authorised sub-processor list, including processing purposes, transfer details, and notice commitments, is published in our Data Processing Agreement (Annex C). Procurement teams may request additional vendor-security detail during commercial review.

8. Data Lifecycle & Retention

  • Active subscription: Customer Data is retained and available throughout the Subscription Term, subject to customer-configured candidate-retention settings and applicable legal obligations.
  • Post-termination: Upon termination or expiry, Customer Data is retained for 30 days to allow export. An extension of up to 30 additional days may be requested before the initial period expires.
  • Deletion: After the retention period, Customer Data is deleted from primary systems and aged out of backups according to applicable backup-retention schedules, subject to any legal retention obligations.
  • Right to erasure: Data subjects may exercise their right to erasure under GDPR Article 17. Requests are handled within applicable statutory timelines.
  • Data export: Customers may request a full export of their data in a machine-readable format at any time during their subscription or the post-termination retention period.

9. Incident Response

Treegarden maintains an incident response process covering identification, containment, recovery, communication, and post-incident review. Key commitments:

  • Notification: Affected Customers are notified without undue delay where a personal data breach or material security incident requires customer communication.
  • Regulatory reporting: Where required, breaches are assessed and reported to the relevant supervisory authority within applicable legal timelines.
  • Incident review: Material security incidents are reviewed to identify contributing factors and remediation actions.
  • Continuous improvement: Lessons learned are incorporated into security controls, training materials, and operational procedures where appropriate.

Report an incident: If you suspect a security issue, please contact [email protected] immediately.

10. Business Continuity

  • Backups: Database and file-storage backups are performed regularly and protected using encryption and access controls.
  • Recovery testing: Backup restoration procedures are tested periodically to validate data recoverability and recovery time.
  • Resilience: Critical platform components are designed with resilience controls appropriate to their role in the service.
  • Service level commitments: Uptime targets, maintenance windows, and service credits are detailed in the Service Level Policy.

11. Compliance & Certifications

  • UK GDPR & Data Protection Act 2018: Supported. Treegarden acts as data processor for Customer Data and publishes a DPA.
  • EU GDPR (Regulation 2016/679): Supported where applicable. Standard Contractual Clauses and supplementary safeguards are applied for restricted transfers.
  • EU AI Act (Regulation 2024/1689): Designed to support applicable high-risk AI obligations for Edera AI recruitment workflows.
  • ISO 27001: Aligned. Security programme maps to recognised ISO 27001 control areas.
  • UK Bribery Act 2010: Supported by internal anti-corruption policies and procedures.

Treegarden maintains data-protection documentation for high-risk processing activities and records of processing activities where required. Our Data Processing Agreement is publicly available and includes Technical and Organisational Measures (Annex B) and the authorised sub-processor list (Annex C).

12. Physical Security

Treegarden production systems are hosted in certified data-centre environments operated by third-party infrastructure providers. Physical security, environmental protection, power resilience, and facility access controls are assessed through provider due diligence, contractual commitments, and independent assurance materials where available.

13. Personnel Security

  • Least privilege: Access is governed by the principle of least privilege and reviewed against role requirements.
  • Access reviews: Personnel access is reviewed periodically and revoked promptly upon role change or departure.
  • Confidentiality: All personnel with access to personal data are subject to contractual confidentiality obligations. NDAs are in place for third-party contractors.
  • Security awareness: Personnel receive training on data-protection obligations and security responsibilities relevant to their role.
  • Administrative access: Administrative access is protected through strong authentication and auditability controls.

14. Vulnerability Management

Security Monitoring

  • Application dependencies, infrastructure configuration, and platform components are reviewed using automated and manual checks.
  • Identified vulnerabilities are prioritised based on severity, exploitability, exposure, and potential customer impact.
  • Security findings are tracked through remediation and reviewed as part of release and operational processes.

Patch Management

  • Operating system, application framework, runtime, and dependency updates are evaluated and applied based on risk and operational impact.
  • Security-relevant updates are prioritised where exposure or active exploitation materially increases customer risk.
  • Emergency remediation procedures are available for critical issues requiring accelerated response.

Application Security Testing

  • Security-sensitive changes are subject to code review and targeted testing.
  • Automated and manual tests cover authentication, authorisation, data access, security headers, and integration risks where relevant.
  • Configuration reviews are performed to reduce misconfiguration and deployment risk.

15. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities from the research community. If you believe you have found a vulnerability in the Treegarden platform:

  • Email details to [email protected].
  • Include steps to reproduce and any supporting evidence.
  • Allow reasonable time for investigation and remediation before public disclosure.

Treegarden commits to acknowledging reports promptly and will not pursue legal action against researchers acting in good faith. Our machine-readable security contact is published at /.well-known/security.txt.
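For reference, the shape of an RFC 9116 security.txt as it would be served at /.well-known/security.txt (an added illustration, not a copy of Treegarden's published file; the contact address is a placeholder and the expiry date is assumed):

```text
# /.well-known/security.txt (illustrative; RFC 9116 requires Contact and Expires)
Contact: mailto:security@example.com
Expires: 2027-05-16T00:00:00.000Z
Canonical: https://treegarden.io/.well-known/security.txt
Policy: https://treegarden.io/security/
Preferred-Languages: en
```

Expires is mandatory and should be refreshed well before it passes; a stale file is treated by tooling as having no valid contact.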

Important: Unauthorised penetration testing, vulnerability scanning, or automated load testing of the Platform without prior written consent is prohibited under the Terms of Service.

16. Changes to This Policy

Treegarden may update this Security Policy at any time. Material changes — including new sub-processors, changes to data-processing locations, or reductions in security controls — will be communicated to active Customers at least 30 days before taking effect.

The current version is always available at treegarden.io/security/.

17. Contact

For security enquiries, vulnerability reports, or data protection requests:

Security: [email protected]
Legal: [email protected]
General: [email protected]
Website: treegarden.io
