Security & Trust

Enterprise-grade protection
for your recruitment data

Built on EU Poland and US Central infrastructure. Engineered for compliance. Designed to meet the rigorous standards of regulated industries — from healthcare to finance.

Transparent practices, honest commitments, and a clear roadmap. Here is exactly how we protect your data.

GDPR Compliant
TLS 1.3 + AES-256
EU Poland & US Central
72-hr Breach Notification
Role-Based Access Control
Daily Encrypted Backups
Section 01

Infrastructure

EU & US Data Residency
Primary servers in EU Poland and US Central.
ISO 27001 Data Centres
Physical security, environmental controls, and 24/7 monitoring at tier-rated, certified facilities.
Isolated Environments
Network-level isolation separates production, staging, and backups. Least-privilege access enforced between systems.
Data residency is a firm commitment: All customer data is stored exclusively in your chosen region — EU Poland or US Central. Data is never transferred outside your selected region without explicit consent.
Section 02

Encryption at Every Layer

All data is encrypted both in transit and at rest. There are no unencrypted pathways in Treegarden's production environment.

In Transit

  • All connections secured with TLS 1.2 and TLS 1.3. Legacy protocols (SSL 3.0, TLS 1.0/1.1) are permanently disabled.
  • HTTPS enforced across all endpoints. HTTP Strict Transport Security (HSTS) headers prevent protocol downgrade attacks.
  • Certificates issued with automated renewal and short certificate lifetimes.

At Rest

  • All stored data — candidate records, CVs, attachments, database dumps — encrypted using AES-256.
  • Sensitive fields receive additional encryption at the database layer, in addition to full-disk encryption on underlying storage volumes.
  • File uploads (CVs, documents) validated, sanitised, and stored on encrypted volumes with strict access controls.

Key Management

  • Encryption keys are managed separately from the data they protect, with restricted access and documented rotation policies.
  • Application-level secrets (API credentials, database keys, service tokens) are stored in environment-specific configuration with restricted permissions. Secrets are never committed to version control or exposed in logs.
Section 03

Granular Access Control & Secure Authentication

Role-Based Access Control (RBAC)

Treegarden enforces five distinct user roles, each scoped to the minimum permissions required for its function. Users can only access data belonging to their own organisation — cross-tenant access is prevented by design and validated on every request.

Role Access Scope
HR Manager Full recruitment and HR module access; user management within the organisation
Recruiter Job management, candidate pipeline, interview scheduling for assigned roles
Hiring Manager View and evaluate candidates for assigned jobs; provide interview feedback
External Collaborator Limited view of specific candidates or jobs explicitly shared by the organisation

Authentication

  • Multi-Factor Authentication (MFA): MFA is supported to add a second layer of protection beyond passwords.
  • Current SSO: Federated login available today via Google OAuth and LinkedIn OAuth.
  • Credential security: Passwords hashed using an industry-standard adaptive algorithm. Plaintext passwords are never stored or logged.
  • Session management: Secure, HTTP-only cookies with SameSite protections. Sessions expire on inactivity. Server-side invalidation on logout.

Enterprise SSO — On Roadmap: SAML 2.0 and Azure Entra ID (formerly Azure AD) integration is in active development, enabling centralised identity management, provisioning, and enforcement of your organisation's existing authentication policies. We are happy to discuss your specific Entra/SAML requirements as part of an enterprise engagement. Contact [email protected].

Section 04

GDPR Compliance & Data Privacy

Treegarden is fully GDPR-compliant, built from the ground up to meet EU data protection obligations as both a data processor and controller where applicable.

  • Data Processing Agreement (DPA): A DPA is available on request to support your compliance and procurement processes. It includes detailed Technical and Organisational Measures (Annex B) and a complete sub-processor list (Annex C).
  • Right to erasure: Candidates and customers can exercise their right to be forgotten. Data is permanently deleted upon validated request in line with GDPR Article 17, within 30 days.
  • Data minimisation: We collect and retain only the data necessary to deliver the service. Defined data retention policies apply automated cleanup of records beyond their retention window.
  • Configurable retention periods: You can align Treegarden's retention settings with your own internal data governance and regulatory requirements.
  • Data export: Customers may request a full machine-readable export of their data at any time during their subscription or post-termination retention period.
  • DPIAs: Data Protection Impact Assessments are conducted for high-risk processing activities. Records of processing activities are maintained per GDPR Article 30.
  • International transfers: Where data is processed by US-based sub-processors, EU Standard Contractual Clauses with the UK Approved Addendum apply. Full transfer mechanisms are documented in the DPA.
The full DPA, including sub-processor registry and technical measures, is available at /dpa/ or on request from [email protected].
Section 05

Incident Response & Breach Notification

Treegarden maintains a documented incident response plan covering identification, containment, eradication, recovery, and post-incident review. Key commitments:

  • 72-hour breach notification: In the event of a personal data breach, Treegarden will notify affected customers without undue delay and within 72 hours, in accordance with GDPR Article 33.
  • Supervisory authority reporting: Where required, breaches are reported to the Information Commissioner's Office (ICO) within the 72-hour window.
  • Root cause analysis: Every security incident is followed by a root cause analysis and remediation plan to prevent recurrence.
  • Post-incident review: Lessons learned are documented and incorporated into security controls, training materials, and operational procedures.

Severity Levels

Priority Condition Response
P0 Critical Active breach or full service outage Immediate all-hands response; customer notification within 24 hours
P1 High Significant security or availability impact Urgent remediation; customer notification within 72 hours
P2 Medium Limited-scope issue with a workaround Scheduled remediation within current sprint
P3 Low Minor issue, no material security or availability impact Triaged and addressed in standard release cycle
Report a suspected incident: Contact [email protected] immediately. Mark the subject line URGENT for P0/P1 issues.
Section 06

Proactive Vulnerability Management

Dependency Scanning

  • Server-side and client-side dependencies are scanned regularly for known vulnerabilities.
  • We track upstream security advisories for our framework and third-party libraries, applying security patches promptly.
  • Critical and high-severity vulnerabilities are addressed within the current development cycle. Emergency patches for actively exploited vulnerabilities are applied within 24 hours.

Application Security

  • Code review: All changes affecting authentication, authorisation, data access, or file handling undergo security-focused peer review.
  • Automated scanning: Security scanning integrated into the development pipeline to catch known issues before production.
  • Input validation: Parameterised queries throughout the data-access layer. All user input validated server-side. Strict type and format checks on every endpoint.
  • File upload controls: Uploaded files validated against an allowlist of permitted types. Archive formats that may conceal malicious payloads are rejected. Files stored outside the web-accessible directory.
  • Hardening: Path traversal protection, strict file-type validation, and command execution timeout controls on all processing operations.

Responsible Disclosure

We welcome reports from security researchers. Vulnerabilities can be disclosed responsibly via [email protected]. Include steps to reproduce and allow reasonable time for investigation before public disclosure. Treegarden will not pursue legal action against researchers acting in good faith. Our machine-readable security contact is published at /.well-known/security.txt.

Section 07

Backups & Disaster Recovery

  • Daily automated backups of all production databases and customer data, performed on a scheduled cadence with no manual intervention required.
  • 30-day retention of backups, enabling point-in-time recovery within the full retention window.
  • Backups are stored on geo-redundant EU infrastructure, isolated from the primary production environment, and encrypted before transfer.
  • Recovery testing: Backup restoration procedures are periodically validated to confirm data recoverability and measure recovery time.
  • Redundancy: Critical components are designed with redundancy to minimise single points of failure. Uptime targets are published in the Service Level Policy.

Recovery targets (RTO/RPO): We maintain defined Recovery Time Objective and Recovery Point Objective targets to bound data loss and downtime in a recovery scenario. Specific RTO/RPO commitments can be detailed under an enterprise agreement — contact [email protected] to discuss your requirements.

Section 08

Compliance & Certifications

We commit to honesty about our certification status: where a standard is in progress, we say so explicitly. We do not claim certifications we have not earned.

Framework Status Notes
GDPR (EU Regulation 2016/679) Confirmed Architecture, hosting, and processes fully aligned. DPA available.
UK GDPR & Data Protection Act 2018 Confirmed Treegarden acts as data processor. SCCs + UK Approved Addendum applied.
Responsible Disclosure Policy Live Published and machine-readable at /.well-known/security.txt.
ISO 27001 Aligned Security programme follows ISO 27001 controls. Treegarden-level certification under evaluation. Data centres in EU Poland and US Central are ISO 27001-certified facilities.
SOC 2 Type II In Progress Planned as part of enterprise readiness roadmap. Not currently attested — we will not represent it as complete until independently verified.
Our data centres in EU Poland and US Central operate under ISO 27001-certified facilities. Their certifications cover physical security, environmental controls, and availability — extending baseline assurance to all data stored on their infrastructure.
Security Documentation

Request Our Security Documentation

Evaluating Treegarden for your organisation? Our security team is ready to support your review. We work directly with your IT and security stakeholders.

Available on request
  • Data Processing Agreement (DPA) with full technical and organisational measures
  • Architecture overview and infrastructure documentation
  • Custom security questionnaire responses (vendor risk assessments)
  • Enterprise SSO (SAML 2.0 / Azure Entra ID) implementation discussion

We typically respond to security inquiries within two business days. For incident reporting, mark your email URGENT in the subject line.