Do you train AI models on customer data?

Never. Customer data is contractually excluded from model training. Per-tenant inference uses customer prompts only at request-time and is not retained for training.

What happens if there's an incident?

Notification within 24 hours per our DPA. Public status page + incident postmortem. SOC 2 incident response procedures audited annually.

How long do you retain candidate data?

Default: 18 months. Configurable per workspace, per role, or per candidate. Candidates can request deletion via a self-serve portal.

Are sub-processors transparent?

Yes -- full sub-processor list public on our trust page, with 30-day advance notice of changes.

NEWNow live in ChatGPT — drive hiring from any LLMSee how

Trust & security

Built for compliance from day one.

SOC 2 Type II, with HIPAA BAA available on request. Single-tenant deployment available for enterprise customers in US, EU, UK, and APAC.

Download our trust brief

Certifications & compliance

Every framework that matters to your legal team.

🛡

SOC 2 Type II

Annual audit by an independent CPA firm. Report available under NDA.

🇪🇺

GDPR

EU-data-residency, full DPA, candidate data subject rights portal.

🇺🇸

CCPA

California consumer privacy compliant. Candidate portal for requests.

🤖

EU AI Act

Designed to meet high-risk AI system requirements. Conformity statement available.

⚖

NYC LL144

Annual bias audit conducted by independent auditor. Audit summary public.

⚕

HIPAA BAA

BAAs available for healthcare customers. PHI redaction in transit.

Infrastructure

Single-tenant deployment, anywhere.

Enterprise customers can deploy RightMatch in their own AWS, GCP, or Azure tenancy in US, EU, UK, or APAC. Your data, your encryption keys, your retention policy.

Encrypted in transit (TLS 1.3) and at rest (AES-256)

Customer-managed encryption keys via AWS KMS / Azure Key Vault

99.95% uptime SLA with credits for enterprise

SAML SSO + SCIM provisioning + IP allowlists

Per-customer model-version pinning for AI traceability

Quarterly third-party penetration testing

US East

us-east-1

US West

us-west-2

Frankfurt

eu-central-1

London

eu-west-2

Singapore

ap-southeast-1

Sydney

ap-southeast-2

Customer security controls

You're in control of every flow.

🔑

Customer-managed keys

Bring your own KMS / Key Vault. Rotate, revoke, and audit access independent of RightMatch.

🚪

SSO + SCIM

SAML 2.0 / OIDC SSO with Okta, Azure AD, Google Workspace, JumpCloud, OneLogin. SCIM auto-provisioning.

🧾

Audit log export

Every action -- recruiter, AI, system -- timestamped and exportable. Stream to Splunk, Datadog, or your SIEM of choice.

📡

IP allowlists

Restrict API + UI access to your corporate IP ranges. Per-environment and per-role.

🧬

Data residency

Pin a workspace to US, EU, UK, or APAC. Data never leaves your chosen region.

📜

Per-customer DPA

EU + UK standard contractual clauses, retention windows, deletion SLA -- all configurable.

Trust · FAQ

Common compliance & security questions.

Yes. We have a standard DPA pre-approved by 200+ enterprise legal teams, and we can negotiate around your MSA. Median enterprise legal review: 4-6 weeks.

Find your Right match.

Start free. Connect your ATS in two clicks — or talk to your LLM. Hire your next teammate before the end of the month.

Try it for free Book a demo

Try it for free