Security & compliance built for enterprise recruitment
Your candidate data is privileged. We process it under GDPR, never use it to train AI, and give you full control over retention, residency, and access.
Data protection
Encryption at rest
AES-256 encryption applied to every stored CV, template, and account record.
Encryption in transit
TLS 1.3 across every API call, dashboard session, and sub-processor connection.
Hosting
Hosted on tier-1 cloud infrastructure (AWS / GCP) with regional isolation.
Backups
Encrypted daily snapshots, retained 30 days, restorable on request.
GDPR compliance
Lawful basis: legitimate interest (B2B contract with the recruitment agency)
Sub-processor list published and updated on request
Data Processing Agreement (DPA) auto-signed during signup for Agency and Enterprise plans
Right to erasure: customer-initiated deletion completes within 30 days
Data Protection Officer reachable at security@formacv.ai
Data residency
Default region
EU (Frankfurt) for European customers; US (Virginia) for North American customers.
Enterprise choice
Pick a region per customer request — UK, EU, US, or APAC available.
Data sovereignty
No cross-region replication unless explicitly enabled by your team.
AI training policy
We do not train AI models on customer CVs. This is contractually guaranteed in the Master Service Agreement.
LLM providers we use (OpenAI, Anthropic) are configured with zero-retention APIs — your CVs are not used for their training either.
Retention
Active customers
CVs retained for 90 days after processing, then auto-deleted. Configurable on Agency and Enterprise plans.
Cancelled customers
Full data wiped within 30 days of cancellation.
Audit logs
Audit logs retained 12 months to satisfy security and compliance requirements.
Access controls
Role-based access (admin, recruiter, viewer) on Team and above
SSO/SAML on Enterprise (Okta, Azure AD, Google Workspace)
2FA enforced on all admin accounts
Audit log of every CV access and download (Agency and above)
Compliance certifications
GDPR
Compliant — full DPA available
CCPA
Compliant — California consumer rights honored
SOC 2 Type II
In progress — target completion 2026
ISO 27001
On roadmap — assessment phase 2026
Sub-processors
We engage trusted vendors to operate the service. Each is contractually bound to the same data-protection standards we apply ourselves.
Sub-processor   Purpose                Region
AWS / GCP       Hosting                EU / US
OpenAI          LLM (zero-retention)   US
Anthropic       LLM (zero-retention)   US
Stripe          Payments               US (PCI-DSS)
Postmark        Transactional email    US
PostHog         Product analytics      EU
Reporting a vulnerability
Email security@formacv.ai. We commit to a 24-hour acknowledgement and a 90-day responsible-disclosure window.
Security FAQ
Is FormaCV GDPR-compliant?
Yes. We process candidate data under the legitimate interest of the recruitment agency, sign DPAs automatically with all paid plans, and offer EU data residency by default for European customers.
Do you train AI models on my candidate data?
No. We never use customer CVs to train AI models. Our LLM providers also use zero-retention APIs, so your data is not used for their training either.
Where is my data stored?
EU (Frankfurt) by default for European customers; US (Virginia) by default for North American customers. Enterprise customers can pick any region.
How quickly can I delete all my data?
Customer-initiated deletion completes within 30 days. Cancelled accounts are wiped within 30 days of cancellation.
Are you SOC 2 certified?
SOC 2 Type II is in progress with a target completion date in 2026. ISO 27001 is on the roadmap with an assessment phase planned for 2026. We are happy to share our current security questionnaire and roadmap on request.