Security & deployment built for enterprise recruitment
Every customer runs on their own isolated infrastructure instance. Enterprise customers can deploy on-premise — candidate data never leaves their own infrastructure. Whitelabel branding, GDPR compliance, AES-256 encryption, and zero AI training on your data come standard. Used by HAYS at global enterprise scale.
Deployment options
FormaCV is not a generic shared-tenant SaaS. Every customer gets their own isolated instance, custom-onboarded by our team. Enterprise customers can take it further with whitelabel branding and on-premise deployment.
Isolated infrastructure instance per customer
Every FormaCV customer runs on their own isolated app instance. You can customize freely without affecting any other customer, and your data is segregated at the infrastructure level — not just the application level.
On-premise deployment for enterprise
For the most sensitive recruitment workflows, FormaCV can be deployed on-premise inside your own infrastructure. Candidate data never leaves your environment. This is how customers like HAYS handle data sovereignty for global enterprise recruitment.
Whitelabel option for enterprise
Enterprise customers can surface FormaCV under their own brand to internal recruiters or downstream clients — same product, your name, your domain, your visual identity.
Custom-integrated by the FormaCV team
Every customer is custom-onboarded — not dropped into a generic shared SaaS. Our team configures the integration, templates, and AI defaults to your specific workflow.
Data protection
Encryption at rest
AES-256 encryption applied to every stored CV, template, and account record.
Encryption in transit
TLS 1.3 across every API call, dashboard session, and sub-processor connection.
Hosting
Tier-1 cloud infrastructure (AWS / GCP) with regional isolation, or your own on-premise environment for enterprise.
Backups
Encrypted daily snapshots, retained 30 days, restorable on request. On-premise customers control their own backup strategy.
GDPR compliance
Lawful basis: legitimate interest (B2B contract with the recruitment agency)
Sub-processor list published and updated on request
Data Processing Agreement (DPA) auto-signed during onboarding
Right to erasure: customer-initiated deletion completes within 30 days
Data Protection Officer reachable at security@formacv.ai
On-premise customers retain full control of personal-data lifecycle within their own infrastructure
Data residency
Default region
EU (Frankfurt) for European customers; US (Virginia) for North American customers.
Choose your region
Pick a region per customer request — UK, EU, US, or APAC available on every plan.
On-premise
Enterprise customers can deploy FormaCV inside their own datacentre — no cloud region applies, data resides where you put it.
Data sovereignty
No cross-region replication unless explicitly enabled by your team.
AI training policy
We do not train AI models on customer CVs. This is contractually guaranteed in the Master Service Agreement.
LLM providers we use (OpenAI, Anthropic) are configured with zero-retention APIs — your CVs are not used for their training either.
On-premise deployments can pin LLM provider choice to providers with the strongest data-handling guarantees, including locally-hosted models for the most sensitive customers.
MCP-driven operations follow the same zero-training policy — no data leaves your isolated instance to train any model.
Retention
Active customers
CVs retained for 90 days after processing, then auto-deleted. Configurable on every plan.
Cancelled customers
Full data wiped within 30 days of cancellation.
Audit logs
Audit logs retained 12 months to satisfy security and compliance requirements. Included on every plan.
On-premise
Retention policy fully configurable — your team owns the lifecycle.
Access controls
Role-based access (admin, recruiter, viewer) on every plan
SSO/SAML on enterprise (Okta, Azure AD, Google Workspace)
2FA enforced on all admin accounts
Audit log of every CV access, edit, and download — included on every plan
MCP token scoping per user / branch / company for AI-driven operations
Compliance certifications
GDPR
Compliant — full DPA available, on-premise option for full data sovereignty
CCPA
Compliant — California consumer rights honored
SOC 2 Type II
In progress — target completion 2026
On-premise deployment
Available for enterprise — eliminates third-party data residency questions entirely
Sub-processors
For cloud customers, we engage trusted vendors to operate the service. Each is contractually bound to the same data-protection standards we apply ourselves. On-premise customers can pin or replace any of these per their own security requirements.
Sub-processor | Purpose                        | Region
AWS / GCP     | Hosting (cloud customers only) | EU / US / APAC
OpenAI        | LLM (zero-retention)           | US
Anthropic     | LLM (zero-retention)           | US
Stripe        | Payments                       | US (PCI-DSS)
Postmark      | Transactional email            | US
PostHog       | Product analytics              | EU
MCP & AI workflow security
FormaCV exposes a Model Context Protocol (MCP) server so recruitment teams can drive CV operations from their own AI infrastructure (Claude Desktop, Cursor, internal copilots). The same security model applies to MCP-driven operations.
MCP tokens are scoped per user, branch, or company; revoke at any time
Every MCP-driven operation is logged in the same audit log (included on every plan)
Zero AI training on data flowing through MCP — same contractual guarantee as the rest of the product
On-premise customers can run MCP-driven workflows entirely inside their own network boundary
Reporting a vulnerability
Email security@formacv.ai. We commit to a 24-hour acknowledgement and a 90-day responsible-disclosure window.
Security FAQ
How does the per-customer isolated infrastructure work?
Every FormaCV customer runs on their own isolated app instance — segregated at the infrastructure level, not just the application database. You can customise your app freely without affecting any other customer, and there is no shared compute or storage with other tenants.
Can FormaCV be deployed on-premise?
Yes — for enterprise customers. The full FormaCV stack is deployed inside your own infrastructure (cloud or on-premise datacentre), so candidate data never leaves your environment. This is how HAYS and other enterprise recruitment customers handle data sovereignty.
Is there a whitelabel option?
Yes — for enterprise customers. Surface FormaCV under your own brand, with your domain and visual identity, to internal recruiters or downstream clients.
Is FormaCV GDPR-compliant?
Yes. We process candidate data under the legitimate interest of the recruitment agency, sign DPAs automatically with all paid plans, and offer EU data residency by default for European customers. For full data sovereignty, enterprise customers can deploy on-premise.
Do you train AI models on my candidate data?
No. We never use customer CVs to train AI models. Our LLM providers also use zero-retention APIs, so your data is not used for their training either. MCP-driven operations follow the same policy.
Where is my data stored?
On the standard cloud product, EU (Frankfurt) by default for European customers; US (Virginia) by default for North American customers, with UK and APAC available on every plan. On-premise customers store data in their own infrastructure.
How quickly can I delete all my data?
Customer-initiated deletion completes within 30 days. Cancelled accounts are wiped within 30 days of cancellation. On-premise customers control their own deletion lifecycle.
Are you SOC 2 certified?
SOC 2 Type II is in progress with a target completion date in 2026. For customers where formal certification is a procurement requirement today, on-premise deployment offers an alternative path: data sovereignty by deployment topology rather than by external attestation.
Who else uses FormaCV at enterprise scale?
HAYS — the global recruitment enterprise — runs FormaCV at scale across their recruiter base. Reference customers across executive search, IT staffing, and high-volume staffing agencies are available on request.