Our customers trust us with their sensitive data, and we take keeping it safe seriously.
This article serves as an overview of security practices on Greenhouse and can help to address questions you may have about data security or the processes we employ to maintain and grow the hiring software.
Product
How does Greenhouse protect user accounts from invalid logins?
All passwords are stored as a salted BCrypt hash with a large work factor that is not susceptible to offline brute-force attacks.
To protect users from online brute force attacks we have user-specific lockouts and rate-limiting in place. We have additional controls to reduce the effects of credential stuffing attacks by performing IP-based rate-limiting and blocking if an IP address is found to have too many failed login attempts against our services.
Does Greenhouse support single sign-on?
Yes, Greenhouse supports SAML 2.0-based single sign-on and Google Login.
Read more here: Single sign-on overview.
Does Greenhouse verify user email addresses?
Yes. We verify all email addresses of Greenhouse Recruiting users by sending a verification email upon registration. The user will not have access to the hiring software until they have clicked the verification link.
Read more here: Add email address to personal user account.
Is user activity in Greenhouse tracked for auditing purposes?
Most user activity is tracked in Greenhouse Recruiting. There are two places where you can see a list of actions performed by users:
- on a candidate's Activity Feed;
- on the organization-level Change Log (where we log user permissions changes, configuration edits, job application updates, etc.).
Additionally, Expert tier customers can purchase the audit log add-on for additional records of important user activity.
How does Greenhouse Technical Support access our account data?
Greenhouse has an internal application that allows a carefully restricted subset of employees to log in as any user if granted access by the customer. This functionality is only used for Technical Support and Professional Services.
Read more here: Grant Greenhouse Technical Support team temporary account access.
Every one of these logins are recorded in an easily accessible audit log. All users with this level of access must have received manager approval, completed a background check, and signed our production data access policy. Access to this internal dashboard is protected behind Greenhouse's Single Sign-On (SSO) and device certificates.
Does Greenhouse scan files uploaded during the candidate application submission?
All documents received from public users (such as resumes, cover letters, portfolios, and take home tests) are scanned for potential malware. Greenhouse Recruiting will warn the user if any document was flagged as malicious. Greenhouse Recruiting customers have the option to accept the risk and proceed to download the file.
All file attachments sent through Greenhouse Recruiting are scanned for malware. If an attachment is found to be malicious, Greenhouse will not submit the email until the attachment has been removed. This is done to ensure that we do not negatively impact Greenhouse's or our customer's email reputation.
Email security
How does Greenhouse send emails on behalf of our domain?
When Greenhouse Recruiting is configured to send emails on behalf of your organization, you must version authorize ownership of the domain address. This verification process is performed with our email sub-processor Mailgun by setting SPF, DKIM, MX, and CNAME records for your domain name.
By enabling these, the organization authorizes Greenhouse and our Mailgun account to send emails on behalf of organization emails without getting marked as spam. Greenhouse performs authorization checks within the application to ensure emails are only sent by authorized users. All email addresses added to the system must first undergo verification before we allow any emails to get sent. The email verification process is performed by sending a secure link to the added email address.
Read more here:
Note: This feature is not available in Greenhouse Onboarding.
Can we use our own SMTP servers instead of Mailgun?
For customers that do not want to use our Mailgun service, we provide the ability for all email to get sent using custom SMTP servers. Customers can provide Greenhouse with the hostname, port number, and login credentials to their SMTP server. Additionally, organizations will need to allowlist a set of IP addresses that we provide to allow us to connect to the SMTP server. Customer SMTP credentials are stored encrypted at the application server before being stored in our database. Access to these credentials is protected using the same security controls as all other secret data stored by our application.
Read more here: Custom SMTP.
Data
What confidential or personally identifiable information (PII) data do you collect?
As candidates apply, and prospects are entered by sourcers, various personally identifiable information (PII) is collected. PII stored within Greenhouse may include: full name, email address, phone number, social media usernames, gender, race, current/desired salary, offer data, answers to any custom questions you may ask in job applications, and notes taken by users during interviews.
How is data protected that is sent to and from the client?
HTTPS (SSL/TLS) is mandatory for in-app requests and job application form submissions. We also set the secure flag on the user session cookie to prevent session-hijacking attacks.
Is data encrypted at rest?
Greenhouse encrypts the database and S3 buckets at rest using Amazon Web Service's (AWS) Key Management System (KMS).
Can I securely delete my company's data from Greenhouse?
You are able to delete individual candidate records at any time. These are hard deletes from the production database. However, we do maintain database backups for 30 days which are not purged of deleted-candidate data. We also have 'versioning' enabled in S3, so any files deleted from S3 as a result of candidate deletion will remain as a historical version of the file for 30 days as well.
On the 31st day after the candidate record has been deleted, it will be completely purged from our systems. At the request of a departing organization, Greenhouse will delete the entire organization's tree of data from the production database, though the aforementioned remnants will still exist in our systems after an account-level deletion until the backups have expired.
Can we delete specific data, versus deleting all the data?
Yes. Most data that can be created in Greenhouse can be hard-deleted by users, with the caveats listed in the previous answer (regarding database backups and versioned S3 files).
How can I remove a user from Greenhouse Recruiting?
While it isn't possible to delete a user, Greenhouse Recruiting does allow for users to be deactivated (and re-enabled).
Read more here: Deactivate user.
If the user logs in with SSO, their SSO privileges must be deactivated from the SSO's dashboard in addition to the user account in Greenhouse Recruiting. At the request of an organization, we may be able to perform a hard delete on a user—however, we would encourage organizations against this practice, as any notes or scorecards created by that user will also be deleted if a user is hard deleted.
Does sensitive customer data ever leave the production environment?
Greenhouse has strict process controls regarding employee access to customer data. Personally identifiable information only persists in the production environment and in production database backups.
Does Greenhouse integrate with any third-party service providers?
Greenhouse has a very large number of integration partners.
Each of these integration partners has to be authorized by the customer in order to access any customer data. Customers choosing to use an integration must work with the integration partner to purchase their solution and activate the integration with Greenhouse.
Read more here: Greenhouse > integrations.
How do integration partners deal with their security?
For more details, please see the security page for any integration partner that you wish to connect to Greenhouse. Greenhouse does not claim responsibility for the security of our integration partners, and customers must do their own vetting of an integration partner's security before sharing their data.
Will third-parties have access to my data?
Greenhouse does not sell any customer data to any third-party. Only data that you explicitly authorize and send to a third-party (such as an HRIS integration or a job board posting) will ever leave Greenhouse. Greenhouse will only share customer data with our authorized sub-processors. A full list of Greenhouse's subprocessors is available on our marketing site. Read here
How does Greenhouse assess security vulnerabilities?
Greenhouse performs periodic white-box security and infrastructure audits with an outside penetration testing firm. We also run a bug bounty program through HackerOne and award bounties to security researchers who find any verifiable vulnerabilities.
Read more here: HackerOne > Greenhouse.
All accepted vulnerabilities on our bug bounty follow our typical vulnerability remediation guidelines for patching.
Under NDA, Greenhouse will share a customer letter written by the penetration testing firm that includes the scope of the assessment and the issue counts per vulnerability severity level that were identified during the assessment.
What is Greenhouse's policy for notifying customers about security incidents?
In the event of a significant security incident, notifications are made within the timeframe specified in your customer license agreement and are dependent upon the nature of the incident. We strive for transparency and clear communication, especially during security incidents. We will update you on the nature of the incident, what we are doing to resolve it, and an estimated resolution time.
What third-party security and privacy attestations does Greenhouse have?
Greenhouse undergoes annual SOC 1 Type 2, SOC 2 Type 2, ISO 27001:2013, and ISO 27701:2019 audits performed by a licensed CPA firm. The audits verified the proper design and effectiveness of our controls around security, confidentiality, and availability, and that our Privacy and Information Security Management System is designed and operating within the ISO 27001:2013 and ISO 27701:2019 standards respectively.
If you would like a copy of our SOC 1 Type 2, SOC 2 Type 2 report, or ISO 27001:2013/ISO 27701:2019 certification, please reach out to Greenhouse Technical Support through the Get help widget in Greenhouse Recruiting.
Is Greenhouse PCI-DSS compliant?
Greenhouse does accept credit card data within certain features on Greenhouse Recruiting. We utilize Recurly as our credit card processor and use their SDK to prevent credit card data from passing through any Greenhouse infrastructure. Recurly is PCI DSS Level 1 compliant, which is the highest level of PCI compliance. Greenhouse is only obligated to complete a PCI Self Assessment Questionnaire (SAQ) for compliance. Our PCI SAQ is available under NDA by contacting your sales or Customer Success Manager.
Infrastructure
How does Greenhouse host application infrastructure?
Physical infrastructure is run atop Amazon Web Services (AWS). Virtualized infrastructure runs within our AWS Virtual Private Cloud. All files (such as resumes and cover letters) are stored using Amazon S3 and are encrypted at rest.
Where is Greenhouse infrastructure hosted?
All physical infrastructure is U.S.-based. Our application is hosted in Amazon's US-East-1 region, with warm-standby infrastructure in the US-West-2 region for disaster recovery.
Greenhouse also provides customers the option to host their data on European-hosted AWS data centers. We utilize the EU-Central-1 region, with warm-standby infrastructure in the EU-West-1 region for disaster recovery.
Is access to Greenhouse infrastructure limited to authorized personnel?
All access to physical infrastructure is managed by AWS (Amazon Web Services) in accordance with their security policies.
Read more on AWS: AWS Compliance.
A very limited subset of users such as Service Reliability Engineers (SREs) or Production Engineering Support (Prod Support) is given this level of access to our production infrastructure. They require this level of access to troubleshoot and resolve production-level incidents. Access to our production infrastructure requires manager approval, completion of a background check, and the signing of our production data access agreement.
Which third-party services does Greenhouse use to support the application?
A list of our data sub-processors and details of the purpose of their processing is provided to customers as part of our Data Processing Agreement (DPA). Greenhouse performs annual security reviews on all of our data sub-processors to ensure they are maintaining their security program and data privacy posture. Greenhouse also requires all of our sub-processors to sign a Data Processing Agreement. Read more: Subprocessors in use, data processing addendum
Code base and testing
What is Greenhouse's change management process?
All requests for application or infrastructure changes are tracked and planned using our ticketing system. All code changes require a code review and approval by one additional engineer. All code changes are scanned for code quality and security issues as part of the code review process. All code changes are run through our extensive test suite to proactively identify issues prior to release. Greenhouse engineers are required to create test plans and test changes prior to releasing changes above a certain risk tier. Greenhouse utilizes feature flags to perform controlled releases for major application features.
How does Greenhouse test their changes?
Changes are always first tested within a non-production environment before being released to production. Major changes undergo testing and 'bake-in' periods to identify any issues before being promoted to production.