Security & Performance

Our approach

Security is a big deal to us at Greenhouse. Our customers entrust a lot of sensitive data to our care and we need to do our best to keep it secure. We have taken security very seriously from the beginning and the mission of keeping Greenhouse secure is the responsibility of our whole company.

Our infrastructure

Greenhouse's computing infrastructure is provided by Amazon Web Services, a secure cloud services platform. Amazon’s physical infrastructure has been accredited under ISO 27001, SOC 1/SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley.


We have architected a secure multi-tier network environment on top of Amazon’s infrastructure to ensure that our applications and data are protected and always accessible. Access to our infrastructure is tightly controlled and monitored. In addition to strong security controls, Greenhouse ensures that the data it collects remains available through full, daily backups, retained for 30 days and tested weekly.

Our applications

We employ secure coding practices and ensure we’re protected, at a minimum, against the OWASP Top 10. All of the Greenhouse applications undergo frequent third-party white-box security assessments to catch any security bugs we may have missed. We even have a “bug bounty” program where we pay hackers to responsibly report bugs they find in our applications.

The communication between your employees and our servers is encrypted with 128-bit SSL encryption. All user passwords are securely hashed; passwords are never stored in plain text. All data access is protected by a role-based access-control mechanism, which only lets users view data for which they have permission. It’s impossible for users to view data from organizations other than their own.

Our internal processes

Only authorized employees have access to our production infrastructure, and passwords are strictly regulated. We limit access to customer data to the employees who need it to provide support and troubleshooting on our customers' behalf. Accessing customer data is done solely on an as-needed basis, and only when approved by the customer (i.e. as part of a support request), or to provide support and maintenance.

Our promise

Why take our word for it? We received our SOC 2 Type 2 audit report assuring that our controls relating to security, availability, and confidentiality are well designed and operating effectively.

 

If you’re interested in using Greenhouse and have more questions about our security, we would love to share more. Just drop us a line!