Greenhouse security overview

We care about security

Our customers trust us with their sensitive data and we take keeping it safe seriously. Greenhouse is ISO 27001 certified and undergoes a SOC 2 Type 2 audit annually. Achieving both ISO 27001 and SOC 2 provides assurance, verified by third-party auditors, that Greenhouse has an effective security program — meaning your data is always protected.

View our ISO 27001 certificate

Our infrastructure

Greenhouse’s computing infrastructure is provided by Amazon Web Services, a secure cloud services platform. Amazon’s physical infrastructure has been accredited under ISO 27001, SOC 1/SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate and Sarbanes-Oxley.

We created a secure multi-tier network environment on top of Amazon’s infrastructure to make sure our applications and data are protected and always accessible. Access to our infrastructure is tightly controlled and monitored. In addition to strong security controls, we make sure that the data we collect remains available through full, daily backups, and is retained for 30 days and tested weekly.

Greenhouse complies with its obligations as a data processor under the GDPR – read this support article to learn more.


Our applications

We use secure coding practices and ensure we’re, at minimum, protected against the OWASP Top 10. All Greenhouse applications undergo frequent third-party security assessments to catch any missed security bugs. We even have a “bug bounty” program in which we pay hackers to responsibly report bugs they find in our applications.

The communication between your employees and our servers is encrypted with 128-bit SSL/TLS encryption. All user passwords are securely hashed; passwords are never stored in plain text. All data access is protected by a role-based access-control mechanism, which only lets users view data for which they have permission. It’s impossible for users to view data from organizations other than their own.


Our internal processes

Only authorized employees have access to our production infrastructure, and that access requires strong authentication. We limit access to customer data to the employees who need it to provide support and troubleshooting on the customer’s behalf. Accessing customer data is done solely on an as-needed basis, and only when approved by the customer (e.g. as part of a support request), or to provide proactive support and maintenance.