Enterprise-grade security. Trusted by global talent teams.
ERIN is built for the security, privacy, and compliance requirements of the world's largest employers. SOC 2 Type II audited, GDPR compliant, and engineered around least-privilege access, encryption everywhere, and full auditability.
Independently audited. Continuously monitored.
ERIN's security program is mapped to the frameworks enterprise legal, privacy, and security teams require, and validated by independent auditors and penetration testers each year.
Independently audited against the AICPA Trust Services Criteria for Security, Availability, and Confidentiality. Annual Type II reports available under NDA.
Full GDPR alignment for EU and UK data subjects, Data Processing Addendum (DPA), Standard Contractual Clauses (SCCs), subject access workflows, and EU data residency.
California Consumer Privacy Act and CPRA aligned. Configurable retention, deletion, and disclosure workflows for covered consumers.
Information security management aligned to ISO/IEC 27001 controls, formal policies, risk register, and continuous monitoring.
Configurable controls and BAAs available for customers operating in healthcare. Minimum-necessary access and audit logging by default.
Audit-grade referral, source, and disposition tracking to support EEO-1 reporting and OFCCP compliance obligations.
Defense in depth, built into every layer.
TLS 1.2+ in transit. AES-256 at rest. Customer data is isolated per tenant, and secrets are envelope-encrypted with keys managed in AWS KMS.
SAML 2.0 single sign-on with Okta, Azure AD / Entra ID, Ping, OneLogin, and any SAML IdP. SCIM 2.0 provisioning keeps users and roles in sync automatically.
Granular RBAC with least-privilege defaults. Scoped permissions by business unit, region, and role family, enforced server-side, not by UI.
Every referral, approval, status change, payout, and admin action is logged with actor, timestamp, and policy version. Exportable for legal, finance, and security review.
Hosted on AWS in multi-AZ configurations with automated backups, point-in-time recovery, and a documented disaster recovery plan with tested RTO/RPO targets.
Choose where your data lives. EU-resident hosting available for customers operating under GDPR and EU data sovereignty requirements.
OAuth 2.0 and signed webhooks for ATS, HRIS, and payroll integrations. Scoped API tokens, IP allowlisting, and request signing on every connector.
Continuous static and dynamic application security testing, dependency scanning, and annual third-party penetration tests. Findings tracked to closure with SLAs.
24/7 on-call security rotation. Documented incident response playbook with severity-based escalation, customer notification commitments, and post-incident reviews.
Built for global privacy law.
ERIN acts as a data processor on behalf of our customers. We give you the contracts, controls, and workflows to meet GDPR, UK GDPR, CCPA/CPRA, and country-specific requirements, without slowing your recruiting program down.
GDPR-compliant DPA with SCCs available to all customers, signed at order or upon request.
Current subprocessor list maintained and disclosed. Customers are notified in advance of material changes.
Access, rectification, deletion, portability, and restriction requests handled within statutory timelines.
Tenant-level retention policies for candidate, employee, and audit data, set to match your records-management program.
Only the fields required to run referrals, sourcing, and recruitment marketing are collected. Optional fields are clearly labeled.
Hard-delete workflows remove personal data from production systems; deleted records age out of backups on documented schedules.
A security program, not a checkbox.
- Background checks and confidentiality agreements for all personnel
- Annual security and privacy awareness training, with role-based deep dives for engineering and support
- Mandatory MFA on all internal systems and code repositories
- Secure SDLC with peer code review, automated testing, and signed deploys
- Production access restricted to a small on-call team via just-in-time, audited elevation
- Endpoint management, disk encryption, and EDR on every company device
- Vendor risk reviews before onboarding any subprocessor that touches customer data
- Annual third-party penetration test and continuous bug-bounty intake
Answers for security, legal, and procurement teams.
Yes. ERIN maintains an annual SOC 2 Type II report covering the Security, Availability, and Confidentiality Trust Services Criteria. The report is available to current and prospective customers under NDA; contact security@erinapp.com to request a copy.
Yes. ERIN offers a GDPR-compliant Data Processing Addendum with Standard Contractual Clauses, supports EU data residency, fulfills data subject access requests within statutory timelines, and maintains a published subprocessor list. We act as a data processor on behalf of our customers, who remain the controller of their employee and candidate data.
ERIN is hosted on AWS in hardened, multi-availability-zone configurations. EU-resident hosting is available for customers with data residency requirements. All data is encrypted in transit (TLS 1.2+) and at rest (AES-256).
Yes. ERIN supports SAML 2.0 single sign-on with any compliant identity provider, including Okta, Microsoft Entra ID (Azure AD), Ping, and OneLogin, plus SCIM 2.0 for automated user and role provisioning and deprovisioning.
Every action (referral, approval, status change, payout, integration sync, and admin change) is logged with actor, timestamp, IP, and policy version. Logs are tamper-evident, retained per customer policy, and exportable for legal, finance, and security review.
All ATS, HRIS, and payroll integrations use OAuth 2.0 or scoped API tokens with least-privilege scopes. Webhooks are signed, customers can configure IP allowlists, and credentials are stored in an envelope-encrypted secrets store.
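The signed-webhook check described above, as an added example that is not ERIN's code: ERIN's actual header names and signing format are not documented on this page, so the scheme here (a Unix timestamp header plus a hex HMAC-SHA256 of "timestamp.body" under a shared secret) is an assumption, as is the sample event payload. The point it shows beyond the prose is the three checks a receiver needs, signature over the raw bytes, constant-time comparison, and a replay window on the timestamp.

```python
"""Verify an HMAC-signed webhook delivery (added example; not ERIN's code).

Assumed scheme (not documented on the page): the sender puts a Unix
timestamp in X-Webhook-Timestamp and a hex HMAC-SHA256 of
"<timestamp>.<raw body>" in X-Webhook-Signature, computed with a shared
secret. Header names and the signed-string format are assumptions.
"""
import hashlib
import hmac
import json
import time
from typing import Optional

SIGNATURE_HEADER = "X-Webhook-Signature"   # assumed header name
TIMESTAMP_HEADER = "X-Webhook-Timestamp"   # assumed header name
MAX_SKEW_SECONDS = 300                     # replay window; tune to your risk appetite


def compute_signature(secret: bytes, timestamp: str, body: bytes) -> str:
    """HMAC-SHA256 over the timestamp and the *raw* body bytes.

    Signing the raw bytes (not re-serialised JSON) matters: re-encoding on
    the receiving side changes whitespace or key order and breaks verification.
    """
    signed = timestamp.encode("ascii") + b"." + body
    return hmac.new(secret, signed, hashlib.sha256).hexdigest()


def verify_webhook(secret: bytes, headers: dict, body: bytes,
                   now: Optional[float] = None) -> bool:
    """Return True only if the signature is valid and the delivery is fresh.

    Rejects missing headers, non-numeric timestamps, deliveries outside the
    replay window, and signatures that do not match. The comparison uses
    hmac.compare_digest so a mismatch does not leak timing information.
    """
    sig = headers.get(SIGNATURE_HEADER)
    ts = headers.get(TIMESTAMP_HEADER)
    if not sig or not ts:
        return False
    try:
        sent_at = int(ts)
    except ValueError:
        return False
    now = time.time() if now is None else now
    if abs(now - sent_at) > MAX_SKEW_SECONDS:
        return False
    expected = compute_signature(secret, ts, body)
    try:
        return hmac.compare_digest(expected, sig)
    except TypeError:  # non-ASCII garbage in the signature header
        return False


def build_delivery(secret: bytes, event: dict, sent_at: int) -> tuple:
    """Sender side: serialise the event once and sign exactly those bytes."""
    body = json.dumps(event, separators=(",", ":")).encode("utf-8")
    ts = str(sent_at)
    headers = {TIMESTAMP_HEADER: ts,
               SIGNATURE_HEADER: compute_signature(secret, ts, body)}
    return headers, body


if __name__ == "__main__":
    # Constructed sample: a referral status-change event (not a real ERIN payload).
    secret = b"whsec_example_shared_secret"
    event = {"type": "referral.status_changed", "referral_id": "ref_123",
             "status": "hired"}
    headers, body = build_delivery(secret, event, sent_at=1_700_000_000)

    print(verify_webhook(secret, headers, body, now=1_700_000_010))         # True
    print(verify_webhook(secret, headers, body + b" ", now=1_700_000_010))  # False: body tampered
    print(verify_webhook(secret, headers, body, now=1_700_001_000))         # False: replayed too late
```

Two design notes: the receiver must read the request body as bytes before any JSON parsing, because the signature covers the wire bytes; and the replay window only bounds how long a captured delivery can be resent, so idempotent handling keyed on an event ID is still needed for deliveries replayed inside the window.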
Yes. ERIN engages an independent third party for an annual application and infrastructure penetration test, runs continuous SAST, DAST, and software composition analysis, and tracks findings to closure with documented SLAs.
ERIN maintains a documented incident response plan with 24/7 on-call coverage, severity-based escalation, customer notification commitments aligned to contractual and regulatory obligations, and formal post-incident reviews.
Yes. ERIN maintains a security review package (SOC 2 Type II report, penetration test summary, security questionnaire responses, DPA, subprocessor list, and architecture overview), available to qualified prospects and customers under NDA.
Need our SOC 2 report, DPA, or pen test summary?
Our security team responds to enterprise questionnaires, due diligence reviews, and architecture deep dives. Most security packages are returned within two business days.
