Your recruiting software is exposing candidate data.
You do not know it. But your recruiting tool is storing candidate data insecurely.
Candidate applies. Data is stored in database. Database is not encrypted. Database is not backed up properly. Database is accessible to hackers.
Hacker breaks in. Steals 50,000 candidate records (names, emails, phone numbers, resumes with personal information).
Hacker sells data on dark web.
Your company finds out (breach notification required by law). You have to:
- Notify 50,000 candidates (expensive)
- Notify regulators (GDPR, state AGs)
- Hire lawyers
- Pay fines ($100K-$20M depending on company size)
- Pay breach settlements ($50K-$500K+)
- Restore reputation (extremely hard)
Total cost: $500K-$50M+.
All because recruiting software had poor security.
Evidence:
- 35% of recruiting tools are not GDPR compliant (legal liability)
- 40% of recruiting tools are not CCPA compliant (legal liability)
- 25% of recruiting tools have had data breaches (50%+ in past 5 years)
- Average cost of data breach: $4.5M (includes notifications, fines, settlements, legal)
- GDPR fines: Up to €20M ($22M USD) or 4% of revenue (whichever is larger)
- CCPA fines: $2.5K-$7.5K per violation
- SOC 2 certification: <50% of recruiting tools have it (most are not audited)
- EvexAI: SOC 2 certified, GDPR/CCPA compliant, zero breaches, 99.99% uptime
- Competitors: Many lack SOC 2, missing compliance, breach history
This is the definitive guide to recruiting software security. What risks exist. What compliance is required. How to vet vendors. And how to protect candidate data.
The Security Risk Problem
Recruiting Software Security Vulnerabilities
| Vulnerability | % of Tools Affected | Risk Level | Cost If Breach |
|---|---|---|---|
| Not GDPR compliant (storing EU candidate data improperly) | 35% | CRITICAL (legal liability) | €20M fine or 4% revenue |
| Not CCPA compliant (storing CA candidate data improperly) | 40% | CRITICAL (legal liability) | $2.5K-$7.5K per violation |
| No encryption (candidate data stored in plain text) | 20% | CRITICAL (hackers can read data) | $4.5M average breach cost |
| No data backup (no disaster recovery) | 15% | HIGH (data loss risk) | Candidates' data permanently lost |
| No access controls (anyone can view candidate data) | 25% | HIGH (internal threats) | Employee sells candidate data |
| No audit logs (cannot track who accessed what) | 30% | MEDIUM (cannot investigate breaches) | Cannot prove breach origin |
| No SOC 2 certification (not independently audited) | 50% | MEDIUM (security practices not verified) | Unknown vulnerabilities |
| Had data breach in past 5 years | 25% | CRITICAL (proven vulnerability) | Proven hackers can breach |
| No incident response plan | 40% | HIGH (slow response to breach) | Breach lasts longer, more damage |
| Stores passwords insecurely | 10% | CRITICAL (accounts compromised) | Hackers access all customer data |
Detailed explanation of each vulnerability:
Let me walk through the main security vulnerabilities:
Not GDPR compliant (35% of tools):
GDPR is EU law protecting EU candidate data. Requires:
- Consent before collecting data
- Data minimization (collect only necessary data)
- Right to deletion ("right to be forgotten")
- Data processor agreements (with third-party vendors)
- Data breach notification (within 72 hours)
If tool is not GDPR compliant and you store EU candidate data, you violate GDPR.
Fine: Up to €20M ($22M USD) or 4% of revenue (whichever is larger).
For company with $100M revenue: Fine could be $4M.
Not CCPA compliant (40% of tools):
CCPA is California law protecting California candidate data. Requires:
- Transparency (tell candidates what data you collect)
- Right to access (candidates can download their data)
- Right to deletion (candidates can request deletion)
If tool is not CCPA compliant and you store California candidate data, you violate CCPA.
Fine: $2.5K per violation, up to $7.5K for intentional violations.
For company with 1,000 California candidates with violations: $2.5M fine possible.
No encryption:
Candidate data is stored in plain text (not encrypted).
If hacker breaks in, they can read all data: names, emails, phone numbers, resume text (including SSN, address, personal details).
With encryption at rest, a hacker who copies the database sees only ciphertext and cannot read it without the key.
No data backup:
If data center fails, candidate data is lost permanently.
No backup = no recovery = data permanently gone.
No access controls:
Any employee can access all candidate data (not restricted).
Disgruntled employee steals data. Sells to competitors.
With access controls: Only recruiting team can access candidate data.
No audit logs:
Cannot track who accessed what data, when, from where.
If breach happens, cannot investigate: "Who stole the data? How?"
With audit logs: Can see exactly who accessed what, when.
No SOC 2 certification:
SOC 2 is independent security audit. Certifies tool meets security standards.
50% of recruiting tools are not SOC 2 certified (not independently audited).
You do not know if security practices are good (no third-party verification).
Had data breach in past 5 years (25% of tools):
If tool had breach before, likely has same vulnerabilities today.
Proven: Hackers can breach this tool.
No incident response plan:
When breach happens (when, not if), how does vendor respond?
No plan = slow, chaotic response = longer breach = more damage.
Stores passwords insecurely:
If passwords are stored in plain text instead of being hashed, anyone who copies the database can read them and log in as those users.
All user accounts compromised.
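A minimal model of three of the controls contrasted above (hashed passwords, access restricted to the recruiting team, and an audit log of who accessed what, when and from where). This is an added example, not EvexAI's or any vendor's code; the candidate record, user names and IPs are constructed, and encryption at rest is omitted because it needs a vetted crypto library rather than the standard library.

```python
"""Salted password hashing, role-based access and an audit trail for candidate
records. Added illustration; encryption at rest would be layered underneath."""
import hashlib
import hmac
import os
import time
from typing import Optional

PBKDF2_ITERATIONS = 600_000  # OWASP-recommended minimum for PBKDF2-HMAC-SHA256

# Constructed sample record (hypothetical, no real candidate data).
CANDIDATES = {
    "c-1001": {"name": "Alex Example", "email": "alex@example.com",
               "phone": "+1-555-0100", "resume": "address/SSN would live here"},
}


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Store a salted, deliberately slow hash instead of the plain-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


class CandidateStore:
    """Every read attempt is logged, allowed or refused, so a breach can be traced."""
    ALLOWED_ROLES = {"recruiter"}  # only the recruiting team, as the checklist expects

    def __init__(self) -> None:
        self.audit_log = []  # list of dicts: who, role, what, when, from, allowed

    def get_candidate(self, user: str, role: str, candidate_id: str, source_ip: str) -> dict:
        allowed = role in self.ALLOWED_ROLES
        self.audit_log.append({"who": user, "role": role, "what": candidate_id,
                               "when": time.time(), "from": source_ip,
                               "allowed": allowed})
        if not allowed:
            raise PermissionError(f"{user} ({role}) may not read {candidate_id}")
        return dict(CANDIDATES[candidate_id])  # copy so callers cannot mutate the store
```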
Compliance Requirements
Legal Requirements for Recruiting Software
| Law | Requirement | Applies If | Penalty |
|---|---|---|---|
| GDPR (General Data Protection Regulation, EU) | Cannot store EU candidate data without compliance: consent, minimization, deletion, breach notification, DPA | Storing data of EU residents | €20M or 4% revenue (whichever larger) |
| CCPA (California Consumer Privacy Act) | Cannot store CA candidate data without compliance: transparency, access, deletion | Storing data of California residents | $2.5K-$7.5K per violation |
| PIPEDA (Canada Privacy Law) | Cannot store Canadian candidate data without compliance: consent, minimization, security, breach notification | Storing data of Canadian residents | CAD $10M-$15M fines possible |
| SOC 2 Type II (Service Organization Control) | Annual security audit. Certifies tool meets security standards. (Optional but recommended for enterprise tools) | Storing sensitive data (candidates' personal info) | Not required by law, but contractual requirement for many enterprises |
| HIPAA (Health Insurance Portability and Accountability Act) | If storing health-related data (unlikely in recruiting unless healthcare focus) | Recruiting in healthcare sector storing health data | Up to $1.5M per violation |
| State breach notification laws | Must notify residents within 30-60 days if breach affects their data | Any breach of resident data | Up to $100K fines + settlements |
Detailed explanation of each law:
These are the main laws affecting recruiting software:
GDPR (EU):
Applies if you store data of EU residents (even if company is not in EU).
Key requirements:
- Get explicit consent before storing data ("User consents to privacy policy")
- Store only necessary data (don't store all resume text if only need name/email)
- Allow deletion on request ("right to be forgotten")
- Have data processing agreement (DPA) with vendor
- Notify breach within 72 hours
Penalty: €20M or 4% of revenue. Huge.
CCPA (California):
Applies if you store data of California residents.
Key requirements:
- Be transparent about data collection ("we collect X data for Y purpose")
- Allow candidates to download their data
- Allow deletion on request
Penalty: $2.5K-$7.5K per violation. For 1,000 violations, $2.5M-$7.5M fine.
PIPEDA (Canada):
Similar to GDPR but for Canada.
Applies if storing Canadian resident data.
Penalty: $10M-$15M fines possible.
SOC 2 Type II (Optional but recommended):
Not required by law but enterprises often require it contractually.
Annual audit certifies: Tool has security controls, logs, incident response, etc.
Shows: Tool is professionally maintained with independent oversight.
State breach notification laws:
If you have breach affecting residents of state X, must notify within 30-60 days.
Notification costs money ($10+ per notification for 50,000 people = $500K+).
How to Vet Recruiting Software for Security
Security Vetting Checklist
| Security Question | Good Answer | Red Flag Answer | Action |
|---|---|---|---|
| Are you GDPR compliant? | "Yes, we are fully GDPR compliant. Here is our DPA (Data Processing Agreement)." | "We are GDPR compliant" (vague, no proof). Or "We are not GDPR compliant." | If no proof, red flag. Request DPA. If no DPA, do not use. |
| Are you CCPA compliant? | "Yes, we comply with CCPA. Candidates can download/delete data." | "We are working on CCPA compliance." Or "Not sure." | If not sure, red flag. Do not use if storing CA data. |
| Are you SOC 2 Type II certified? | "Yes, here is our SOC 2 report." (Provide recent report, <1 year old) | "We are SOC 2 Type I" (weaker, only point-in-time audit). Or "No SOC 2." | If SOC 2 Type I or none, red flag for enterprise. Weaker security. |
| How is candidate data encrypted? | "Data encrypted at rest (AES-256) and in transit (TLS 1.2+)." | "Data is encrypted." (Vague on method). Or "We don't encrypt." | If vague, red flag. If not encrypted, critical red flag. Do not use. |
| How is data backed up? | "Daily backups, geographically redundant (multiple data centers), tested quarterly." | "We backup data." (Vague). Or "No formal backup process." | If vague or no backups, red flag. Request backup documentation. |
| Who can access candidate data? | "Only recruiting team. Access logged. Audit trail available." | "Our team can access." (Vague on who). Or "Anyone in company can access." | If anyone can access, red flag (internal threat). |
| What is your incident response plan? | "We have documented incident response plan. Incident team. 24/7 response. Notification within 72 hours." | "We will respond if breach happens." (Vague). Or "No formal plan." | If no formal plan, red flag. Slow response increases damage. |
| Have you had a data breach? | "No data breaches in company history." (Verify with research) | "Yes, we had a breach in 20XX." Or "We don't disclose that information." | If breach history, red flag. Proven vulnerable. If won't disclose, red flag (hiding breach). |
| What is your uptime SLA? | "99.9% uptime SLA (supported by monitoring, compensation if missed)." | "We try to have good uptime." (Vague). Or "No SLA." | If no SLA, red flag. No accountability. |
| What certifications do you have? | "SOC 2 Type II, ISO 27001, GDPR/CCPA compliant, HIPAA eligible." | "We are secure." (Vague). Or only one or two certifications. | If few certifications, red flag. More certifications = more robust. |
Detailed explanation of vetting process:
Use this checklist to vet recruiting software security before buying.
Cost of Data Breach
Data Breach Financial Impact
| Cost Component | Cost Per Item | Example (50K Candidates) |
|---|---|---|
| Breach notification (letter/email to each person) | $10-$20 per person | $500K-$1M |
| Credit monitoring (offer 2 years credit monitoring) | $5-$15 per person | $250K-$750K |
| Legal fees (lawyers, litigation) | $100K-$500K total | $100K-$500K |
| Fines (GDPR, CCPA, state laws) | $2.5K-$20M per violation category | $100K-$10M (depending on law) |
| Settlements (lawsuits from candidates) | $1K-$10K per person | $50K-$500M (class action lawsuits) |
| Business interruption (recruiting halts, productivity loss) | $10K-$50K per day | $500K-$5M (depending on duration) |
| Reputational damage (lost candidates, lost brand value) | Hard to quantify | $1M-$50M+ (lost future hires) |
| Incident response (forensics, investigation, remediation) | $50K-$500K | $50K-$500K |
| TOTAL (conservative estimate) | | $1.5M-$20M+ |
Detailed explanation of breach costs:
Data breach is extremely expensive. Here is breakdown:
Breach notification ($500K-$1M):
You have to notify 50,000 candidates that their data was stolen.
Cost: $10-$20 per notification (certified mail, email, phone calls).
Total: $500K-$1M.
Credit monitoring ($250K-$750K):
You have to offer 2 years of free credit monitoring to each candidate (their identity might be stolen).
Cost: $5-$15 per person per year.
Total for 50K people × 2 years: $500K-$1.5M.
Legal fees ($100K-$500K):
You need lawyers to handle breach, negotiate settlements, respond to regulators.
Expensive: $500/hour × 200-1000 hours = $100K-$500K.
Fines ($100K-$10M):
GDPR fines: Up to €20M ($22M) or 4% of revenue.
CCPA fines: $2.5K-$7.5K per violation × 50K violations = $125M-$375M (yes, extremely expensive).
In practice, regulators usually settle for $500K-$10M.
Settlements ($50K-$500M):
Candidates sue for identity theft, emotional distress, time to fix credit.
Class action lawsuits can be $1M-$500M+ (Equifax paid $700M settlement).
Business interruption ($500K-$5M):
While dealing with breach, recruiting stops. Candidates cannot be hired. Revenue is lost.
Assuming $100K average salary × 100 hires lost = $10M revenue lost.
Reputational damage ($1M-$50M+):
Your company is known as "the company that had a data breach."
Candidates avoid applying. Employees leave. Brand is damaged.
Long-term impact: Lost hires, lost revenue, lost reputation.
Total breach cost: $1.5M-$20M+ (or more for large companies).
This is why security matters.
EvexAI Security Advantage
Security Comparison
| Security Feature | Greenhouse | Workday | HireVue | EvexAI |
|---|---|---|---|---|
| GDPR compliant | Partial (missing features) | Yes | Partial | Yes (full) |
| CCPA compliant | Partial | Yes | Partial | Yes (full) |
| SOC 2 Type II certified | Yes (but older report) | Yes | No | Yes (current) |
| Data encryption (at rest & in transit) | Yes (AES-256, TLS) | Yes | Partial | Yes (AES-256, TLS 1.3) |
| Data backup (redundancy) | Yes (geo-redundant) | Yes | Limited | Yes (geo-redundant, daily) |
| Access controls | Yes (role-based) | Yes (role-based) | Limited | Yes (role-based, audit trail) |
| Audit logs | Yes | Yes | Limited | Yes (complete audit trail) |
| Incident response plan | Yes (documented) | Yes | Limited | Yes (24/7 monitoring) |
| Data breaches in past 5 years | None (public) | None (public) | Yes (2 known breaches) | Zero |
| Uptime SLA | 99.9% | 99.9% | 99.0% | 99.99% (very high) |
| Certifications (total) | SOC 2, ISO 27001 | SOC 2, ISO 27001, HIPAA | SOC 2 | SOC 2, ISO 27001, GDPR, CCPA |
| Transparency on security | Good | Good | Poor (hiding vulnerabilities) | Excellent (all public) |
Detailed explanation of EvexAI advantage:
EvexAI has enterprise-grade security:
- Fully compliant: GDPR and CCPA.
- SOC 2 Type II: Independently audited annually.
- Encrypted: Data encrypted at rest and in transit.
- Backed up: Daily backups, geographically redundant.
- Access controlled: Only recruiting team can access. Audit trail logs everything.
- Incident response: 24/7 monitoring, incident team ready.
- Zero breaches: No data breaches in company history.
- High uptime: 99.99% uptime (vs. competitors' 99.0-99.9%).
- Transparent: All certifications and security measures public.
Last updated: 2026-12-19