Security Policy
Last updated: 14 April 2026
Treegarden is built on a foundation of trust. We apply rigorous technical and organisational measures to protect the confidentiality, integrity, and availability of every piece of data our customers entrust to the Platform.
1. Our Commitment
Treegarden Software Ltd ("Treegarden") maintains a security programme aligned with ISO 27001 standards. Security is embedded in every layer of the Platform — from the way we design features and review code, to the way we select vendors and respond to incidents.
This Policy applies to all Customer Data processed by the Treegarden ATS platform at app.treegarden.io, including personal data of candidates, employees, and hiring-team members. It supplements our Terms of Service, Privacy Policy, and Service Level Policy.
Treegarden Software Ltd
Company No: 17151699 · Registered in England and Wales
16e Railway Approach, East Grinstead, RH19 1BP, United Kingdom
2. Encryption & Data Protection
At Rest
All Customer Data — including database records, uploaded documents, and backups — is encrypted at rest using AES-256. Encryption keys are managed through dedicated key-management services with strict access controls and regular rotation schedules.
In Transit
Every connection to the Platform is encrypted with TLS 1.2 or higher. Legacy protocols (TLS 1.0/1.1) are disabled. HTTP Strict Transport Security (HSTS) headers are enforced to prevent downgrade attacks, and all API traffic is conducted exclusively over HTTPS.
Secrets Management
Application-level secrets (API credentials, database keys, service tokens) are stored in environment-specific configuration with restricted permissions. Secrets are never committed to version control or exposed in application logs.
3. Infrastructure & Network Security
- Dedicated hosting: The Platform runs on dedicated infrastructure with strict network segmentation. Only essential services are exposed to the public internet.
- Firewall & perimeter defence: A default-deny firewall policy ensures that all inbound traffic is blocked unless explicitly allowed. Rate limiting and request-size restrictions are applied at the network edge.
- Secure administration: Administrative access uses key-based authentication only. Password-based remote login is disabled. All administrative sessions are logged and auditable.
- Automated patching: Critical security patches are applied automatically. Infrastructure components are regularly updated to address known vulnerabilities.
- Monitoring & alerting: Infrastructure is continuously monitored for performance anomalies, error rates, and security events. Alerts are escalated to the engineering team in real time.
4. Application Security
The Platform is built on a modern, well-supported application framework with security controls applied at every layer:
- Cross-site scripting (XSS): All user-generated output is escaped by default. Content Security Policy headers restrict the execution of untrusted scripts.
- SQL injection: The data-access layer uses parameterised queries exclusively. Direct SQL string concatenation is prohibited by design.
- Cross-site request forgery (CSRF): All state-changing requests require a valid, server-generated token.
- Input validation: All user input is validated server-side before processing. Strict type and format checks are enforced on every endpoint.
- File upload controls: Uploaded files are validated against an allowlist of permitted types, scanned for malware, and stored outside the web-accessible directory. Archive formats that may conceal malicious payloads are rejected.
- Rate limiting: API and web endpoints are rate-limited to mitigate brute-force, credential-stuffing, and denial-of-service attempts.
5. Access Control & Authentication
Role-Based Access Control
The Platform enforces role-based access with distinct permission boundaries. Each user role restricts what data can be viewed, edited, or exported:
| Role | Access Level |
|---|---|
| Recruiter | Job management, candidate pipeline, interview scheduling for assigned roles |
| Hiring Manager | View and evaluate candidates for assigned jobs, provide interview feedback |
| External Collaborator | Limited view of specific candidates or jobs shared by the organisation |
| Job Seeker | Own profile, application submissions, interview schedule |
Authentication
- Single sign-on (SSO): Integration with Google, Microsoft, and LinkedIn via OAuth 2.0 for federated authentication.
- Credential security: Passwords are hashed using an industry-standard adaptive algorithm. Plaintext passwords are never stored or logged.
- Session management: Sessions use secure, HTTP-only cookies with SameSite protections. Idle sessions expire automatically.
Multi-Tenant Isolation
Each organisation's data is logically isolated at the application layer. Users can only access data belonging to their own company. Cross-tenant data access is prevented by design and validated on every request.
6. AI Governance (Edera AI)
Treegarden's AI recruitment suite ("Edera AI") assists with candidate scoring, screening question generation, and interview preparation. The following safeguards govern all AI-powered features:
Human Oversight
- No automatic rejection: AI models score and rank candidates but never automatically reject an applicant. All consequential hiring decisions require human review.
- Advisory only: AI-generated scores and recommendations are presented as decision-support tools, not as final outcomes.
- Override capability: Recruiters and hiring managers may override or disregard any AI output at any time.
Transparency & Fairness
- Audit trail: Every AI-generated decision is logged with timestamps and parameters for full traceability.
- Bias monitoring: AI outputs are monitored for demographic bias, with corrective action taken when anomalies are detected.
- Candidate rights: Candidates may request an explanation of how AI was used in their application and may opt out of AI-assisted scoring.
EU AI Act Compliance
AI systems used in recruitment are classified as high-risk under the EU AI Act (Regulation 2024/1689). Treegarden implements the applicable requirements, including risk management (Art. 9), automatic logging (Art. 12), transparency (Art. 13), human oversight (Art. 14), deployer notification (Art. 26), fundamental rights impact assessment (Art. 27), and incident reporting (Art. 73).
7. Sub-Processor Registry
Treegarden engages the following categories of third-party service providers to deliver Platform functionality. Each provider is assessed for security practices and data-protection compliance before engagement and is subject to contractual obligations.
| Category | Providers | Purpose | Data Shared |
|---|---|---|---|
| Authentication & SSO | Google, Microsoft, LinkedIn | Federated sign-in, calendar synchronisation | Email address, display name |
| AI & Machine Learning | Third-party inference providers | Candidate scoring, content generation | Job descriptions, anonymised candidate summaries |
| Email Delivery | Transactional email providers | Notification and system email delivery | Recipient address, email content |
| Calendar & Scheduling | Google Calendar, Microsoft Outlook | Interview scheduling, availability sync | Event time, attendee details |
| Cloud Infrastructure | Amazon Web Services | File storage, message queuing | Uploaded documents (encrypted) |
| Job Board Distribution | Indeed, LinkedIn Jobs, and regional boards | One-directional job listing feeds | Published job data only (no candidate data) |
| Analytics | Microsoft Clarity, Google Analytics | Usage analytics and performance monitoring | Anonymised interaction data |
| Error Monitoring | Sentry | Exception tracking and performance monitoring | Error metadata (no PII) |
A complete, up-to-date list of sub-processors is available on request by emailing [email protected]. Customers are notified at least 30 days in advance of any new sub-processor engagement.
8. Data Lifecycle & Retention
- Active subscription: Customer Data is retained and available throughout the Subscription Term.
- Post-termination: Upon termination or expiry, Customer Data is retained for 30 days to allow export. An extension of up to 30 additional days may be requested before the initial period expires.
- Permanent deletion: After the retention period, Customer Data is permanently deleted from all primary systems and backups, subject to any legal retention obligations.
- Right to erasure: Data subjects may exercise their right to erasure under GDPR Article 17. Requests are processed within 30 days.
- Data export: Customers may request a full export of their data in a machine-readable format at any time during their subscription or the post-termination retention period.
9. Incident Response
Treegarden maintains a documented incident response plan covering identification, containment, eradication, recovery, and post-incident review. Key commitments:
- Notification: Affected Customers are notified without undue delay, and in any event within 72 hours of becoming aware of a personal data breach, in accordance with GDPR Article 33.
- Supervisory authority reporting: Where required, breaches are reported to the Information Commissioner's Office (ICO) within the 72-hour window.
- Root cause analysis: Every security incident is followed by a root cause analysis and a remediation plan to prevent recurrence.
- Post-incident review: Lessons learned are documented and incorporated into security controls, training materials, and operational procedures.
10. Business Continuity
- Automated backups: Database and file-storage backups are performed daily and encrypted before transfer to geographically separate storage.
- Recovery testing: Backup restoration procedures are tested periodically to validate data recoverability and recovery time.
- Redundancy: Critical components are designed with redundancy to minimise single points of failure.
- Service level commitments: Uptime targets, maintenance windows, and service credits are detailed in the Service Level Policy.
11. Compliance & Certifications
| Framework | Status |
|---|---|
| UK GDPR & Data Protection Act 2018 | Compliant. Treegarden acts as data processor; DPA available on request. |
| EU GDPR (Regulation 2016/679) | Compliant. Standard Contractual Clauses applied for international transfers. |
| EU AI Act (Regulation 2024/1689) | Compliant. Edera AI implements high-risk AI system requirements. |
| ISO 27001 | Aligned. Security programme follows ISO 27001 controls and practices. |
| UK Bribery Act 2010 | Compliant. Anti-corruption policies and procedures in place. |
Treegarden conducts Data Protection Impact Assessments (DPIAs) for high-risk processing activities and maintains records of processing activities in accordance with GDPR Article 30. Data Processing Addenda are available by contacting [email protected].
12. Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities from the research community. If you believe you have found a vulnerability in the Treegarden platform:
- Email details to [email protected].
- Include steps to reproduce and any supporting evidence.
- Allow reasonable time for investigation and remediation before public disclosure.
Treegarden commits to acknowledging reports promptly and will not pursue legal action against researchers acting in good faith. Our machine-readable security contact is published at /.well-known/security.txt.
13. Changes to This Policy
Treegarden may update this Security Policy at any time. Material changes — including new sub-processors, changes to data-processing locations, or reductions in security controls — will be communicated to active Customers at least 30 days before taking effect.
The current version is always available at treegarden.io/security/.
14. Contact
For security enquiries, vulnerability reports, or data protection requests:
Treegarden Software Ltd
Company No: 17151699 · Registered in England and Wales
16e Railway Approach, East Grinstead, RH19 1BP, United Kingdom
Security: [email protected]
Legal: [email protected]
General: [email protected]
Website: treegarden.io