COMPLIANCE

Hiring software your legal team can sign off on.

EU primary data hosting, ISO 27001 certified, GDPR data-subject rights on every candidate profile, named US sub-processors. The trust centre at trust.join.com has the auditor-ready detail.

Trusted by over 60,000 companies worldwide

01

EU primary hosting, with named sub-processors.

Join's primary candidate database is hosted in the EU. Two named US sub-processors handle specific subsystems: Recall.ai for the interview-notetaker (recording, transcription) and WorkOS for the auth surface. Both are GDPR-aligned providers with EU-compliant data-processing terms. The full sub-processor list lives on trust.join.com, updated when anything changes.

  • Primary candidate database hosted in the EU
  • Two named US sub-processors: Recall.ai and WorkOS
  • Full sub-processor list published and updated on trust.join.com

02

GDPR data-subject rights, on every candidate profile.

On every candidate profile: consent status at the top, plus one-click controls for the GDPR actions you'll be asked for. Data export (machine-readable JSON + PDF) for Article 15. Redaction (replace personal fields with placeholders, keep the hiring record) for Article 16. Full erasure for Article 17. Withdraw consent and Join propagates the change: pause screening, archive the profile, or delete on schedule per your rules.

  • One-click data export (JSON + PDF) for Article 15 requests
  • Redaction replaces personal fields while keeping the hiring record
  • Full erasure propagated across backups under GDPR Article 17

03

ISO 27001 certified. Trust centre at trust.join.com.

Join is ISO 27001 certified, with the certificate, sub-processor list, and security questionnaire response published on the public trust centre. Customers' legal and security teams can pull what they need without waiting on a sales call. SOC 2 Type II and the formal EU AI Act high-risk audit are in progress on the compliance roadmap.

  • Certificate, sub-processor list, and security Q&A published publicly
  • Legal teams pull what they need without waiting on a sales call
  • SOC 2 Type II and EU AI Act audit in progress

WHAT YOU CAN DO

Controls your DPO will actually use.

  • Article 15 data export

    Export a candidate's full record as machine-readable JSON plus PDF, in one click from the profile. Satisfies the right of access in minutes.

  • Article 16 redaction

    Replace personal fields with redacted placeholders while keeping the hiring record intact for aggregate analytics.

  • Article 17 erasure

    Full profile deletion. Join propagates the deletion across backups and downstream systems per workspace policy.

  • Consent withdrawal propagation

    When a candidate withdraws consent, Join pauses screening, archives or deletes the profile per your rules. No manual chase across systems.

GDPR & EU AI Act compliance FAQ

Where is candidate data stored?

Join's primary candidate database (profiles, CVs, application answers, screening data) is hosted in the EU. Two specific subsystems use named US sub-processors: Recall.ai handles interview recording and transcription for the notetaker, and WorkOS handles authentication. Both have GDPR-aligned data-processing terms and appear in our published sub-processor list on trust.join.com.

What GDPR rights does Join support on a candidate profile?

Article 15 (data export, JSON + PDF), Article 16 (redaction), and Article 17 (erasure), all available from the data-rights panel on the candidate's profile. Consent status is visible at the top of every profile; withdrawing consent propagates across Join automatically.

Is Join ISO 27001 certified?

Yes. The current ISO 27001 certificate is published on trust.join.com, alongside the sub-processor list and our security questionnaire response. SOC 2 Type II and the formal EU AI Act high-risk audit are in progress; the trust centre will be updated as those land.

How is Join preparing for the EU AI Act?

The AI Act's high-risk-system requirements for employment AI take full effect in August 2026. Join is working through the classification and audit work ahead of that deadline. The current state and the timeline are tracked on trust.join.com; we'll publish the formal audit when it's complete.

Does Join offer a Data Processing Agreement?

Yes. The standard DPA is available on request and is signed at workspace creation; the sub-processor list, transfer impact assessment, and security questionnaire response are all on trust.join.com.

Start today

Start your 14-day free trial
and make hiring your advantage.
