WorkSignal handles sensitive candidate data - voice recordings, resumes, assessments. Here is exactly how we protect it.
All data is encrypted in transit using TLS 1.2+ and at rest using industry-standard AES-256 encryption. Voice recordings, transcripts, resumes, and assessment data are all encrypted at the storage level.
All primary data processing and storage happens in Canada. Our infrastructure runs on DigitalOcean's Toronto (TOR1) data center region, keeping candidate data within Canadian jurisdiction.
Access to production systems is restricted to authorized personnel only. Every access attempt is logged and reviewed. Customer data is isolated at the organization level with tenant-scoped queries enforced at the model layer.
Candidate data sent to AI providers is covered by data processing agreements. AI-generated outputs are recommendations only - humans make all final hiring decisions. Your candidate data is never used to train third-party models.
WorkSignal collects explicit consent before any AI interaction. The consent requirements adapt based on the candidate's jurisdiction - Ontario, Illinois, Texas, NYC, and others each have different rules. Our system applies the right ones automatically.
AI disclosure shown on the job posting. Candidate agrees to data processing when applying.
Jurisdiction-specific consent collected before scheduling. AI screening, recording, and biometric consent where required.
AI identifies itself at the start of every call. Recording notice and opt-out option provided verbally.
A human reviews all AI assessments. Candidates can request human review if they believe the AI assessment was unfair.
These are the third-party services that process customer or candidate data on our behalf. Each operates under a data processing agreement.
| Provider | Purpose | Location |
|---|---|---|
| DigitalOcean | Cloud infrastructure and data storage | Toronto, Canada |
| Stripe | Payment processing (PCI DSS compliant) | United States |
| ElevenLabs | AI voice screening calls | United States |
| Retell AI | AI voice screening calls (backup provider) | United States |
| OpenAI | Resume analysis and candidate assessment | United States |
| Anthropic | AI-powered candidate evaluation | United States |
| Resend | Transactional email delivery | United States |
| Twilio | SMS notifications and phone number verification | United States |
| Umami | Privacy-focused analytics (no cookies, no PII) | Self-hosted, Canada |
We retain data only as long as needed to provide the service and meet legal obligations.
Duration of active account + 90 days after closure
Duration of recruiter's active account
Up to 1 year, or until recruiter deletes - whichever is sooner
3 years minimum (Ontario Bill 149 record retention requirement)
7 years (CRA requirement)
Up to 90 days
We are building toward formal certifications alongside our existing compliance infrastructure.
Canadian federal privacy law. Express consent for sensitive data, implied for less-sensitive. In effect.
AI disclosure, salary validation, content scanning, 45-day notification tracking. Live and enforced in-product.
Jurisdiction-aware consent collection covering Ontario, Quebec, BC, Illinois, Texas, NYC, California, and GDPR. Live.
Planned. Formal observation period and audit to follow in 2026-2027.
Need a Data Processing Agreement (DPA)? Contact us below.
For security inquiries, vulnerability reports, DPA requests, or to request our security questionnaire responses, contact us at:
security@worksignal.com