Trust & Security
How Outsor protects your data, your candidates' data, and your partner agencies' data — written for the buyer who will hand this page to their CISO, their lawyer, and their data-protection officer.
What data we hold & for how long
Plain English — what's in our database, who can see it, when it disappears.
| Category | Examples | Retention |
|---|---|---|
| Candidate data | Name, email, phone, CV file, voice/video intro, BSN field (NL), language levels, certifications, parsed CV fields, AI quality score | Until Customer deletes the candidate, or 30 days after Customer cancellation. Withdrawn-application records purged immediately on candidate request. |
| Recruiter / partner accounts | Name, work email, hashed password (handled by Firebase Auth), company affiliation, role, last-seen timestamp | Until account deletion or 30 days after Customer cancellation. |
| Operational data | Submissions, pipeline stages, hours-log entries, Q&A threads, internal notes, audit log | Same as candidate data; audit-log entries retained 90 days for security review. |
| Invoices & billing | Issued invoices (PDF + structured), payment status, partner identity, hours summary | Retained for the 5-year period required by Polish tax law (Ordynacja podatkowa Art. 86) and any longer period required by Customer's local tax law. |
| Email queue (outgoingEmails) | Transactional emails sent on Customer's behalf to candidates / partners (welcome, notification, drip) | Retained for 30 days for delivery diagnostics, then automatically purged. |
| Logs & analytics | Application logs (Cloud Logging), AI cost-tracking per company-month | 30 days application logs · 24 months aggregated AI cost (no PII). |
We do not sell, license or share Customer Data with anyone outside the sub-processors listed at outsor.work/sub-processors.html.
Security controls in production today
Every measure listed here is live in the production environment — not a roadmap promise.
What we don't have yet (transparent roadmap)
- ISO 27001 / SOC 2 Type II — both planned once Outsor passes 25 paying customers. We will share interim self-assessment artifacts on request from any Customer.
- External pen-test report — first pen test scheduled for Q4 2026, results shareable under NDA.
- DMARC enforcement policy — currently SPF + DKIM are live; DMARC will move from
p=nonetop=quarantinein Q3 2026. - Customer-managed encryption keys (CMEK) — not currently offered; available on Enterprise pick.me plan only after 2027.
If something goes wrong — incident & breach response
Our commitments per GDPR Art. 33 and Art. 28(3)(f).
Notification timeline
- 0 – 24 hours — confirmed personal-data breach affecting Customer Data is triaged internally; severity and scope assessed.
- Within 72 hours — Customer's named billing contact is notified by email with: nature of the breach, categories and approximate number of data subjects/records affected, likely consequences, measures taken or proposed.
- Within 7 days — written post-incident report shared, including root-cause analysis and remediation plan.
What Customer gets from us
- Direct email to the billing contact (not a generic status page) within 72 hours.
- Full cooperation with Customer's own GDPR Art. 33 notification to the supervisory authority where Customer is the controller.
- Forensic access to relevant audit-log entries on request.
- No charge for incident-response time or follow-up calls.
Customer's own report-line
If you suspect a breach involving Outsor data, email info@archie-recruitment.com with subject "Security incident report — URGENT". Expect first response within 4 business hours during 09:00–17:00 CET; we monitor this inbox out-of-hours for the URGENT keyword.
Who can see your data inside Outsor
Customer-side access
- Recruiters on Customer's account see only data within their company tenant (enforced by Firestore security rules).
- Partner-agency users invited by Customer see only candidates they themselves submitted and the vacancies Customer explicitly shared with them — they cannot enumerate Customer's other candidates or partners.
- Candidates (if they hold a public-portal account) see only their own profile and application status — never Customer's internal notes or other candidates.
Service Provider-side access
- Single platform owner (Artur Seredziuk, founder) has elevated access for production support, restricted to one allow-listed admin email checked in code and security rules.
- Admin access is used only for: provisioning new Customer accounts, investigating reported security incidents, restoring data on Customer request.
- Every admin operation is logged in an immutable audit collection.
- Sub-processors have no human access to Customer Data — they process it through their APIs only (no support staff browses Customer records).
Regulatory compliance
GDPR / AVG
The full Data Processing Agreement at outsor.work/dpa.html sets out our Art. 28 obligations. Sub-processor changes are notified 14 days in advance with objection rights; Standard Contractual Clauses (Module 3, Processor-to-Processor) govern all non-EU sub-processors. Customer remains the Data Controller for all Personal Data uploaded; Outsor is the Data Processor.
EU AI Act (Regulation 2024/1689)
Outsor uses Anthropic Claude for CV quality scoring, summary generation and vacancy text drafting. Under the EU AI Act:
- All AI outputs are advisory only — no automated decision having legal or similarly significant effect on a candidate is taken by the Service (Art. 22 GDPR safeguard).
- Customer's recruiters retain full human review and decision authority on hire, reject and pipeline-stage changes.
- Transparency obligation: every Customer and User is informed at signup and in the legal hub that AI is used; AI features can be disabled per Customer at any time.
- No training: Anthropic does not use Customer Data submitted via the Outsor API to train its foundation models.
WAADI (Dutch Placement of Personnel by Intermediaries Act)
Outsor is a software platform for managing partner-sourced candidate submissions; it does not itself place workers, run payroll, or act as the contractual employer / hirer. Each Customer remains responsible for its own WAADI registration where applicable, and for verifying that each partner agency it invites is itself WAADI-registered where required. See the dedicated WAADI section at legal.html#waadi.
Polish tax law
Invoices issued by Outsor on Customer's behalf are retained for the 5-year period required by Ordynacja podatkowa Art. 86, regardless of Customer's own cancellation or deletion request (this is a legal retention obligation that overrides the standard 30-day deletion window for that category of data only).
Sub-processors at a glance
Full live list, transfer mechanisms and change-notification policy at outsor.work/sub-processors.html.
| Sub-processor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Google Cloud / Firebase | Application hosting, Firestore database, Auth, Cloud Storage, Cloud Functions | EU (europe-west1, Belgium) | Intra-EU |
| Anthropic | AI inference for CV quality scoring, summary, vacancy generation | USA | EU SCCs + no-training agreement |
| Resend | Transactional email delivery (welcome, notifications, drip) | USA (data routed via Ireland region) | EU SCCs + DPA |
| GitHub | Source-code hosting (no Customer Data — code only) | USA | EU SCCs (no PII processed) |
Talk to us
Need a signed DPA, custom security questionnaire response (SIG, CAIQ), or to flag an incident? We don't pass you to a ticket queue — you talk to the founder directly.
Security & data-protection contact
Artur Seredziuk · Founder & Data Protection Lead
Response target: 4 business hours · 9:00–17:00 CET, Mon–Fri. Mark security incidents "URGENT" in the subject line for out-of-hours monitoring.