Production-ready security · EU-hosted

Trust & Security

How Outsor protects your data, your candidates' data, and your partner agencies' data — written for the buyer who will hand this page to their CISO, their lawyer, and their data-protection officer.

Operator: Archie Recruitment Last reviewed: 25 May 2026 Status: Live in production
Hosting regionEU (europe-west1)Belgium · Google Cloud
Encryption · in transitTLS 1.3HSTS + HTTP/2
Encryption · at restAES-256Google-managed keys
Breach notification≤ 72 hoursGDPR Art. 33
Data retention30 days post-cancelThen permanent deletion
BackupsPITR · 7 daysRPO 24h · RTO 8h

What data we hold & for how long

Plain English — what's in our database, who can see it, when it disappears.

CategoryExamplesRetention
Candidate data Name, email, phone, CV file, voice/video intro, BSN field (NL), language levels, certifications, parsed CV fields, AI quality score Until Customer deletes the candidate, or 30 days after Customer cancellation. Withdrawn-application records purged immediately on candidate request.
Recruiter / partner accounts Name, work email, hashed password (handled by Firebase Auth), company affiliation, role, last-seen timestamp Until account deletion or 30 days after Customer cancellation.
Operational data Submissions, pipeline stages, hours-log entries, Q&A threads, internal notes, audit log Same as candidate data; audit-log entries retained 90 days for security review.
Invoices & billing Issued invoices (PDF + structured), payment status, partner identity, hours summary Retained for the 5-year period required by Polish tax law (Ordynacja podatkowa Art. 86) and any longer period required by Customer's local tax law.
Email queue (outgoingEmails) Transactional emails sent on Customer's behalf to candidates / partners (welcome, notification, drip) Retained for 30 days for delivery diagnostics, then automatically purged.
Logs & analytics Application logs (Cloud Logging), AI cost-tracking per company-month 30 days application logs · 24 months aggregated AI cost (no PII).

We do not sell, license or share Customer Data with anyone outside the sub-processors listed at outsor.work/sub-processors.html.

Security controls in production today

Every measure listed here is live in the production environment — not a roadmap promise.

TLS 1.3 in transitAll traffic to outsor.work, pickme.work and the Firebase API is TLS-encrypted with HSTS preload.
AES-256 at restFirestore data, Cloud Storage CVs and Auth secrets all encrypted with Google-managed keys.
Tenant isolationEvery Firestore query is gated by companyId checks in security rules — no cross-tenant data path exists in the production read APIs.
2-factor authenticationAvailable for all recruiter accounts via Firebase Auth (SMS or authenticator app).
Audit loggingRecruiter actions on candidate records, application status changes and admin operations land in an append-only audit_log collection.
Point-in-time recoveryFirestore PITR enabled with 7-day window; RPO 24 h, RTO 8 business hours for a full restore.
Rate limits & abuse controlsFirebase API rate-limits per user; sensitive Cloud Functions limited to authenticated invokers; admin endpoints require a secret token.
Secrets in Firebase Secret ManagerAPI keys (Anthropic, Resend) live in Google Secret Manager — never in source code, never in env files committed to git.
Storage upload validationServer-side function rejects oversize files (20 MB cap) and non-allow-listed MIME types before they hit Cloud Storage.
Email DKIM + SPFoutsor.work transactional emails signed by Resend; DNS records verified end-to-end. DMARC policy roadmapped for Q3 2026.
SCC-based EU↔US transfersAnthropic + Resend (US-headquartered) processed under the EU Commission's Standard Contractual Clauses + Transfer Impact Assessment.
AI no-training agreementAnthropic does not train its foundation models on Customer Data submitted via the Outsor API.

What we don't have yet (transparent roadmap)

If something goes wrong — incident & breach response

Our commitments per GDPR Art. 33 and Art. 28(3)(f).

Notification timeline

What Customer gets from us

Customer's own report-line

If you suspect a breach involving Outsor data, email info@archie-recruitment.com with subject "Security incident report — URGENT". Expect first response within 4 business hours during 09:00–17:00 CET; we monitor this inbox out-of-hours for the URGENT keyword.

Who can see your data inside Outsor

Customer-side access

Service Provider-side access

Regulatory compliance

GDPR / AVG

The full Data Processing Agreement at outsor.work/dpa.html sets out our Art. 28 obligations. Sub-processor changes are notified 14 days in advance with objection rights; Standard Contractual Clauses (Module 3, Processor-to-Processor) govern all non-EU sub-processors. Customer remains the Data Controller for all Personal Data uploaded; Outsor is the Data Processor.

EU AI Act (Regulation 2024/1689)

Outsor uses Anthropic Claude for CV quality scoring, summary generation and vacancy text drafting. Under the EU AI Act:

WAADI (Dutch Placement of Personnel by Intermediaries Act)

Outsor is a software platform for managing partner-sourced candidate submissions; it does not itself place workers, run payroll, or act as the contractual employer / hirer. Each Customer remains responsible for its own WAADI registration where applicable, and for verifying that each partner agency it invites is itself WAADI-registered where required. See the dedicated WAADI section at legal.html#waadi.

Polish tax law

Invoices issued by Outsor on Customer's behalf are retained for the 5-year period required by Ordynacja podatkowa Art. 86, regardless of Customer's own cancellation or deletion request (this is a legal retention obligation that overrides the standard 30-day deletion window for that category of data only).

Sub-processors at a glance

Full live list, transfer mechanisms and change-notification policy at outsor.work/sub-processors.html.

Sub-processorPurposeLocationTransfer mechanism
Google Cloud / FirebaseApplication hosting, Firestore database, Auth, Cloud Storage, Cloud FunctionsEU (europe-west1, Belgium)Intra-EU
AnthropicAI inference for CV quality scoring, summary, vacancy generationUSAEU SCCs + no-training agreement
ResendTransactional email delivery (welcome, notifications, drip)USA (data routed via Ireland region)EU SCCs + DPA
GitHubSource-code hosting (no Customer Data — code only)USAEU SCCs (no PII processed)

Talk to us

Need a signed DPA, custom security questionnaire response (SIG, CAIQ), or to flag an incident? We don't pass you to a ticket queue — you talk to the founder directly.

Security & data-protection contact

Artur Seredziuk · Founder & Data Protection Lead

info@archie-recruitment.com

Response target: 4 business hours · 9:00–17:00 CET, Mon–Fri. Mark security incidents "URGENT" in the subject line for out-of-hours monitoring.