Security & Trust at Growthtastic

Your data and your applicants' data deserve the highest standards. Growthtastic is built on a privacy-first foundation - GDPR-compliant, EU AI Act aligned, encrypted at rest and in transit, and hosted on European infrastructure. The world's strictest data protection rules, applied to every customer.

  • GDPR compliant
  • Hosted in the EU
  • EU AI Act aligned
  • Encryption at rest & in transit
  • Multi-factor authentication

How we protect your data

Privacy and security weren't added later. They've been built into Growthtastic from day one.

GDPR by design

We only collect data we're allowed to. Applicants can view, correct, or delete their own data right in the platform - no support ticket needed.

European infrastructure

All applicant data stays on servers within the European Union. No transfers to countries with weaker data protection rules.

EU AI Act ready

AI assists - humans decide. No automated hiring decisions. Every AI suggestion is transparent, explainable, and your team can always override it.

Encryption everywhere

Every connection is encrypted. Sensitive applicant data such as CVs and personal details is also stored encrypted on our servers.

Strong authentication

Multi-factor authentication for every account. Roles and permissions make sure only the right people can see applicant data.

Transparency & control

You stay in control of your data. Account and data deletion any time, no questions asked. Detailed audit logs are available for Enterprise customers on request.

Data protection

GDPR isn't a checkbox. It's our default.

Growthtastic is engineered around the GDPR's core principles - data minimization, purpose limitation, integrity, and accountability. Not patched in afterwards.

Read our Privacy Policy

  • Lawful basis documented for every category of personal data we process.
  • Documented retention policies - applicant data is deleted after defined retention periods (typically 6 months after rejection, in line with German AGG documentation requirements).
  • Data Subject Access Requests (DSARs) - applicants can request, correct, or delete their data directly.
  • Right to be forgotten honored within statutory deadlines, with cryptographic proof of deletion.
  • Data Processing Agreement (DPA) included by default - no separate contract negotiation needed.
  • Annual review of our data processing register, available to enterprise customers on request.

EU AI Act

AI prepares - you decide.

Recruiting is high-risk under the EU AI Act. Growthtastic is built so your team always remains in the driver's seat - no shadow algorithms making hiring calls.

Read our AI Transparency notes

  • No automated decision-making in the sense of GDPR Art. 22 - every shortlist, ranking, or rejection is reviewed by a human.
  • AI suggestions are explainable: matched skills, missing requirements, and reasoning are shown next to every result.
  • Bias mitigation: protected attributes (age, gender, origin, etc.) are not used as features for ranking or matching.
  • Applicants are informed transparently when AI is used to assist screening - in line with EU AI Act transparency obligations.
  • Human oversight built into the workflow - the recruiter, not the algorithm, decides who gets contacted.
  • AI models and prompts are versioned and auditable for compliance reviews.

Infrastructure

European servers. Strong encryption. No compromises.

Every byte of applicant data lives in the EU. Every connection is encrypted. Every backup is verified.

  • Hosting exclusively in EU data centers. No data transfers to non-adequate third countries.
  • TLS for all client traffic, with HSTS enforced on all production domains.
  • Sensitive applicant data like CVs, contact details, and attachments is stored encrypted on our servers.
  • Automated backups, encrypted end-to-end and stored offsite within the EU.
  • Network isolation between services - databases and internal queues are not reachable from the public internet.
  • Dependencies kept current - security advisories monitored and applied promptly.

Account security

Right access. Right people. Always.

Hiring data is sensitive. Growthtastic gives your team fine-grained control over who sees what - and forces strong authentication on every account.

  • Passwordless by design - sign in via email one-time codes, authenticator apps (TOTP), or Passkeys (WebAuthn / FIDO2). No passwords to leak, reuse, or phish.
  • Multi-factor authentication for every recruiter account, optionally enforced organization-wide.
  • Granular roles & permissions - configure who can publish jobs, view applicants, manage billing, or invite users.
  • Session management - revoke sessions remotely, see active devices, automatic logout on inactivity.
  • Rate limiting and abuse protection on all authentication endpoints.

For applicants

Applicants stay in control of their data.

Trust runs both ways. Applicants who use Growthtastic to apply have the same rights and tools as enterprise customers.

  • Clear, plain-language privacy notice at every application form.
  • Applicants can request a copy of their data, correct it, or delete it - directly from their account.
  • Granular consent for talent pool inclusion - opt-in, not buried.
  • Defined retention periods, with deletion handled in line with our GDPR-aligned policies.
  • Withdrawn applications can be permanently erased on request.

Security questions, answered.

Common questions from procurement, IT, and works councils.

Is Growthtastic GDPR compliant?
Yes. Growthtastic is built around the GDPR from the ground up. We process applicant data on a documented lawful basis, honor data subject rights via the platform, sign a Data Processing Agreement with every customer, and host all applicant data on servers within the European Union.

Where is applicant data stored?
Applicant data is stored exclusively in EU data centers - no transfers to countries with weaker data protection rules. Backups are also kept within the EU, in a different region from the primary infrastructure for resilience.

How does Growthtastic comply with the EU AI Act?
AI is used to assist - never to decide. There are no fully automated hiring decisions in the sense of GDPR Art. 22. Every AI suggestion (job match, CV analysis, ranking) is shown with its reasoning and remains overridable by a human recruiter. Applicants are informed when AI assists in screening.

Do you sign a Data Processing Agreement (DPA)?
Yes. A GDPR-aligned DPA is included by default with every Growthtastic subscription. There is no separate contract negotiation - the DPA is published in our legal section and forms part of the standard agreement.

Are AI models trained on our customer data?
No. Customer and applicant data is used only to provide the service to you. It is not used to train AI models - neither ours nor those of any AI providers we use to deliver the service.

How long is applicant data retained?
The default retention period for rejected applicants is six months after the rejection decision, in line with German AGG documentation requirements. Hired candidates' data is retained for the duration of the employment relationship, as documented in your privacy notice. Custom retention periods are available on request.

Can applicants request deletion of their data?
Yes. Applicants can request access, correction, or deletion of their data directly from their Growthtastic account or via a written request. Deletion is performed within statutory deadlines and is cryptographically verifiable.

What happens if there is a data breach?
Growthtastic operates a documented incident response process. In the case of a personal data breach, affected customers are notified without undue delay and within the timelines required by Art. 33 GDPR, with all the information needed for their own notification obligations.

Is multi-factor authentication available?
Yes. MFA is supported for every recruiter account and can be enforced at the organization level for all members of your team.

Hire with confidence. Start free.

Same security, same GDPR compliance, same EU hosting - whether you're a 5-person practice or a 500-person organization.

✓ Free to start · ✓ GDPR-aligned DPA included · ✓ EU hosting