Security & Compliance

Security is not optional, and it isn't optional with us either.

talenttrends is built from the ground up for enterprise security requirements — with documented technical and organisational measures, clearly governed data processing and a subprocessor stack that matches your hosting choice. This page gives you the information you need for procurement, legal and InfoSec.


Data residency

You decide where your data is processed

talenttrends processes personal data exclusively in the regions you choose. Cross-region data flows do not take place as a matter of principle — the only exception is LLM inference, which can be configured separately.

SaaS with talessio

Hosting in Azure Germany West Central (Frankfurt, DE) or STACKIT (Schwarz Digits, DE). Both exclusively in the EU. Schrems II risk addressed: STACKIT fully (no US parent), Azure via the Microsoft EU Data Residency programme and contractual Standard Contractual Clauses.

In your cloud

Data residency follows your cloud subscription. You control region, network and encryption. We deliver the platform, you provide the environment.

On-Premises

Full data residency in your data centre. No cross-cloud data flows, no external subprocessors — except for LLM inference, if Ask is active.

LLM inference (for talenttrends Ask) is configurable separately: AWS Bedrock (Frankfurt, eu-central-1, standard, EU data residency), Azure AI Foundry (Sweden Central, EU region), or your own model (BYOL) with a hyperscaler of your choice or on-premises.

Details on hosting choice, migration paths and responsibilities can be found under Cloud & On-Premises.

Data processing agreement

A DPA under Art. 28 GDPR incl. a transparent subprocessor list

We provide a standard data processing agreement (DPA) under Art. 28 GDPR, supplemented by technical and organisational measures, a subprocessor list and data protection impact assessment input. The DPA is well established in the DACH market and open to adjustments, insofar as they fit the chosen hosting model.

Subprocessors per hosting model

| Function | SaaS Azure | SaaS STACKIT | In your cloud | On-Premises |
|---|---|---|---|---|
| Platform hosting | Microsoft Ireland Operations Ltd. | Schwarz Digits KG (GmbH & Co.) | Your cloud provider | None |
| LLM inference (talenttrends Ask) | Amazon Web Services EMEA SARL (Bedrock Frankfurt) and/or Microsoft Ireland (Azure OpenAI) | Amazon Web Services EMEA SARL (Bedrock Frankfurt) and/or Microsoft Ireland (Azure OpenAI) | Either the same or your own model | Either the same or your own model |
| Email sending | Microsoft Ireland Operations Ltd. | Provider of your choice | Provider of your choice | Provider of your choice |

What the DPA covers: purposes of the processing, data categories, categories of data subjects, storage locations and periods, technical and organisational measures (TOMs), subprocessor authorisation procedures, rights and obligations of both parties, notification obligations for personal data breaches.

TOMs

Measures that Art. 32 GDPR expects — and more

The technical and organisational measures (TOMs) follow the requirements of Art. 32 GDPR and are aligned with the state of the art. They are described in full in our DPA and are reviewed and updated at least annually.

Encryption in transit

All external connections via TLS 1.2 or higher. HTTP Strict Transport Security enabled. No plaintext endpoints for platform access.

Encryption at rest

Customer credentials and sensitive data fields are encrypted with AES-256 at application level — in addition to the encryption of the hosting infrastructure. Keys are managed in dedicated key management services (Azure Key Vault, STACKIT Vault).

Access and authorisation control

Mandatory login with multi-factor authentication for administrative access. Authorisation concept with role separation. Zero-trust network access for operations staff.

Separation of processing

Tenant isolation at data level — every record carries a tenant identifier, requests see only the data of the requested tenant. Separate databases per tenant.

Input and processing audit

All administrative actions and data accesses by end users are fully logged — with user, timestamp, action, result. Retention as per contract.
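The two measures above (tenant isolation at data level and a full access audit trail) in working form, as an added example written for this page and not talenttrends' own code. It assumes one store per tenant standing in for the separate database, a record type that carries the tenant identifier, and a request context that is already bound to one tenant by the authentication layer; class and field names are assumptions made for the example.

```python
"""Tenant-scoped data access with an audit trail (added example, not talenttrends code).

Every record carries a tenant identifier, each tenant has its own store,
a request is bound to exactly one tenant and never sees another tenant's
rows, and every access is logged with user, timestamp, action and result.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Record:
    tenant_id: str      # the tenant identifier every record carries
    record_id: str
    payload: dict


@dataclass(frozen=True)
class RequestContext:
    tenant_id: str      # the tenant this request was authorised for (assumed to be set upstream)
    user: str


@dataclass(frozen=True)
class AuditEntry:
    user: str
    tenant_id: str
    action: str
    timestamp: str
    result: str


class TenantScopeViolation(Exception):
    """Raised when a request asks for data outside its own tenant."""


class TenantScopedStore:
    def __init__(self) -> None:
        self._db: dict[str, dict[str, Record]] = {}   # one store per tenant
        self.audit_log: list[AuditEntry] = []

    def insert(self, record: Record) -> None:
        self._db.setdefault(record.tenant_id, {})[record.record_id] = record

    def _audit(self, ctx: RequestContext, action: str, result: str) -> None:
        self.audit_log.append(AuditEntry(
            user=ctx.user, tenant_id=ctx.tenant_id, action=action,
            timestamp=datetime.now(timezone.utc).isoformat(), result=result))

    def get(self, ctx: RequestContext, tenant_id: str, record_id: str) -> Record | None:
        action = f"get {tenant_id}/{record_id}"
        # First gate: a request may only address the tenant it was authorised for.
        if tenant_id != ctx.tenant_id:
            self._audit(ctx, action, "denied: cross-tenant request")
            raise TenantScopeViolation(f"{ctx.user} may not access tenant {tenant_id}")
        rec = self._db.get(tenant_id, {}).get(record_id)
        if rec is None:
            self._audit(ctx, action, "not found")
            return None
        # Second gate: the record's own tenant identifier must agree, even if a
        # record was filed into the wrong store. Defence in depth, not the normal path.
        if rec.tenant_id != ctx.tenant_id:
            self._audit(ctx, action, "denied: record tenant mismatch")
            raise TenantScopeViolation("record belongs to another tenant")
        self._audit(ctx, action, "ok")
        return rec

    def list_all(self, ctx: RequestContext) -> list[Record]:
        """Return only the rows of the requesting tenant; the read is logged as well."""
        rows = [r for r in self._db.get(ctx.tenant_id, {}).values()
                if r.tenant_id == ctx.tenant_id]
        self._audit(ctx, "list", f"ok: {len(rows)} rows")
        return rows


if __name__ == "__main__":
    # Constructed sample data, not real customer records.
    store = TenantScopedStore()
    store.insert(Record("acme", "r1", {"v": 1}))
    store.insert(Record("globex", "g1", {"v": 3}))
    ctx = RequestContext(tenant_id="acme", user="alice")
    print([r.record_id for r in store.list_all(ctx)])
    try:
        store.get(ctx, "globex", "g1")
    except TenantScopeViolation as exc:
        print("denied:", exc)
    for entry in store.audit_log:
        print(entry)
```

Note that a denied request is logged with the same fields as a successful one, so the audit trail shows attempted cross-tenant access, not only completed reads.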

Data protection incidents

Established response process incl. 72-hour notification under Art. 33 GDPR. Forensics procedures documented, lessons-learned loop established.

Identity

Authentication via the methods you already operate today

talenttrends integrates into your existing identity landscape. We don't bring our own identity provider and don't require shadow administration — we use what you have.

Cornerstone

Micro Apps are authenticated via Cornerstone OAuth 2.0 — the same login the user uses for Cornerstone itself. No second login, no second password.

Enterprise SSO

SAML 2.0 and OpenID Connect for administration and platform configuration. Connection to Microsoft Entra ID (Azure AD), Okta, other IdPs on request.

Multi-factor authentication

Time-based one-time passwords (TOTP), authenticator apps, WebAuthn / passkeys for administrative accounts. Enforceable per role.

Permission pass-through: permissions from Cornerstone are fully enforced in the Micro Apps and talenttrends Ask requests. Anyone who is not allowed to see certain data in Cornerstone will not see it in a Micro App or a talenttrends Ask answer either.

AI security

What your LLM sees, what it does not see and how you can verify it

talenttrends Ask and other LLM-powered features work on a firmly defined data interface — not on free access to your HR data. What the LLM processes is transparent and traceable.

Permission-based data view

Every request against the talenttrends Ask data foundation is executed with the permissions of the requesting user. Anyone who may only see their direct reports in the Cornerstone portal will also only see their direct reports in talenttrends Ask.

PII protection

Personally identifiable fields are classified separately. Requests that would deliver such fields unaggregated are rejected with a clear message to the user. You can configure the protection per column.
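The permission-based data view and the PII protection described above, as one added example written for this page (not talenttrends code): a query runs only over the rows the requesting user may see, a request for an unaggregated PII column is rejected with a message meant for the user, and aggregates are computed over the permitted rows. The employee table, the "self plus direct reports" permission model, the column classification and the minimum group size are assumptions for the example; the minimum group size goes slightly beyond the text by also suppressing an aggregate that would cover a single person.

```python
"""Permission pass-through and column-level PII policy for an Ask-style query layer.

Added example, not talenttrends code. Names, data and policy values are assumptions.
"""
from statistics import mean

# Constructed sample data, not real HR records.
EMPLOYEES = [
    {"id": 1, "name": "Manager One",  "manager_id": None, "salary": 9000, "department": "Sales"},
    {"id": 2, "name": "Report Two",   "manager_id": 1,    "salary": 5000, "department": "Sales"},
    {"id": 3, "name": "Report Three", "manager_id": 1,    "salary": 6000, "department": "Sales"},
    {"id": 4, "name": "Report Four",  "manager_id": 1,    "salary": 5500, "department": "Engineering"},
    {"id": 5, "name": "Report Five",  "manager_id": 2,    "salary": 4000, "department": "Sales"},
]

# Per-column PII classification (the page describes this as configurable per column).
PII_COLUMNS = {"name", "salary"}
AGGREGATES = {"count", "avg", "sum", "min", "max"}
# Added safeguard (assumption): an aggregate over a PII column is suppressed when
# the group is so small that the aggregate would reveal one person's value.
MIN_GROUP_SIZE = 2


class PolicyViolation(Exception):
    """Raised with a message that can be shown to the user as-is."""


def visible_rows(user_id, rows):
    """Permission pass-through: the user sees their own row and their direct reports."""
    return [r for r in rows if r["id"] == user_id or r["manager_id"] == user_id]


def check_pii_policy(select):
    """`select` holds plain column names or (aggregate, column) pairs."""
    for item in select:
        if isinstance(item, tuple):
            agg, _col = item
            if agg not in AGGREGATES:
                raise PolicyViolation(f"Unknown aggregate '{agg}'.")
            continue                      # aggregated PII is permitted
        if item in PII_COLUMNS:
            raise PolicyViolation(
                f"The column '{item}' is classified as personal data and can only be "
                f"returned in aggregated form (for example avg or count).")


def _aggregate(agg, values):
    return {"count": len, "avg": mean, "sum": sum, "min": min, "max": max}[agg](values)


def run_query(user_id, select):
    """Apply both rules, then group by the plain columns and aggregate the rest."""
    check_pii_policy(select)
    rows = visible_rows(user_id, EMPLOYEES)
    group_cols = [c for c in select if isinstance(c, str)]
    agg_cols = [c for c in select if isinstance(c, tuple)]
    groups = {}
    for r in rows:
        groups.setdefault(tuple(r[c] for c in group_cols), []).append(r)
    results = []
    for key in sorted(groups):
        members = groups[key]
        row = dict(zip(group_cols, key))
        for agg, col in agg_cols:
            if col in PII_COLUMNS and len(members) < MIN_GROUP_SIZE:
                row[f"{agg}_{col}"] = None    # suppressed: would identify one person
            else:
                row[f"{agg}_{col}"] = _aggregate(agg, [m[col] for m in members])
        results.append(row)
    return results


if __name__ == "__main__":
    print(run_query(1, ["department", ("count", "id"), ("avg", "salary")]))
    try:
        run_query(2, ["name", "department"])
    except PolicyViolation as exc:
        print("rejected:", exc)
```

The order of the checks matters: the PII policy is evaluated before any data is read, so a rejected request never touches the rows, and the permission filter is applied before grouping, so aggregates only ever summarise what the user is allowed to see.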

No model training with your data

Contractually excluded — both with AWS Bedrock and with Azure OpenAI / Anthropic. Your HR data is not used to improve third-party models.

EU AI Act: In our assessment, Ask is not a high-risk AI system within the meaning of the EU AI Act — the application makes no automated personnel decisions. The transparency obligation under Art. 50 (users know they are interacting with AI) is met.

Compliance

Who is certified, who is compliant, and what that means for you.

Compliance statements have to be honest to hold up. Here is what you actually get — differentiated by the standards that procurement or legal expect from us.

| Standard | Status | Path |
|---|---|---|
| GDPR | talenttrends is set up for GDPR-compliant data processing. | DPA under Art. 28 GDPR, TOMs under Art. 32, notification process under Art. 33, right to be forgotten under Art. 17 implemented, privacy-friendly default settings. |
| ISO/IEC 27001 | Compliant via the STACKIT hosting path. | Schwarz Digits holds the ISO 27001 certification; audit report on request. |
| BSI C5 | Compliant via the STACKIT hosting path. | Schwarz Digits holds the BSI C5 attestation; audit report on request. |
| SOC 2 Type II | Compliant via the Azure hosting path. | Microsoft holds the SOC 2 Type II certification; report available via Microsoft Service Trust. |
| EU AI Act (Art. 50) | Compliant. | Transparency obligation met; high-risk classification, in our assessment, not applicable. |


Interested?

Talk to your InfoSec and our team together

One day, structured. We bring all the documents — DPA, TOM description, subprocessor list, audit reports from our hosting providers — and go through all the knock-out questions with your InfoSec team. Until nothing is left open.