Data Security in Applicant Tracking Systems: A Complete Guide

Gauri Asopa Content Writer

Modern Applicant Tracking Systems (ATS) handle large volumes of sensitive candidate data, making data security a priority for organizations. These systems typically store personal information.

Applicant Tracking Systems contain some of the most sensitive information an organization collects, including home addresses, Social Security numbers, compensation history, disability disclosure, background check results, and, in some cases, biometric identifiers.

This guide tackles ATS data security from the ground up: types of data at risk, technical controls needed, industry- and region-specific compliance frameworks, vendor security assessments, integration vulnerabilities, and incident response.

Understanding ATS Data Security: Scope and Risk Landscape

Types of Sensitive Data in ATS Platforms

Not all ATS data carries the same risk level. Understanding the data taxonomy helps prioritize security controls and compliance obligations. The highest-risk data categories are those that create identity theft exposure or trigger specific regulatory requirements. Governments and organizations must comply with data privacy laws such as GDPR and CCPA, which require strict data protection measures.

Direct PII

Includes full name, address, phone number, email address, date of birth, and Social Security Number. This data poses significant privacy and identity theft risks and is regulated by laws such as GDPR and CCPA.

Financial Data

Covers salary history, compensation expectations, and banking details collected during onboarding. Exposure of this information can lead to financial fraud and compliance risks.

Protected Characteristics

Includes race, gender, disability status, and veteran information collected for EEOC compliance. Improper access or misuse can lead to serious discrimination and legal liability.

Assessment and Screening Data

Includes interview evaluations, background check reports, and reference feedback. This category requires strict confidentiality due to potential legal and reputational risks.

Biometric Data

Covers facial recognition, voiceprints, and other biometric identifiers used in video interviews or authentication systems. This data is highly sensitive and regulated under laws such as Illinois BIPA and GDPR Article 9.

Behavioral Data

Includes application behavior patterns, click tracking, and time spent on pages during the hiring process. While considered medium risk, organizations must still justify their collection and use under privacy regulations such as GDPR.

Core Security Threats to ATS Platforms

ATS security threats fall into three categories. Understanding which is most relevant to your organization determines where controls should be prioritized. Compliance with data protection laws and regulations, such as GDPR and CCPA, involves implementing technical, physical, and administrative safeguards to secure sensitive information and ensure that recruitment processes respect individuals' privacy rights.

  1. External cyberattacks: Credential stuffing (replaying leaked username/password combinations against ATS login pages), SQL injection aimed at candidate data, and ransomware that encrypts ATS data are the most common external threats. ATS platforms that hold millions of candidate records are high-value targets.
  2. Insider threats: Recruiters, HR administrators, and IT staff with overprivileged access are the most common source of data exposure. Insider incidents are rarely malicious; most involve accidental sharing, incorrect permissions, or the export of candidate data to personal devices for 'convenience.'
  3. Third-party and integration vulnerabilities: Every integration point (job boards, background check services, HRIS, payroll, and video interviewing platforms) is a potential attack vector. Data shared with an insecure third party is effectively unprotected.

Real-World Consequence: One Breach Can End a Recruitment Business

A single data breach at a mid-size recruitment agency exposed thousands of candidate records, resulting in client departures, regulatory scrutiny, and lasting reputational damage that the company never fully recovered from. ATS security failures are not IT problems. They are business continuity problems.

Key ATS Security Measures

  • Encryption norms: Encryption is the starting point, not the endpoint. Every ATS vendor will list encryption as a feature; the question is whether they apply it correctly in every data state.
  • Encryption at rest: AES-256 (or stronger) is the minimum acceptable standard for data stored in ATS databases. Ask vendors specifically whether encryption covers all data stores, including backups, log files, and temporary files, not just the main database.
  • Encryption in transit: TLS 1.2 at minimum, TLS 1.3 preferred, for all data moving between the ATS and connected systems, job boards, and user browsers. Ensure that older TLS versions are explicitly disabled.
  • Key management: Where are your encryption keys stored? Keeping keys in the same system as the data they protect is the weakest arrangement. Ask vendors whether they use a Hardware Security Module (HSM) or a dedicated key management service.
  • End-to-end encryption for integrations: Data exchanged with HRIS, background check providers, and job boards should be encrypted in transit with mutual authentication, not just HTTPS.

Authentication and Role-Based Access Control

ATS insider incidents are primarily caused by misconfigured access controls. The principle of least privilege, where every user has access only to the data required by their role, is simple in theory but poorly implemented in practice. Rotating encryption keys every 90 days limits exposure if a key is compromised. Regular security assessments, including penetration testing and vulnerability scans, help identify and patch hidden risks.

  • Multi-factor authentication: Require MFA for all ATS users, not just high-risk users. SMS-based MFA is better than nothing, but an authenticator app or hardware key is much stronger. Enforce MFA centrally through single sign-on (SSO) integrated with your identity provider (Okta, Azure AD, Google Workspace).
  • Session management: Expire inactive sessions automatically (15-30 minutes). Unauthorized access still occurs through open ATS sessions on unattended workstations.
  • Privileged Access Review: Review user permissions quarterly. The most frequent failure in access control is that former employees or employees in changed roles still have permissions they no longer need.

Security Monitoring and Audit Logs

Audit logs are the foundation of security investigation and compliance verification. If your ATS doesn't track every data access, export, and permission change, you can't demonstrate compliance and you can't investigate an incident. Detailed audit trails record who accessed or modified protected data and support accountability.

  • What to log: All logins (successful and failed), all views of candidate records, all exports, all permission changes, all bulk actions, and all API calls from integrations.
  • Log retention: Under GDPR and most industry frameworks, logs should be retained for at least 1 year; 2 years covers federal contractor EEOC obligations and most breach investigation timeframes.
  • Alerting: Create alerts on large data exports (more than 100 records in a single session), failed logins (more than 5 in 10 minutes), permission escalations, and access from unrecognized IP addresses or locations.
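The alert rules above can be run directly over an audit log export. The script below is an added example, not code from the original guide or from any ATS vendor: it parses a constructed JSON-lines audit log (the field names `ts`, `user`, `session`, `event`, `ok`, `ip`, `records`, `target` and `new_role` are assumptions for this example) and applies the four thresholds from the bullet list: more than 100 records exported in one session, more than 5 failed logins in 10 minutes, any grant of an elevated role, and access from an address outside the known corporate ranges (also assumed).

```python
import ipaddress
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the alerting bullet above.
EXPORT_RECORDS_PER_SESSION = 100            # more than this in one session -> alert
FAILED_LOGIN_LIMIT = 5                      # more than this within the window -> alert
FAILED_LOGIN_WINDOW = timedelta(minutes=10)

# Assumed corporate/VPN address ranges; any source address outside them is
# reported as "unrecognized". Replace with your own ranges.
KNOWN_NETWORKS = [ipaddress.ip_network("10.0.0.0/8"),
                  ipaddress.ip_network("192.168.1.0/24")]
ELEVATED_ROLES = {"admin", "integration_admin"}   # assumed role names

# Constructed sample audit log, one JSON object per line. The schema is an
# assumption for this example, not any vendor's real export format.
SAMPLE_LOG = """\
{"ts":"2024-05-01T09:00:00","user":"recruiter1","session":"s1","event":"login","ok":true,"ip":"10.0.0.5"}
{"ts":"2024-05-01T09:05:00","user":"recruiter1","session":"s1","event":"export","records":60,"ip":"10.0.0.5"}
{"ts":"2024-05-01T09:09:00","user":"recruiter1","session":"s1","event":"export","records":55,"ip":"10.0.0.5"}
{"ts":"2024-05-01T10:00:00","user":"hr_admin","session":"s2","event":"login","ok":true,"ip":"203.0.113.7"}
{"ts":"2024-05-01T10:01:00","user":"hr_admin","session":"s2","event":"permission_change","target":"recruiter2","new_role":"admin","ip":"203.0.113.7"}
{"ts":"2024-05-01T11:00:00","user":"bob","session":"s3","event":"login","ok":false,"ip":"10.0.0.9"}
{"ts":"2024-05-01T11:01:00","user":"bob","session":"s3","event":"login","ok":false,"ip":"10.0.0.9"}
{"ts":"2024-05-01T11:02:00","user":"bob","session":"s3","event":"login","ok":false,"ip":"10.0.0.9"}
{"ts":"2024-05-01T11:03:00","user":"bob","session":"s3","event":"login","ok":false,"ip":"10.0.0.9"}
{"ts":"2024-05-01T11:04:00","user":"bob","session":"s3","event":"login","ok":false,"ip":"10.0.0.9"}
{"ts":"2024-05-01T11:05:00","user":"bob","session":"s3","event":"login","ok":false,"ip":"10.0.0.9"}
{"ts":"2024-05-01T12:00:00","user":"recruiter3","session":"s4","event":"view","ip":"10.0.1.2"}
"""


def parse_log(text):
    """Parse JSON-lines audit records and convert timestamps to datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return events


def detect(events):
    """Return (rule, user, detail) tuples for every event that trips a rule."""
    alerts = []
    exported_per_session = defaultdict(int)   # session id -> records exported so far
    failed_logins = defaultdict(list)         # user -> timestamps of recent failures
    flagged_ips = set()                       # (user, ip) pairs already reported

    for event in sorted(events, key=lambda e: e["ts"]):
        user, ip = event["user"], ipaddress.ip_address(event["ip"])

        # Rule: access from outside the known ranges (reported once per user/ip).
        if not any(ip in net for net in KNOWN_NETWORKS) and (user, str(ip)) not in flagged_ips:
            flagged_ips.add((user, str(ip)))
            alerts.append(("unrecognized_ip", user, str(ip)))

        kind = event["event"]
        if kind == "export":
            # Rule: cumulative records exported in one session crosses the threshold.
            session = event["session"]
            before = exported_per_session[session]
            exported_per_session[session] += event["records"]
            if before <= EXPORT_RECORDS_PER_SESSION < exported_per_session[session]:
                alerts.append(("bulk_export", user, exported_per_session[session]))
        elif kind == "login" and not event["ok"]:
            # Rule: sliding 10-minute window of failed logins per user.
            recent = [t for t in failed_logins[user] if event["ts"] - t <= FAILED_LOGIN_WINDOW]
            recent.append(event["ts"])
            failed_logins[user] = recent
            if len(recent) == FAILED_LOGIN_LIMIT + 1:      # fire once when the limit is exceeded
                alerts.append(("failed_logins", user, len(recent)))
        elif kind == "permission_change" and event.get("new_role") in ELEVATED_ROLES:
            # Rule: any grant of an elevated role.
            alerts.append(("permission_escalation", user, event["target"]))
    return alerts


def run_sample():
    """Apply the rules to the constructed log above."""
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

On the sample log this produces one alert per rule: the 60 + 55 record exports in session `s1` cross the 100-record line, `hr_admin` connects from an address outside the known ranges and grants the admin role, and `bob` reaches six failed logins inside ten minutes. In production the same rules would read from the vendor's audit export or SIEM feed rather than an embedded string.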

ATS Vendor Security Assessment Framework

Most ATS buyers evaluate vendors on features and price. Security due diligence before signing is far less expensive than a breach response after. Use this framework before committing to any ATS vendor. Implementing advanced security technologies, such as secure coding practices and regular security testing, minimizes vulnerabilities in applicant tracking systems.

15-Question Vendor Security Questionnaire

Certifications and compliance:

  • Do you hold a current SOC 2 Type II certification? What is the last audit date?
  • Are you ISO 27001 certified? What is the certification scope?
  • Do you have a current penetration test report available under NDA?

Data handling:

  • Where is candidate data stored? What countries/regions do your data centers operate in?
  • Do you offer EU data residency for GDPR compliance?
  • What is your data retention and deletion policy? Can we trigger deletion on demand?
  • Do you sell or share candidate data with any third parties, including analytics or advertising partners?

Incident response:

  • What is your breach notification timeline? (GDPR requires 72 hours to the supervisory authority)
  • Have you experienced a data breach in the last 3 years? If so, what was the scope and resolution?
  • Do you carry cyber liability insurance? What is the coverage limit?

Technical controls:

  • What encryption standard is used for data at rest and in transit?
  • Do you support SSO and enforce MFA for all user roles?
  • How are third-party integrations authenticated? Do you use OAuth 2.0 or API keys?
  • What is your patch management cycle for security vulnerabilities?

ATS Integration Security and Third-Party Risk

Any system that connects to your ATS is an extension of your attack surface; the ATS is only as secure as the least secure system it connects to. Most organizations secure the ATS itself and neglect security at the integration level. Regular training sessions should cover topics such as recognizing phishing attempts, creating strong passwords, and understanding data privacy regulations, so that employees handle sensitive information responsibly.

HRIS integration

New hire data flowing from the ATS to the HRIS should use API authentication (OAuth 2.0 preferred over API keys), encrypted transport, and field-level validation. An HRIS sync failure should trigger an alert, never fail silently.
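The field-level validation and "alert, never fail silently" rule can be enforced in the sync code itself. The following is an added example and not the guide's or any HRIS vendor's code: it checks an outbound new-hire record against an allow-list of fields (so interview notes or assessment data never leave the ATS), validates the fields that are present, and treats both validation and transport problems as loud failures. The field names, the `send` transport callback (in production an OAuth 2.0 bearer-token call over TLS) and the `alert` callback are assumptions for this example.

```python
import re
from datetime import date

# Data minimization: only these fields may leave the ATS for the HRIS
# (assumed field names for this example).
ALLOWED_FIELDS = {"first_name", "last_name", "email", "start_date", "job_title", "ssn"}
REQUIRED_FIELDS = {"first_name", "last_name", "email", "start_date"}

EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class SyncFailure(Exception):
    """Raised so a bad sync surfaces to the caller instead of failing silently."""


def validate_new_hire(record):
    """Return a list of field-level problems; an empty list means the record may be sent."""
    errors = []
    unexpected = set(record) - ALLOWED_FIELDS
    if unexpected:
        # Interview notes, assessment scores etc. must never be pushed to the HRIS.
        errors.append(f"fields not permitted to leave the ATS: {sorted(unexpected)}")
    missing = REQUIRED_FIELDS - set(record)
    if missing:
        errors.append(f"missing required fields: {sorted(missing)}")
    if "email" in record and not EMAIL_RE.match(record["email"]):
        errors.append("email is malformed")
    if "ssn" in record and not SSN_RE.match(record["ssn"]):
        errors.append("ssn is not in NNN-NN-NNNN form")
    if "start_date" in record:
        try:
            date.fromisoformat(record["start_date"])
        except ValueError:
            errors.append("start_date is not an ISO date")
    return errors


def sync_new_hire(record, send, alert):
    """Validate, then hand the record to `send` (the HRIS transport).
    Any problem calls `alert` and raises SyncFailure; nothing is swallowed."""
    errors = validate_new_hire(record)
    if errors:
        alert(f"HRIS sync rejected for {record.get('email', '<no email>')}: {errors}")
        raise SyncFailure(errors)
    try:
        send(record)
    except Exception as exc:               # transport/HTTP errors from the real client
        alert(f"HRIS sync failed for {record['email']}: {exc}")
        raise SyncFailure([str(exc)]) from exc
    return True


def demo():
    """Constructed records: one clean, one that carries interview notes and a bad SSN.
    Returns (records actually sent, alerts raised)."""
    sent, alerts = [], []
    good = {"first_name": "Ada", "last_name": "Lovelace", "email": "ada@example.com",
            "start_date": "2024-07-01", "job_title": "Engineer"}
    bad = dict(good, ssn="12-345-6789", interview_notes="strong candidate")
    sync_new_hire(good, sent.append, alerts.append)
    try:
        sync_new_hire(bad, sent.append, alerts.append)
    except SyncFailure:
        pass
    return sent, alerts


if __name__ == "__main__":
    sent, alerts = demo()
    print(f"sent {len(sent)} record(s); {len(alerts)} alert(s): {alerts}")
```

The allow-list is the important part: validation of individual fields catches typos, but the allow-list is what stops a mis-mapped integration from quietly copying screening data into a payroll system.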

Background Checks Services

Background check companies receive the most sensitive candidate data: SSN, date of birth, and address history. Verify that the provider is SOC 2 compliant before integrating. Ensure that background check results are sent directly to the ATS and are not retained indefinitely on the provider's platform.

Job boards

Indeed, LinkedIn and Glassdoor applications include source data that may contain tracking identifiers. Confirm that your ATS removes third-party tracking parameters from the data that comes in with applications.
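Stripping third-party tracking parameters at the intake boundary is a small piece of code. The function below is an added example, not the guide's or any ATS vendor's code. It keeps the job board name as the attribution source but removes tracking identifiers from the incoming application URL; the list of parameter names (`utm_*`, `fbclid`, `gclid`, `refId`, `trackingId` and so on) is an assumption built from common ad, analytics and job-board identifiers, and the `source_url` / `source_params` field names of the application record are likewise assumed.

```python
from urllib.parse import parse_qsl, urlencode, urlsplit, urlunsplit

# Parameter names treated as third-party tracking. This list is an assumption
# for the example; extend it from what actually arrives in your ATS.
TRACKING_PREFIXES = ("utm_", "_hs", "mc_")
TRACKING_PARAMS = {"fbclid", "gclid", "msclkid", "dclid", "ref", "refid",
                   "trackingid", "trk", "originaltrackingid"}


def is_tracking_param(name):
    """Case-insensitive match against the known tracking names and prefixes."""
    lowered = name.lower()
    return lowered in TRACKING_PARAMS or lowered.startswith(TRACKING_PREFIXES)


def strip_tracking(url):
    """Return (clean_url, removed) where `removed` maps dropped parameter names to
    their values. Functional parameters (job id, page position) are preserved in
    order; the URL fragment is dropped because it can carry identifiers too."""
    parts = urlsplit(url)
    kept, removed = [], {}
    for name, value in parse_qsl(parts.query, keep_blank_values=True):
        if is_tracking_param(name):
            removed[name] = value
        else:
            kept.append((name, value))
    clean = urlunsplit((parts.scheme, parts.netloc, parts.path, urlencode(kept), ""))
    return clean, removed


def sanitize_application(application):
    """Apply the stripping to an inbound application record (assumed schema):
    keep `source` (the board name) for attribution, clean `source_url`, and drop
    any raw query-string map the board passed along in `source_params`."""
    clean = dict(application)
    if "source_url" in clean:
        clean["source_url"], _ = strip_tracking(clean["source_url"])
    clean.pop("source_params", None)
    return clean


if __name__ == "__main__":
    # Constructed inbound record, not real job-board output.
    sample = {
        "source": "linkedin",
        "source_url": "https://www.linkedin.com/jobs/view/123?refId=abc&trackingId=xyz&position=1",
        "source_params": {"trk": "public_jobs_apply"},
        "candidate_email": "ada@example.com",
    }
    print(sanitize_application(sample))
```

Keep the `removed` map out of the candidate record; if you need it at all, it belongs in a short-lived integration log, not in the profile that follows the candidate through the pipeline.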

Video interviewing platforms

If your ATS integrates with a video interviewing tool that uses AI analysis (tone, facial expression, keyword scoring), the biometric data collection obligations of Illinois BIPA and GDPR Article 9 are triggered whether you configured the feature intentionally or not.

Emerging ATS Security Threats and Future Considerations

Establishing a culture of security awareness within an organization involves conducting regular training sessions, encouraging open communication about security issues, and recognizing employees who demonstrate strong security practices.

Zero Trust Architecture for ATS Environments

Zero Trust security operates on the principle of 'never trust, always verify'; no user, device, or system is trusted by default, even inside the network perimeter. Academic research identifies Zero Trust as a critical solution for protecting HR tech from deepfake resumes, credential fraud, and insider threats.

  • Identity verification at every access point: Every ATS session requires identity verification, not just at login, but at each sensitive action (bulk export, permission change, integration configuration).
  • Device trust: ATS access from unmanaged personal devices is a Zero Trust violation. Configure your identity provider to enforce device compliance checks before granting ATS access.
  • Micro-segmentation: Separate recruiter access, hiring manager access, and admin access at the network level, not just at the application permission level.
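The three bullets above, plus the session expiry rule from the access control section, reduce to a per-request policy check. The code below is an added example of such a check and is not from the guide or any ATS product: every request re-evaluates idle timeout, device compliance and role permission, and the sensitive actions named above (bulk export, permission change, integration configuration) additionally require an MFA challenge completed within the last few minutes. The role map, the 5-minute step-up window, the 15-minute idle timeout and the `Session` fields (which in practice come from the identity provider) are assumptions for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed role -> permitted actions. Recruiters and hiring managers never get
# the sensitive actions at all; admins get them only after step-up MFA.
ROLE_ACTIONS = {
    "recruiter": {"view_candidate", "update_stage"},
    "hiring_manager": {"view_candidate"},
    "admin": {"view_candidate", "update_stage", "bulk_export",
              "permission_change", "integration_config"},
}
STEP_UP_ACTIONS = {"bulk_export", "permission_change", "integration_config"}
STEP_UP_MAX_AGE = timedelta(minutes=5)    # assumed: MFA must be this fresh for sensitive actions
IDLE_TIMEOUT = timedelta(minutes=15)      # lower end of the 15-30 minute range above


@dataclass
class Session:
    user: str
    role: str
    device_managed: bool        # asserted by the identity provider's device check
    mfa_verified_at: datetime   # time of the last successful MFA challenge
    last_activity: datetime


def authorize(session, action, now):
    """Return (allowed, reason). Every check runs on every request, not just at login."""
    if now - session.last_activity > IDLE_TIMEOUT:
        return False, "session expired: re-login required"
    if not session.device_managed:
        return False, "unmanaged device: access denied"
    if action not in ROLE_ACTIONS.get(session.role, set()):
        return False, f"role {session.role!r} is not permitted to {action}"
    if action in STEP_UP_ACTIONS and now - session.mfa_verified_at > STEP_UP_MAX_AGE:
        return False, "step-up MFA required for sensitive action"
    session.last_activity = now
    return True, "allowed"


def demo():
    """Walk one admin session through the checks with constructed timestamps."""
    t0 = datetime(2024, 5, 1, 9, 0)
    admin = Session("alice", "admin", True, mfa_verified_at=t0, last_activity=t0)
    return [
        authorize(admin, "view_candidate", t0 + timedelta(minutes=1)),   # routine action
        authorize(admin, "bulk_export", t0 + timedelta(minutes=2)),      # MFA is 2 min old: ok
        authorize(admin, "bulk_export", t0 + timedelta(minutes=10)),     # MFA is 10 min old: step-up
        authorize(Session("bob", "recruiter", False, t0, t0), "view_candidate", t0 + timedelta(minutes=1)),
        authorize(Session("cara", "recruiter", True, t0, t0), "bulk_export", t0 + timedelta(minutes=1)),
        authorize(Session("dan", "recruiter", True, t0, t0), "view_candidate", t0 + timedelta(minutes=20)),
    ]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The order of the checks matters: device and session state are evaluated before role, so an attacker who has obtained a valid session token on an unmanaged machine is refused before the application even consults the permission model.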

AI Screening Security Risks

AI-driven data processing creates risks of data breaches, unauthorized access, and privacy violations that standard ATS security frameworks don't address. As machine learning-powered adaptive security measures are being developed specifically for HR tech, organizations must understand both the attack surface AI creates and the security tools AI enables.

  • Training data exposure: AI screening models trained on historical candidate data can inadvertently encode PII from training records. Ask vendors specifically whether candidate data is used to train their AI models and whether you can opt out.
  • Model manipulation: Adversarial inputs designed to game AI screening algorithms are an emerging threat. Monitor for unusual patterns in application data that suggest coordinated manipulation.
  • Deepfake candidate fraud: Video interviewing platforms that use AI identity verification face deepfake attacks, in which AI-generated video of a fake candidate passes as a real applicant. This is a documented threat in high-competition technical hiring.

ATS Data Retention and Security

Data you don't need is data you're responsible for. Holding onto candidate data longer than the law requires expands the breach surface without any compliance benefit. Regular security audits are essential for maintaining data security in applicant tracking systems, helping to identify vulnerabilities and ensure compliance with data protection regulations.

  • EEOC minimum retention: 1 year from date of personnel action (private employers), 2 years for federal contractors. This is the floor, not the target.
  • GDPR deletion requirement: Candidate data has to be deleted when the purpose for which it was collected has been achieved, and there is no other legal basis for keeping the data. This is typically 6-12 months after rejection for rejected candidates, as detailed in your Privacy Notice.
  • Deletion verification: Deleting a candidate record in the ATS interface does not ensure that it has been deleted from backups, log files, or systems that are connected to the ATS. Confirm with your vendor that the deletion is propagated to all data stores, including disaster recovery backups.
  • Candidate deletion requests: The GDPR right to erasure and CCPA deletion rights require a documented process for responding to candidate deletion requests within 30 days. Not all ATS platforms support this. Check that yours does.
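The four bullets above combine into one retention schedule: a record may be purged only once the EEOC floor has passed and the Privacy Notice window has elapsed, an erasure request has a 30-day response clock that may collide with a still-running legal floor, and "deleted" is only true once every store confirms it. The code below is an added example, not the guide's or any vendor's implementation. It assumes a 12-month Privacy Notice window (the guide gives 6-12 months as typical), assumes that an erasure request arriving before the legal floor is routed to legal review rather than auto-approved or auto-denied, and uses constructed store contents for the propagation check.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Legal floors from the bullets above: 1 year for private employers, 2 years
# for federal contractors.
EEOC_FLOOR_YEARS = {"private": 1, "federal_contractor": 2}
# Assumed: the Privacy Notice promises deletion 12 months after rejection.
PRIVACY_NOTICE_MONTHS = 12
ERASURE_RESPONSE_DAYS = 30


def add_months(d, months):
    """Calendar-aware month arithmetic (clamps the 31st to the last day of the month)."""
    years, month_index = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month_index + 1
    next_month_start = date(year + (month == 12), (month % 12) + 1, 1)
    last_day = (next_month_start - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))


@dataclass
class Candidate:
    candidate_id: str
    action_date: date                 # rejection (or other personnel action) date
    employer_type: str = "private"    # "private" or "federal_contractor"


def legal_floor(c):
    """Earliest date the EEOC retention obligation allows deletion."""
    return add_months(c.action_date, 12 * EEOC_FLOOR_YEARS[c.employer_type])


def scheduled_deletion(c):
    """Purge date: the later of the legal floor and the Privacy Notice window."""
    notice_window = add_months(c.action_date, PRIVACY_NOTICE_MONTHS)
    return max(legal_floor(c), notice_window)


def erasure_request(c, requested_on):
    """Return (response deadline, legal_hold) for a GDPR/CCPA erasure request.
    legal_hold is True when the retention floor is still running, which the
    example routes to legal review (an assumption, not legal advice)."""
    deadline = requested_on + timedelta(days=ERASURE_RESPONSE_DAYS)
    return deadline, requested_on < legal_floor(c)


def verify_deletion(candidate_id, stores):
    """stores: store name -> set of candidate ids still present. Returns the
    stores that still hold the record; an empty list means deletion propagated."""
    return sorted(name for name, ids in stores.items() if candidate_id in ids)


if __name__ == "__main__":
    rejected = Candidate("c-1", date(2024, 3, 15))
    print("purge on", scheduled_deletion(rejected))
    print("erasure request:", erasure_request(rejected, date(2024, 6, 1)))
    # Constructed store snapshot after a UI delete: primary is clean, copies are not.
    snapshot = {"primary_db": set(), "nightly_backup": {"c-1"}, "search_index": {"c-1", "c-9"}}
    print("still present in:", verify_deletion("c-1", snapshot))
```

Run against a real environment, `verify_deletion` would be fed by queries against each store the vendor has confirmed in writing (primary database, backups, search indexes, connected systems); the point of the function is that the deletion job is not finished until that list comes back empty.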

Conclusion

ATS data security is not a vendor feature; it is an organizational responsibility. The vendor provides the infrastructure, the certification, and the technical controls. The employer decides who gets access, what data is collected, how long it is retained, and how breaches are dealt with.

The organizations that avoid costly incidents are not the ones with the most sophisticated security tools. They are the ones that got access controls right the first time, reviewed them regularly, and knew exactly what data they had and where it was when the question came up. Begin there. Review the current ATS user permissions. Pull a data map of what your ATS gathers and where it goes. Check your vendor's SOC 2 status. Create a schedule; technical controls can be added incrementally, but the foundational decisions determine whether they matter.

FAQs

What data security measures should an ATS provider have?

An ATS provider should, at a minimum, offer SOC 2 Type II certification, ISO 27001 compliance, AES-256 encryption at rest, TLS 1.3 encryption in transit, SSO, and enforced MFA for all users. It should also support GDPR-compliant data residency, provide a clear Data Processing Agreement (DPA), carry cyber liability insurance, and maintain a documented breach notification process with GDPR-aligned reporting timelines.

Who owns ATS data security: the vendor or the employer?

ATS security is a shared responsibility. The vendor is responsible for platform security: infrastructure, encryption, system patching, and compliance certifications. The employer acts as the data controller.

How long is candidate data stored in an ATS?

US private employers usually need to keep candidate records for at least one year, as required by the EEOC; federal contractors must keep them for two years. When a candidate is not selected, their information is kept for 6 to 12 months after rejection, as stated in the company's Privacy Notice, and then removed.

What is Zero Trust, and why is it important for ATS security?

Zero Trust is a security framework that assumes no user, device, or network should be automatically trusted. In an ATS environment, this includes mandatory MFA for every session, blocking access from unmanaged devices, re-authentication for sensitive actions like bulk exports, and continuous logging of user activity. This approach helps reduce unauthorized access and data breach risks.

Does GDPR apply to US companies using an ATS?

Yes. GDPR applies to any company collecting or processing data from EU residents, regardless of where the company is located. A US company hiring candidates from EU countries must comply with GDPR requirements such as data minimization, purpose limitation, right to erasure, lawful processing, data residency, and breach notification obligations.

Gauri Asopa

Senior Marketing Executive at Zimyo

I believe great content isn't just written — it's felt. As a Senior Marketing Executive at Zimyo, I craft stories around HR tech, payroll, compliance, and modern workplace trends. Whether it's a blog, brand campaign, or email sequence, I love turning complex ideas into clear, engaging narratives. My journey has always been rooted in curiosity — about people, patterns, and what makes a message truly stick. When I'm not writing, I'm curating mood boards, collecting new books, or getting lost in lofi playlists and timeless aesthetics.
