Trust & Security Center

Your hire data is safe with us.

We are a B2B platform processing the personal data of your new hires. We treat that responsibility seriously — with EU-hosted infrastructure, encryption at rest and in transit, GDPR compliance, and a UK legal entity you can sign a contract with.

GDPR & UK GDPR compliance

We are fully compliant with both the EU General Data Protection Regulation (GDPR) and the UK GDPR. In our model, your company acts as the Data Controller and onboarding.team acts as the Data Processor: we process hire data only on your documented instructions.

  • You own your data. We do not sell or monetise it.
  • Right to be forgotten — deleting a hire permanently removes their personal data within 30 days.
  • Data export and access controls are built into the platform.

Infrastructure & hosting

The platform runs on world-class EU-region cloud infrastructure with strong physical and network security.

  • EU-region data centres (no transfer outside the EEA by default).
  • Encryption at rest (AES-256) and in transit (TLS 1.2+).
  • Automated rolling backups and disaster-recovery procedures.
  • Production access limited to a small number of authorised engineers, with audit logging on administrative actions.

Authentication & SSO

Single Sign-On is included on every paid plan — not gated to Enterprise.

  • Google Workspace and Microsoft 365 (OIDC).
  • Custom IdPs over SAML 2.0 / OIDC.
  • Role-based access for managers, mentors, and hires.
  • Optional 2FA on the admin role.

Secure payments via Stripe

We use Stripe — the industry standard for online payments — to process every paid subscription. We do not see, store, or process your card details directly.

  • Stripe is certified to PCI-DSS Service Provider Level 1, the most stringent level.
  • All payment data is encrypted and securely transmitted.
  • Automated VAT / sales-tax compliance via Stripe Tax.

Sub-processors

We engage a small set of vetted sub-processors. Each is bound by a written data-processing agreement requiring at least the same level of protection we provide.

  • EU-region cloud hosting (compute, storage, backups).
  • Stripe — payment processing.
  • Plausible — cookie-less marketing analytics.
  • Transactional email provider for trial / account / security emails.

The current sub-processor list is also documented in our Data Processing Agreement. The full version with provider names and regions is available on request.

UK legal entity

onboarding.team is operated by FRANCHISE FAMILY LTD, registered in the United Kingdom. We operate under the jurisdiction of England and Wales — a strong, transparent, and globally recognised legal framework for B2B relationships.

Responsible disclosure

Found a security issue? Please email hello@onboarding.team with the subject “Security disclosure”. We acknowledge reports within 2 business days and will keep you updated until the issue is resolved. Please do not publicly disclose the issue until we have had a reasonable chance to fix it.