
Security & compliance
Built for industries where trust is non-negotiable.
Cleo handles government-issued identity documents, biometric liveness signals, and GPS location data on behalf of real people applying for real jobs. We take that responsibility seriously — not because compliance requires it, but because the 80 million frontline workers who use products like Cleo deserve it.
Compliance status
Where we are and where we're headed.
We're a pre-seed company building in public. Here's an honest, current snapshot — no vague reassurances.
Live
Data encryption
All candidate data encrypted in transit (TLS 1.2+) and at rest (AES-256). Applies to all PII including screening responses, verification results, and FitScore data.
Live
Access controls & audit logging
Role-based access controls limit who on the Cleo team can access candidate data. All data access events are logged with timestamps and user attribution.
Live
ID document handling policy
Raw government ID images are processed for verification only and immediately discarded. Cleo retains only the verification result (pass/fail) — never the document image itself.
Live
Connect your postings
Candidate data rights enforced for California residents. Cleo does not sell data. Disclosure provided at point of collection.
Live
SOC 2 Type II
SOC 2 Type II audit in progress. Expected completion: Q3 2026. Security documentation available for enterprise evaluations on request.
In progress
Connect your postings
Link your current job board or ATS. Cleo picks up your open reqs and starts screening immediately — no migration, no downtime.
In progress
Penetration testing
Third-party penetration test scheduled for Q2 2026. Internal vulnerability scanning runs continuously. Results shared under NDA with enterprise customers.

Legal & regulatory compliance
Designed for regulated industries.
EEOC
Identity verification ≠ background screening
Cleo's ID verification confirms a candidate is who they say they are — it does not assess criminal history, credit, or any protected characteristic. Cleo does not produce background check reports.
CCPA / CPRA
California candidate rights enforced
Candidates in California are provided notice at collection, right to access, right to deletion, and right to opt out of any data sale. Cleo does not sell candidate data.
BIPA consideration
Liveness data handling — Illinois
Cleo's liveness detection processes a real-time signal to confirm a live person is present. Raw biometric identifiers are not collected or stored. Employers in Illinois should contact us for a current compliance summary.

Infrastructure
How the platform is built.
Cloud hosting
Hosted on AWS infrastructure in US-East regions. No candidate data leaves the United States.
Encryption standards
TLS 1.2+ in transit. AES-256 at rest. Database-level encryption with key rotation.
Third-party subprocessors
Identity verification powered by a SOC 2 Type II certified subprocessor. Full list available on request.
Uptime & availability
99.9% uptime SLA for employer-facing services. Planned maintenance communicated 48 hours in advance.

Candidate rights
General privacy
privacy@cleohr.com
Security disclosures
security@cleohr.com
Enterprise reviews
Request via demo call
Data deletion requests
privacy@cleohr.com
Enterprise security review?
We'll walk your IT or legal team through our controls, subprocessor list, and compliance roadmap.



