Trust & compliance

Built for the people-data your customers trust you with

Enough to clear a security review. Certificates, DPA and the security questionnaire are available once you sign in.

ISO 27001
Certified information-security management.
GDPR co-controller
Thomas processes assessment data; you control your candidates’ access. Clear shared-responsibility split.
EU AI Act ready
Bias testing, human oversight and transparency documentation for high-risk people decisions.
EU data residency
Hosted in the EU on Microsoft Azure (West Europe). The full sub-processor list and the DPA are available at sign-in.
Minimal data
Emails (or an opaque partner reference) + profile insights, never raw scoring, never the item bank. Scoring + items never leave Thomas.

Data handling

Thomas operates a strict minimal-data egress policy. Three tiers define what may cross the boundary — and what never does:

  • Emails + job-role scores — shared with HR systems where configured.
  • Connection results — at insight level only, never raw scores.
  • Raw scoring + assessment items — these never leave Thomas.

Scoring + items never leave Thomas.

This is an architectural boundary, not a policy choice. The raw item bank and individual scoring data remain exclusively within the Thomas platform.

Downloadable certificates, the security questionnaire, and the Data Processing Agreement (DPA) are available in the logged-in portal.

For partners

Building a partnership, not just an integration?

This portal is the technical front door. For the commercial side (how the partnership works, what you can offer your own customers, and the model), talk to our partnerships team. No code required.