# Trust & compliance

Built for the people-data your customers trust you with. Enough to clear a security review.
Certificates, the DPA and the security questionnaire are available once you sign in.

## Compliance posture

- **ISO 27001** — certified information-security management.
- **GDPR co-controller** — Thomas processes assessment data; you control your candidates'
  access. A clear shared-responsibility split.
- **EU AI Act ready** — bias testing, human oversight and transparency documentation for
  high-risk people decisions.
- **EU data residency** — hosted in the EU on Microsoft Azure (West Europe). The full
  sub-processor list and the DPA are available at sign-in.
- **Minimal data** — emails (or an opaque partner reference) plus profile insights, never
  raw scoring, never the item bank.

## Data handling

Thomas operates a strict minimal-data egress policy. Three tiers define what may cross the
boundary — and what never does:

- **Emails + job-role scores** — shared with HR systems where configured.
- **Connection results** — at insight level only, never raw scores.
- **Raw scoring + assessment items** — these never leave Thomas.

**Scoring + items never leave Thomas.** This is an architectural boundary, not a policy
choice. The raw item bank and individual scoring data remain exclusively within the Thomas
platform.

Downloadable certificates, the security questionnaire and the Data Processing Agreement
(DPA) are available in the logged-in portal.

## For partners

This portal is the technical front door. For the commercial side (how the partnership
works, what you can offer your own customers, and the model), talk to our partnerships
team via our [contact page](https://www.thomas.co/contact-us). No code required.

## Where next

- [Concepts](/concepts.md)
- [Overview](/overview.md)
