— Security & Compliance

Built for enterprise.

Defensible anywhere.

OAD.ai meets the security, privacy, and assessment standards required by the world’s most regulated industries, so your procurement team can say yes.

APA

American Psychological Association standards met

Validated

BPS

British Psychological Society Level B qualified

Certified

GDPR

EU General Data Protection Regulation compliant
EU General Data Protection Regulation compliant

Compliant

PIPEDA

Canadian Personal Information Protection Act compliant

Compliant

256-bit Encryption

At rest, with TLS 1.3 on traffic

Data Residency

US, EU, Canada available

SSO & SCIM

Enterprise provisioning

Audit Logs

Full event trail, exportable

Assessments Validated

38 years of science

APA / BPS

Assessment Science Compliance

Assessment Compliance

Built on published,
reviewed science.

OAD’s behavioral diagnostic is built on assessment methodology aligned with APA and BPS standards, the governing bodies for assessment science in the US and the UK. Documentation is available for your legal and procurement review.

Assessment Validation Summary

Fully Validated

Security Architecture Overview

Encryption & Access

AES-256 · TLS 1.3 · quarterly penetration testing

Infrastructure Security

Enterprise-grade security out of the box.

OAD.ai runs on enterprise-grade infrastructure security: encryption in transit and at rest, isolated cloud infrastructure, and independent penetration testing on a regular cadence.

GDPR / PIPEDA

Data Privacy Compliance

Data Privacy

Your candidates' data is protected.

OAD.ai is fully compliant with GDPR (EU/UK), PIPEDA (Canada), and applicable US state privacy laws. We collect only what is necessary to deliver the assessment, nothing more.

Data Handling Principles

GDPR Compliant

Enterprise Access Controls

SSO, SCIM, and role-based access.

Enterprise clients get full identity management integration, so user provisioning, deprovisioning, and access control is handled by your existing identity provider.

Single Sign-On (SSO)Available on Enterprise plans. SAML 2.0 and OIDC support. Works with Okta, Azure AD, Google Workspace, and any major identity provider. No separate OAD passwords required for your team.

SCIM ProvisioningAutomatic user provisioning and deprovisioning via SCIM 2.0. New employees get access instantly. Departing employees are deprovisioned the moment they leave your IdP.

Role-Based Access ControlRole-based permissions control who can send assessments, view profiles, access team reports, and export data. Client-configurable roles, where your admins create and edit their own roles, arrive in OAD 2.0.

Audit LogsComplete audit trail of main user actions, survey sends, profile views, data exports, and admin changes. Exportable on request.

Data SegregationEnterprise clients get logically isolated data environments. Your assessment data is never co-mingled with other clients’ data at the storage layer.

Dedicated Security ContactEnterprise clients receive a named security contact for procurement reviews, vendor questionnaires, and incident response. Average response time: under 4 business hours.

The Science Behind OAD

38 years of behavioral

performance data.

OAD’s assessment methodology has been continuously validated since 1986, across industries, geographies, and roles. No competitor has a validation dataset that comes close.

10M+

Assessments completed across 40+ countries, the largest behavioral performance dataset of its kind

38yr

Of continuous validation since 1986, more longitudinal data than any assessment competitor on the market

40+

Countries and industries in the validation dataset, covering sales, ops, support, logistics, and leadership roles

7min

The full behavioral assessment, from first question to a complete profile result

Compliance FAQ

Questions your procurement team will ask.

Can OAD be used in hiring without legal risk?OAD measures behavioral drive, not personality type, cognitive ability, or any protected characteristic, and content validity documentation is available for legal and procurement review. As with any assessment, we recommend using OAD as one structured input in your hiring process rather than a sole deciding factor. Our team can support your legal and compliance review on request.

Does OAD comply with GDPR?Yes. OAD collects explicit consent before every assessment, supports data residency in the EU (Frankfurt), provides Data Processing Agreements to all enterprise clients, and honors right-to-erasure requests within 30 days. A full GDPR compliance review is available to procurement teams on request.

Can candidates request deletion of their assessment data?Yes. Under GDPR, PIPEDA, and applicable US state privacy laws, participants have the right to access, correct, and request deletion of their assessment data. Requests are processed within 30 days and a deletion confirmation audit trail is provided to the client administrator.

Does OAD support SSO and SCIM?Yes, for Enterprise plan clients. OAD supports SAML 2.0 and OIDC for SSO with Okta, Azure AD, Google Workspace, and all major identity providers. SCIM 2.0 is supported for automated user provisioning and deprovisioning.

Is assessment data used to train AI models?No. Assessment data from OAD clients is never used to train third-party AI or machine learning models. Client data is used solely to deliver the services contracted. OAD’s own proprietary behavioral model is trained on aggregated, anonymized historical data with explicit consent provisions in place

Documentation

Everything your procurement team needs.

Validation & Science BriefOverview of OAD’s assessment methodology, content validity, and alignment with APA and BPS standards.

Security OverviewInfrastructure architecture, encryption standards, and penetration testing cadence.

Privacy & GDPR OverviewData collection practices, retention policies, participant rights, data residency options, and a summary of GDPR and PIPEDA compliance measures.Privacy & GDPR Overview
Data collection practices, retention policies, participant rights, data residency options, and a summary of GDPR and PIPEDA compliance measures.

Data Processing AgreementStandard DPA for GDPR and PIPEDA compliance. Enterprise clients receive a pre-signed DPA as part of their contract. Custom DPAs available on request.

Vendor Security QuestionnairePre-completed standard information security questionnaire covering infrastructure, access controls, data handling, and business continuity. Available on request.

Ready to put OAD through procurement?

Your Performance Director can provide all documentation, answer security questionnaires, and join procurement calls directly.