Executive Summary
AI-generated analysis for Icims
iCIMS (icims.com) is an established enterprise talent acquisition and HR technology platform assessed at Risk Tier 3 (Moderate Risk), reflecting a vendor with a strong operational foundation and meaningful compliance posture, offset by several areas requiring follow-up before full approval. Positive signals are notable across multiple dimensions:
Key Findings
- The domain has been registered since 1999 and archived since 2000, demonstrating over 25 years of continuous online presence — a strong indicator of organizational stability.
- Infrastructure is minimal and well-controlled: only 2 open ports (80 and 443) detected, no known CVEs associated with the detected services, and a clean IP reputation with 0 abuse reports. This represents a significantly below-average exposure footprint compared to the SaaS industry norm of 8–12 open ports. Note that an external scan of the public web domain characterises the marketing site and its edge, not the tenant-facing application environment, so the scope of this finding is narrow.
- Domain reputation is clean with no listings on SURBL, Spamhaus DBL, or URLhaus, and the malware detection service used for this check reports no threats.
- Sanctions screening across OFAC, EU, and UN lists returned zero matches.
- iCIMS maintains a dedicated trust center at trust.icims.com, claiming SOC 2 Type 2, SOC 1, ISO 27001:2022, ISO 27701, HIPAA, GDPR, CCPA, CSA STAR Level 1, and additional frameworks including EU-US Data Privacy Framework and TX-RAMP. The SOC 2 claim is further supported by a Drata-hosted trust report, which is a stronger signal than a website claim alone.
- No adverse media was found in either recent or historical searches, and no SEC enforcement filings were identified.
Areas requiring attention include the following:
- Seven of the certifications listed on the trust page are vendor-attested only and could not be independently verified through public registries. ISO 27001 was not found on the IAF CertSearch registry (absence there is not conclusive, since listing depends on the certification body publishing its records, but it does leave the claim unverified), and HITRUST returned an unconfirmed possible match requiring manual verification. Independent verification or direct delivery of the audit reports is required.
- A subprocessor page exists at icims.com/subprocessors but could not be parsed by automated tools, leaving the vendor's third-party supply chain unassessed for this investigation.
- The vendor's AI data usage policy page (icims.com/ai) does not clearly state whether customer data is used for AI model training, nor does it specify data retention periods for AI processing. This is a material gap for buyers with data governance obligations.
- The TLS certificate on the primary domain expires in 63 days, and the presence of 57 distinct certificate issuers across the infrastructure suggests inconsistent certificate lifecycle management. Two caveats apply: 63 days of remaining validity is normal for certificates on an automated 90-day issuance cycle, so the expiry only matters if renewal is manual; and issuer counts aggregated across many hostnames are easily inflated by intermediate-CA name variants and CDN-managed endpoints, so the figure of 57 should be confirmed against the live endpoints before it is read as a control weakness.
- The adverse media scan from one data source was unavailable during this investigation, leaving a partial gap in recent media coverage.
Overall, iCIMS presents as a mature, established vendor with a credible compliance program and strong infrastructure hygiene. The Tier 3 rating reflects the gap between the vendor's compliance claims and independently verified evidence, combined with the unresolved AI data governance question. Conditional approval is appropriate pending delivery of verified audit reports and clarification of AI data handling practices.
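The certificate finding above (remaining validity on the primary domain and the number of distinct issuers across the estate) is the kind of check a reviewer would re-run before accepting it. The script below is an added example, not part of the original report or of any iCIMS tooling. It works on the dictionary that Python's standard-library `ssl.SSLSocket.getpeercert()` returns, so it runs offline on constructed sample certificates with hypothetical hostnames and issuer names, and runs unchanged on live data fetched with the included `fetch_peer_cert()` helper. The warning thresholds are assumptions chosen for the example.

```python
"""Certificate-lifecycle checks of the kind behind the TLS finding above.

Added example, not part of the original report. It works on the dict that
ssl.SSLSocket.getpeercert() returns, so it runs offline on the constructed
samples below and unchanged on live data from fetch_peer_cert().
"""
import socket
import ssl
from collections import Counter
from datetime import datetime, timedelta, timezone

# Thresholds are assumptions for this example, not values from the report.
# Certificates on a 90-day ACME cycle are typically renewed ~30 days out, so
# fewer than 30 days left means a renewal that should already have happened.
WARN_DAYS = 30
CRIT_DAYS = 7

# Fixed reference time so the offline run is deterministic.
NOW = datetime(2025, 6, 1, 12, 0, 0, tzinfo=timezone.utc)


def _rdn(cert_field: tuple) -> dict:
    """Flatten getpeercert()'s nested ((('k', 'v'),), ...) RDN tuples into a dict."""
    return {k: v for rdn in cert_field for k, v in rdn}


def issuer_name(cert: dict) -> str:
    """Stable label for the issuing CA, e.g. 'O=Example CA CN=Example R3'."""
    f = _rdn(cert["issuer"])
    return f"O={f.get('organizationName', '?')} CN={f.get('commonName', '?')}"


def days_until_expiry(cert: dict, now: datetime) -> float:
    """Days from `now` until notAfter; negative once the certificate has expired."""
    # cert_time_to_seconds parses the 'Mon DD HH:MM:SS YYYY GMT' form getpeercert() emits.
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now.timestamp()) / 86400


def assess_cert(cert: dict, now: datetime = NOW) -> dict:
    """Classify one certificate as ok / warn / critical / expired."""
    days = days_until_expiry(cert, now)
    if days < 0:
        status = "expired"
    elif days < CRIT_DAYS:
        status = "critical"
    elif days < WARN_DAYS:
        status = "warn"
    else:
        status = "ok"
    return {
        "subject": _rdn(cert["subject"]).get("commonName", "?"),
        "issuer": issuer_name(cert),
        "days_left": round(days, 1),
        "status": status,
    }


def issuer_spread(certs: list) -> Counter:
    """Count distinct issuers across a fleet; a long tail points to ad-hoc issuance."""
    return Counter(issuer_name(c) for c in certs)


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Live fetch for real use (not exercised offline); same dict shape as the samples."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def _sample(cn: str, issuer_o: str, issuer_cn: str, days: int) -> dict:
    """Constructed certificate dict (hypothetical names) expiring `days` from NOW."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("organizationName", issuer_o),), (("commonName", issuer_cn),)),
        "notAfter": (NOW + timedelta(days=days)).strftime("%b %d %H:%M:%S %Y GMT"),
    }


# Constructed inventory: four hostnames, three distinct issuers, one cert per status.
SAMPLE_CERTS = [
    _sample("www.example.test", "Example CA", "Example R3", 63),
    _sample("api.example.test", "Example CA", "Example R3", 20),
    _sample("legacy.example.test", "Other Trust", "Other G2", 3),
    _sample("old.example.test", "Third Root", "Third CA 1", -1),
]


if __name__ == "__main__":
    for row in (assess_cert(c) for c in SAMPLE_CERTS):
        print(f"{row['status']:<8} {row['days_left']:>7} d  {row['subject']:<22} {row['issuer']}")
    print("issuer spread:", dict(issuer_spread(SAMPLE_CERTS)))
```

To reproduce the report's two numbers against real hosts, replace `SAMPLE_CERTS` with `[fetch_peer_cert(h) for h in hostnames]`: `assess_cert` gives the days-left figure for the primary domain, and `len(issuer_spread(...))` gives the distinct-issuer count, with the `Counter` itself showing whether the tail is a few odd hosts or genuinely scattered issuance.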
Independence Statement
All evidence in this report was independently sourced from external data providers, public registries, and open-source intelligence without vendor participation or notification.