Security FAQ

Q1: After plan cancellation, how long do you retain our information, how do you securely delete it, and do you provide proof of secure deletion?


Answer:


We retain customer data for 6 months following account cancellation to allow for account reactivation if needed. After this retention period, we perform complete deletion of all account information including:


  • All customer data from production databases
  • Backup systems and archives
  • Log files containing personally identifiable information


Our deletion process includes:

  • Irreversible removal from all systems
  • Purging from backup retention cycles
  • Verification of complete data removal


Upon request, we can provide a certificate of data destruction confirming secure deletion has been completed.




Q2: Before deletion, what is the process that will allow us to retrieve our information before the account is closed?


Answer:


Customers can export their data at any time before or during the 6-month retention period:


Self-Service Export:

  • Customers can export all candidate-related data directly from the Candidates page


Additional Data Request:

For data not covered by self-service export tools, customers can request a full data archive from our support team. This service is provided on an hourly rate basis as additional service work. Pricing and timeline are available upon request from support.


We recommend using the self-service export functionality regularly to maintain your own backup copies of data.




Q3: What is your supplier security process to ensure the third-parties you use comply with security and confidentiality requirements?


Answer:


We maintain a minimal third-party footprint and only use reputable, certified vendors for essential services:


Vendors with Access to Customer Data:

  • Cloud Infrastructure: Amazon Web Services (AWS), Google Cloud Platform, Microsoft Azure - SOC2 Type II certified
  • Email Delivery: Postmark - Hosted on SOC2 Type II certified infrastructure (AWS)
  • SMS/Text Messaging: Twilio - SOC2 Type II certified
  • Payment Processing: Paddle - PCI-DSS SAQ A compliant
  • Video Conferencing: Zoom - SOC2 Type II certified (for interview scheduling integration)
  • HR & Payroll Integration: Gusto - SOC2 Type II certified (for candidate onboarding)


Service Providers Without Customer Data Access:

  • Job Posting Platforms: We distribute public job descriptions to Indeed, Glassdoor, LinkedIn, ZipRecruiter, Google Jobs, Monster, Talent.com, Jooble, Adzuna, Jora, Trovit, Jobisjob, and Careerjet. These platforms receive only public job posting information, not candidate or customer data.


Vendor Security Requirements:

  • All vendors with access to customer data maintain SOC2 Type II, ISO 27001, or equivalent certification
  • Vendors without appropriate security certifications do not receive access to customer data
  • All vendors handling customer data must sign Data Processing Agreements (DPAs)
  • We conduct security reviews before vendor approval
  • Annual review of critical vendor security posture


Data Protection:

Customer and candidate data is only transmitted to certified vendors with appropriate security controls. Job boards receive only public job posting information without any personally identifiable information.




Q4: What security measures do you have in place to protect customer data (encryption, access control, etc.)?


Answer:


We implement comprehensive security measures across multiple layers:


Encryption:

  • Data in Transit: TLS 1.2+ encryption for all network communications
  • Data at Rest: AES-256 encryption for database storage
  • SSL/TLS Certificates: Valid SSL certificates for all web services
  • Secure Connections: All API and application connections encrypted


Access Control:

  • SSH key-based authentication (password authentication disabled)
  • Multi-factor authentication for security-sensitive systems
  • Network firewall with strict port controls
  • Role-based access control with principle of least privilege


Monitoring & Security:

  • Intrusion prevention and detection systems (fail2ban)
  • Real-time monitoring and alerting (Grafana)
  • Comprehensive security event logging with 90-day retention
  • Regular security assessments and vulnerability management
  • Network segmentation between environments




Q5: Do you specify that disclosure and misuse of customer data is prohibited?


Answer:


Yes, we have multiple mechanisms in place to prohibit disclosure and misuse of customer data:


Legal & Contractual:

  • Employee Agreements: All employees sign confidentiality and non-disclosure agreements upon hiring that explicitly prohibit unauthorized disclosure or misuse of customer data. These obligations survive termination of employment.
  • Vendor Contracts: All third-party vendors sign agreements with strict confidentiality clauses and data protection requirements
  • Data Processing Agreements: Available to customers upon request


Policy Framework:

  • Privacy Policy: Publicly available policy explicitly prohibits unauthorized use or disclosure of customer information
  • Terms of Service: Clear data protection commitments and prohibited uses
  • Internal Security Policies: Documented data handling procedures and acceptable use policies


Enforcement:

  • Training: Regular security awareness training for all employees
  • Monitoring: Access logging and review to detect unauthorized access
  • Consequences: Disciplinary measures up to and including termination for policy violations
  • Breach Notification: Procedures for incident response and customer notification


All personnel with access to customer data are contractually bound to maintain confidentiality and face consequences for violations.




Q6: What is your process around notifying customers of information misuse, security breaches, and changes to your service offerings?


Answer:


We maintain transparent communication processes for all security-related events and service changes:


Security Incident & Breach Notification:

  • Detection & Investigation: Immediate investigation upon detection of potential security incidents
  • Timeline: Customer notification within 72 hours of confirmed data breach via email to registered contact
  • Notification Contents:
    • Nature and scope of the incident
    • Data potentially affected
    • Timeline of the incident
    • Immediate actions taken
    • Mitigation steps implemented
    • Recommendations for customer action
  • Follow-up: Detailed incident report provided within 7 days


Service & Feature Changes:

  • Major Changes: 30-day advance notice via email for significant service modifications
  • Emergency Changes: Immediate notification with explanation when security requires urgent action


Terms of Service Changes:

  • Advance Notice: Minimum 30 days notice via email before changes take effect
  • Change Summary: Clear explanation of what's changing and why
  • Version History: Previous versions archived and accessible


Communication Channels:

  • Primary: Email to registered account contact
  • Support Portal: Detailed changelog and update history


All critical security notifications are sent to ensure customers are promptly informed of any issues affecting their data.




Q7: What access control measures have you put in place to prevent unauthorized access to customer information?


Answer:


We implement comprehensive access control measures across technical and administrative layers:


Technical Controls:


  • SSH Key Authentication:
    • SSH key-based authentication exclusively - password authentication completely disabled
    • Private key infrastructure for all server access
    • Keys rotated regularly and upon personnel changes


  • Firewall & Network Security:
    • Network firewall with strict allow-list rules
    • All ports secured except public web ports (80/443)
    • "Deny all by default" policy on network devices
    • Network segmentation between production and non-production environments


  • Multi-Factor Authentication (MFA):
    • Required for all administrative functions
    • Implemented across security-sensitive systems
    • Required for all vendor and third-party access


  • Application Security:
    • Role-based access control (RBAC) within applications
    • Session Management:
      • Regular user sessions: Extended persistence to optimize user experience
      • Administrative/privileged sessions: 30-minute timeout after inactivity for enhanced security
      • All sessions encrypted and monitored for suspicious activity
    • Account lockout after failed login attempts
    • Encrypted password storage using industry-standard hashing


Administrative Controls:


  • Principle of Least Privilege: Users granted minimum access necessary for job functions
  • Access Reviews: Quarterly review of user access rights
  • Provisioning/De-provisioning:
    • Formal approval process for access requests
    • Immediate access revocation upon termination
    • Regular audit of active accounts


  • Monitoring & Logging:
    • Comprehensive logging of all access attempts (successful and failed)
    • Real-time monitoring with Grafana
    • Intrusion prevention with fail2ban
    • Security event alerting for suspicious activities
    • Log retention minimum 90 days with restricted access to modify logs


  • Physical Security:
    • Physical access controls and monitoring


All access is logged, monitored, and regularly reviewed to prevent and detect unauthorized access attempts.
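The session, lockout and password-storage rules listed under Application Security, as an added illustration in Python that is not the vendor's own code. The 30-minute idle timeout for privileged sessions comes from this page; the lockout threshold of five failures and the PBKDF2-HMAC-SHA256 parameters are assumptions, since the FAQ does not state them.

```python
import hashlib
import hmac
import os
from datetime import datetime, timedelta

ADMIN_IDLE_TIMEOUT = timedelta(minutes=30)  # stated in the FAQ for privileged sessions
LOCKOUT_THRESHOLD = 5                       # assumed; the FAQ gives no number
PBKDF2_ITERATIONS = 600_000                 # assumed; OWASP's current PBKDF2-HMAC-SHA256 figure

def hash_password(password, salt=None):
    # Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored.
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)

def verify_password(password, salt, stored):
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison

class Account:
    def __init__(self, password, privileged=False):
        self.privileged = privileged
        self.salt, self.pw_hash = hash_password(password)
        self.failed_attempts = 0
        self.locked = False
        self.last_activity = None

    def login(self, password, now):
        # Locked accounts are rejected before any hash work; repeated failures lock.
        if self.locked:
            return False
        if not verify_password(password, self.salt, self.pw_hash):
            self.failed_attempts += 1
            if self.failed_attempts >= LOCKOUT_THRESHOLD:
                self.locked = True
            return False
        self.failed_attempts = 0
        self.last_activity = now
        return True

    def session_valid(self, now):
        # Privileged sessions expire after 30 idle minutes; regular sessions persist.
        if self.last_activity is None:
            return False
        if not self.privileged:
            return True
        return now - self.last_activity <= ADMIN_IDLE_TIMEOUT

def demo():
    # Constructed scenarios; returns a dict of outcomes for inspection or testing.
    t0 = datetime(2025, 1, 1, 9, 0)
    admin = Account("correct horse battery staple", privileged=True)
    user = Account("another long passphrase")
    out = {"admin_login": admin.login("correct horse battery staple", t0)}
    out["admin_valid_at_29m"] = admin.session_valid(t0 + timedelta(minutes=29))
    out["admin_valid_at_31m"] = admin.session_valid(t0 + timedelta(minutes=31))
    user.login("another long passphrase", t0)
    out["user_valid_next_day"] = user.session_valid(t0 + timedelta(days=1))
    for _ in range(LOCKOUT_THRESHOLD):
        user.login("wrong password", t0)
    out["user_locked"] = user.locked
    out["locked_login_rejected"] = user.login("another long passphrase", t0)
    return out
```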




Q8: Do you have a documented incident response plan, disaster recovery plan, and business continuity plan?


Answer:


Yes, we maintain documented procedures for operational continuity:


Incident Response:

  • Security incident detection and response procedures
  • Customer notification process (72-hour breach notification)
  • Escalation and communication protocols


Disaster Recovery:

  • Automated backup procedures with regular testing
  • System restoration processes
  • Database and application recovery procedures


Business Continuity:

  • Service continuity procedures during disruptions
  • Critical system dependencies documented
  • Vendor failover contingencies


These procedures are reviewed and updated regularly to ensure effective response to incidents and service continuity.




Q9: Do you permit customers to perform periodic reviews, due diligence and audit reviews as needed?


Answer:


Yes, we support security assurance activities for Enterprise customers:


For Enterprise Customers:

  • Security Questionnaires: We respond to enterprise customer security assessments and due diligence questionnaires
  • Documentation Review: Security policies and procedures available for review under mutual NDA
  • Evidence Sharing: We provide evidence of security controls upon request (screenshots, configurations, sample logs)
  • Virtual Security Reviews: Security review calls with our technical team available
  • Audit Support: We cooperate with customer security audits and provide necessary documentation


Process:

  1. Enterprise customer submits security review request to account manager
  2. We provide requested documentation under appropriate confidentiality agreements
  3. Follow-up calls scheduled as needed to address questions
  4. Ongoing availability for periodic reviews (annual or as needed)


For Standard Customers:

This comprehensive SOC2 security documentation is available for your review. You may use this information to complete your own internal security assessments and questionnaires.


We understand the importance of security transparency and work collaboratively with our Enterprise customers to address their security assurance requirements.




Q10: Do you have cybersecurity or any other insurance coverage that ensures the protection of customer information?


Answer:


We are currently evaluating cyber insurance options as part of our risk management strategy. In the meantime, we maintain robust security measures and reserved funds to address potential security incidents. Our multi-layered technical controls (encryption, firewalls, intrusion prevention) and documented incident response procedures ensure customer data protection and rapid response to any security events.




Q11: What is your process for providing information regarding service and term changes to customers?


Answer:


We maintain transparent communication for all service and terms changes:


Terms of Service Changes:

  • Advance Notice: Minimum 30 days advance notice via email before any changes take effect
  • Change Summary: Clear, plain-language explanation of what's changing and why
  • Version Control: Previous versions of terms archived and accessible for reference
  • Acceptance: Continued use constitutes acceptance, with option to cancel if unacceptable


Major Service Changes:

  • 30-Day Notice: Advance notification via email for significant feature changes or service modifications
  • Impact Assessment: Clear communication of how changes affect customer usage
  • Migration Support: Assistance provided for any required customer actions


Minor Service Updates:

  • In-App Notifications: Updates displayed within the application
  • Changelog: Detailed changelog maintained and accessible
  • Release Notes: Documentation of new features and improvements


API and Integration Changes:

  • 90-Day Deprecation Notice: Extended notice period for API changes affecting integrations
  • Developer Documentation: Updated technical documentation
  • Migration Guides: Step-by-step guidance for required changes


Emergency Changes:

  • Immediate Notification: Prompt communication when security or critical issues require urgent action
  • Explanation: Clear reasoning for emergency changes
  • Follow-up: Detailed information provided as soon as available


Communication Channels:

  • Primary: Email to registered account administrator
  • Secondary: In-application notifications
  • Status updates: Service status page for operational changes


All customers receive timely, clear communication about changes that may affect their use of our services, with adequate time to review and respond to significant changes.




Q12: What background screening process do you have for employees and contractors?


Answer:


We perform comprehensive background screening for all new hires and contractors before granting access to systems and data. Our screening process includes:


  • Criminal background checks
  • Civil litigation and media research checks
  • Resume and curriculum vitae verification
  • Right-to-work verification checks


All personnel with access to customer data must successfully complete background screening before being granted system access.




Q13: What are your vulnerability remediation timelines for security issues?


Answer:


We maintain strict remediation timelines based on vulnerability severity:


  • Critical Issues: Immediate remediation within 24 hours
  • High Severity: Fixed within 7 days
  • Medium Severity: Remediated within 30 days
  • Low Severity: Addressed within 90 days


Vulnerability Scanning Coverage:

  • Infrastructure security scanning
  • Application-level vulnerability assessments
  • Network security reviews
  • Periodic manual security assessments and penetration testing


Tools Used: Periodic manual security checking, fail2ban for real-time threat detection, Grafana for continuous monitoring.




Q14: Describe your logging and monitoring capabilities.


Answer:


We maintain comprehensive logging and monitoring infrastructure:


Event Logging:

  • Administrator and security event logs for all systems
  • Log retention: Minimum 90 days
  • Access to modify logs is strictly restricted
  • Logs capture critical security events including access attempts, account changes, and privileged activities


Monitoring Tools:

  • Grafana for centralized monitoring and real-time alerting
  • fail2ban for security event detection and automated response
  • Logs available to customers upon request




Q15: How is multi-factor authentication implemented in your environment?


Answer:


Multi-factor authentication (MFA) is enabled for all security-sensitive parts of our system:


Coverage Areas:

  • Administrative access to all systems
  • Critical application functions
  • Third-party vendor access points
  • Remote access to infrastructure
  • Access to customer data repositories


MFA is mandatory for all privileged accounts and enforced across security-sensitive operations to prevent unauthorized access.




Q16: What security practices do you follow in software development?


Answer:


We implement security throughout the software development lifecycle:


Automated Security Testing:

  • Source code security scanning tools integrated into development workflow
  • Automated vulnerability detection during code commits
  • Dependency vulnerability scanning


Pre-Production Security:

  • All identified security issues must be remediated before production release
  • Security review required for all code changes
  • No deployment to production with known security vulnerabilities


Testing and Quality Assurance:

  • Security testing integrated into CI/CD pipeline
  • Code review process includes security considerations
  • Penetration testing performed on application updates




Summary of Key Points


Data Protection:

  • 6-month retention post-cancellation
  • Complete data deletion with proof available
  • Self-service candidate data export available from Candidates page
  • Additional data services available on hourly rate basis


Security Measures:

  • TLS 1.2+/AES-256 encryption
  • SSH keys + MFA for all security-sensitive systems
  • Firewall + intrusion prevention (fail2ban)
  • Grafana monitoring + 90-day log retention
  • All ports secured except 80/443
  • DKIM, SPF, DMARC configured


Access Control:

  • Multi-factor authentication on critical systems
  • "Deny all" by default firewall policy
  • Comprehensive event logging
  • Background checks for all personnel


Vulnerability Management:

  • Periodic security assessments
  • Defined remediation timelines (Critical: 24hrs, High: 7 days)
  • Infrastructure, application, and network scanning
  • Pre-production security remediation


Third-Party Management:

  • 6 vendors with customer data access (all SOC2/PCI-DSS certified)
  • Job boards receive only public job postings (no customer data)
  • DPAs required for all vendors with data access
  • Annual vendor security reviews


Incident Response:

  • 72-hour breach notification
  • Security incident procedures documented
  • Email + support portal communication
  • 30-day advance notice for service changes


Customer Assurance:

  • Security questionnaires answered (Enterprise customers)
  • Documentation available under NDA (Enterprise customers)
  • Audit support and security reviews (Enterprise customers)
  • SOC2 documentation available for all customers


Insurance:

  • Evaluating cyber insurance options
  • Strong technical/operational controls in place
  • Reserved incident response funds




Updated on: 21/11/2025
