Data Security and Compliance Whitepaper
Over the past two decades, the ways in which people use information have changed significantly in light of rapid technological development. Legislators have realized that the existing data privacy laws fail to address the problems, and above all the limitations on privacy, associated with the "Digital Age".
That is why the European Union adopted a privacy reform package that sets a new global bar for privacy rights, security and compliance. The package includes Regulation (EU) 2016/679 ("GDPR") and the proposed ePrivacy Regulation.
Amazing Hiring has devoted time and effort to assessing whether its information security practices meet the new regulatory requirements and to identifying the technical and organizational measures that must be taken to ensure compliance with the new data protection rules.
Commitment to GDPR Compliance
Amazing Hiring acknowledges its responsibilities under the GDPR and commits to ensuring GDPR compliance before the Regulation becomes applicable on 25 May 2018. Amazing Hiring has defined awareness-raising routines and made data security a priority and a vital criterion in its service design.
This whitepaper outlines the privacy practices of Amazing Hiring with respect to its services and systems. It is divided into two main sections: Regulatory Compliance and Information Security. Regulatory Compliance describes Amazing Hiring's approach to compliance requirements in terms of its Data Processor/Controller roles, protection of Data Subjects' privacy, and awareness. Information Security details the data access controls and operational security controls applied by Amazing Hiring.
Amazing Hiring recognizes that under the GDPR it acts as both Data Controller and Data Processor. Therefore, Amazing Hiring must ensure the highest level of security for the data it controls and ensure that its vendors and service providers process data in conformity with the applicable data protection rules.
Considering the range of processing activities carried out by Amazing Hiring, such as (i) collection, (ii) storage, (iii) transmission and (iv) making personal data available to third parties, Amazing Hiring has considerably improved its security practices and redesigned its processes and documentation to reflect the principles of secure data processing.
To align its data security with the new regulatory requirements, Amazing Hiring has applied the guidelines adopted by the Article 29 Working Party, including, but not limited to, the Guidelines on Automated decision-making, on Consent, on Data Protection Impact Assessment (DPIA), on Personal data breach notification, on Transparency, and on the right to data portability.
Amazing Hiring has established strong governance and appointed a Data Protection Officer to handle data protection related requests from supervisory authorities, customers and data subjects.
Amazing Hiring as a Data Controller
Amazing Hiring acts as a search engine for sourcing IT professionals and is therefore directly engaged in the processing of personal data.
Amazing Hiring processes personal data by collecting it from third-party data providers that are considered public web sources ("Public Sources"). Public Sources enter into agreements with data subjects in which the Data Subject consents to making his/her profile visible to search engines and third parties, provided, however, that those third parties have a clearly defined purpose of processing ("purpose limitation") and ensure lawful, transparent and secure processing.
When Amazing Hiring collects publicly available data for its own business purposes, it acts as a Data Controller, defining the means of processing in a manner compatible with the purposes for which the Data Subject allowed his/her data to be processed.
Amazing Hiring as a Data Processor
When a customer uses Amazing Hiring as its trusted sourcing partner, the customer instructs Amazing Hiring to search for candidates on its behalf based on the criteria set by the customer. When conducting the candidate search, Amazing Hiring assesses the qualifications and eligibility of a candidate against the customer's criteria. Subsequent access to and use of the personal data made visible to the customer must rest on a valid legal ground, such as legitimate interest (Article 6(1)(f) of the GDPR). In this case the customer becomes a Data Controller and must take appropriate technical and organizational measures to safeguard the personal data it controls. The Controller is responsible for demonstrating compliance with the GDPR (the principle of "accountability", Article 5(2)).
Third Party Processors
Amazing Hiring may engage third-party service providers and vendors ("Service Providers"). All existing Service Providers were subject to a data security evaluation and had to complete an Information Security Controls ("ISCD") assessment questionnaire to measure whether their security level is appropriate to the data they access and the scope of services they provide. Upon completion of the questionnaire and the subsequent risk assessment, the Data Protection Officer decides whether to renew or terminate the service contract.
All new Service Providers that meet the ISCD requirements enter into a data processing agreement containing the mandatory terms required by Article 28(3) of the GDPR, and accept the privacy terms and other rules associated with data security. Amazing Hiring applies strict contractual rules to strengthen responsibilities for data breaches, breach notification and data transfers outside the EU/EEA. Once a solution is set up, it must continuously conform to Amazing Hiring's control objectives and security standards regarding access control and operational security.
Transfer to third countries
The European Commission has approved Standard Contractual Clauses ("Model Clauses") for personal data transfers outside the EU, to ensure that personal data protection requirements apply contractually to recipients of data outside the EU and EEA. Amazing Hiring includes the Model Clauses in its Data Processing Agreement whenever personal data is transferred outside the EU/EEA, to both non-EU/EEA Controllers and Processors.
Data Subject’s Privacy
Amazing Hiring values the protection of Data Subjects' rights and is therefore committed to making sure Data Subjects can exercise their rights effectively and free of charge. Amazing Hiring will ensure that each Data Subject request is reviewed in a timely fashion and within the statutory time limit (one month under Article 12(3) of the GDPR, extendable in complex cases).
Right to Access. A Data Subject can request access to his/her personal data and obtain a copy of it in a format acceptable to the Data Subject (e.g. PDF, Word). The Data Subject can submit a request form online via www.amazinghiring.com/gdpr/form. After the form is submitted, our privacy team reviews it and verifies the requestor's identity without undue delay. Upon successful verification, the Data Subject is provided with a copy of his/her personal data. Identity verification is the key control in this process: without it, an access request could be used by a third party to obtain a candidate's data.
Right to Data Portability. Amazing Hiring ensures data portability: if a Data Subject wishes to transfer his/her data to another service provider, we provide the Data Subject with the data in a structured, commonly used and machine-readable format (the Article 29 Working Party guidelines cite XML, JSON and CSV as examples).
Right to Erasure ("Right to be forgotten") and Right to Rectification. Data Subjects are entitled to request erasure or rectification of their data by filing the appropriate request via www.amazinghiring.com/gdpr/form. Amazing Hiring has a process in place for handling requests for data to be rectified or deleted, unless a legal requirement prevents the request from being fulfilled. When the request is fulfilled, the Data Subject is informed that his/her data has been changed or erased and is no longer collected; however, to meet its legal obligations, Amazing Hiring will retain a record of each requestor as evidence that the request was fulfilled. That record should itself be limited to what is needed to recognize the requestor, so that the erasure process does not recreate the data it removed.
Right to Object. At any time, a Data Subject is entitled to object to the processing of personal data concerning him or her. The Right to Object can be exercised by submitting the form at www.amazinghiring.com/gdpr/form. Upon receipt of the form, Amazing Hiring ceases the processing unless there is a legal or statutory ground for continuing it.
Right to be Informed. If a Data Subject inquires about the processing activities conducted with respect to his/her personal data, Amazing Hiring will, without undue delay, provide information about: (i) the purposes of processing; (ii) the categories and types of personal data; (iii) the retention period; (iv) the source of the personal data; (v) privacy rights and information on data portability. Moreover, all information about the categories of personal data and the processing operations conducted by Amazing Hiring is available at www.amazinghiring.com/privacy.
Notification Requirements. Amazing Hiring disclaims ownership of personal data. When a candidate profile is made available to the Customer, the profile may contain references to the Public Source where the candidate's contact details are visible. Contact details are used to contact a candidate in the exercise of a legitimate interest. When the candidate is reached, the Customer must comply with Article 14 of the GDPR (information to be provided where personal data have not been obtained from the data subject).
All employees of Amazing Hiring who are involved in data processing must undergo data privacy training. In addition, all employees must adhere to the internal Data Protection Policy, which is incorporated by reference into the Code of Conduct.
During initial onboarding, employees must take privacy training covering how to protect personal information and reduce the risk of a privacy breach.
Amazing Hiring will ensure continuous training opportunities for its employees and will emphasize the importance of data privacy to its customers and service providers. Amazing Hiring requires all persons involved in designing the product and/or implementing new features to have detailed knowledge of system vulnerabilities, malware and other security-related topics. Above all, Amazing Hiring encourages security by design for its systems and services. To maintain appropriate controls, Amazing Hiring has an internal audit team that reviews compliance practices against the applicable laws and Good Industry Practice.
Record of processing activities. Amazing Hiring keeps a "data map", i.e. the record of processing activities required by Article 30 of the GDPR, showing: (i) categories of data subjects; (ii) categories of recipients; (iii) transfers to third countries; (iv) processing operations; (v) retention; (vi) a description of the technical and organizational measures taken.
Breach notification. To comply with Article 33 of the GDPR and the Article 29 Working Party Guidelines on personal data breach notification under Regulation 2016/679, Amazing Hiring has developed a process for notifying the supervisory authority upon becoming aware of a personal data breach (without undue delay and, where feasible, within 72 hours of becoming aware of it).
Data Minimization Principle and Retention Period. Upon creating a profile, Amazing Hiring will (by means of system configuration) ensure that processing is minimized to what is necessary for recruitment purposes. Therefore, for EU data subjects Amazing Hiring will only process information that is justifiably related to employment and is derived from data sources that correspond to the sourcing opportunities. In addition, minimization routines will be introduced to make sure that we keep information in a minimized fashion.
We have significantly improved our Information Security Policy and Information Security Management System with respect to the following controls: operational security, access control, and physical security. We have reviewed our processes and procedures in accordance with the ISO 27001 requirements.
Amazing Hiring applies a number of technical and organizational measures to protect its data from unauthorized access, alteration, use, disclosure or destruction.
To manage access to its data, Amazing Hiring has applied access controls to ensure that:
- access to information resources is controlled through processes that address authorization, modification, revalidation and revocation of information system privileges;
- access is strictly limited to appropriate individuals on a "need to know" and "least privilege" basis;
- access revocation due to resignation, termination or transfer is conducted in a timely manner;
- users of Amazing Hiring's information resources (a) are accountable for all actions performed under their User ID and (b) are responsible for protecting and managing the confidentiality of their passwords and log-in credentials;
- connections to Amazing Hiring's information resources from remote or mobile computing facilities use multifactor authentication;
- access to documents and removable media containing sensitive information is controlled.
Physical Access Control
To restrict access to premises that may contain data processing equipment, Amazing Hiring uses, without limitation, the following:
- Alarm systems;
- Automatic access control system;
- Movement detectors;
- Physical protection against break-ins and fire;
- Physical separation of data carriers from those used to provide service to external parties.
Amazing Hiring has applied the following security standards to production information resources, routine system operations, segregation of duties, malware protection, backup and recovery, monitoring and logging, protection of sensitive media, system configuration, and maintenance activities, to ensure:
- necessary organizational arrangements for managing systems exist and that they are supported by accurate, up-to-date documentation;
- prevention of unauthorized disclosure, modification, removal or destruction of assets, and interruption to business activities;
- correct and secure operation of Amazing Hiring’s information processing facilities and to minimize the risk of systems failures;
- protection and maintenance of the integrity and availability of software, information and information processing environment;
- the necessary arrangements (e.g. people, processes, technology) are in place to log events, review the logs, and follow up on security events, system usage and performance.
Data Protection in the Cloud
Amazing Hiring uses certified service providers to ensure that data is stored in secure environments and in accordance with modern security standards. All data subject to European and US jurisdiction is stored and processed by our services running in Hetzner Online data centers, an ISO 27001 certified provider. A provider's ISO 27001 certification covers the provider's own infrastructure and processes; the configuration and operation of the services running on it remain Amazing Hiring's responsibility under the access and operational controls described above.
Secure Data Transmission
Amazing Hiring integrates with various services and tools through APIs. Information transmitted over the network is protected in transit without compromising the security of the data. Communication through APIs is performed in accordance with modern web security standards and is encrypted with TLS 1.2. TLS is only as strong as its configuration: older protocol versions (SSLv3, TLS 1.0 and 1.1) must stay disabled on both ends, and the client must validate the server certificate against a trusted CA and check that it matches the host being contacted, otherwise the encryption offers no protection against an attacker on the path.
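The following Python example, added here and not part of Amazing Hiring's code, shows what "TLS 1.2 with certificate validation" means on the client side of an API integration and how to audit a client's TLS settings before it is allowed to talk to a partner API. It places a deliberately weakened client context beside the corrected one and runs a small audit over both. The host name `api.example.invalid`, the finding strings and the function names are assumptions made for illustration; no network connection is opened.

```python
"""Audit and build TLS client contexts for API integrations.

Added example (not Amazing Hiring's code). Uses only the standard
library; the endpoint name below is a placeholder and never contacted.
"""
import ssl
from typing import List

# Constructed placeholder for a partner API endpoint (assumption).
API_HOST = "api.example.invalid"


def audit_client_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for settings that weaken an outbound TLS client.

    An empty list means the context meets the minimum bar used here:
    TLS 1.2 or newer only, server certificate chain validated against the
    trust store, and certificate name checked against the target host.
    """
    findings: List[str] = []
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED (-2) sorts below TLSv1_2,
    # so "any version older than 1.2 is allowed" is a single comparison.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("allows TLS 1.1 or older")
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("server certificate is not verified")
    if not ctx.check_hostname:
        findings.append("hostname not checked against the certificate")
    return findings


def weak_client_context() -> ssl.SSLContext:
    """The settings an 'it works now' patch often leaves behind.

    PROTOCOL_TLS_CLIENT defaults are safe; each line below switches one
    safeguard off explicitly so the audit has something to find.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before CERT_NONE
    ctx.verify_mode = ssl.CERT_NONE     # any certificate is accepted
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED  # downgrade possible
    return ctx


def hardened_client_context() -> ssl.SSLContext:
    """Corrected settings: TLS 1.2+, CA-validated chain, hostname check."""
    # create_default_context loads the platform trust store and enables
    # CERT_REQUIRED and check_hostname; the minimum version is pinned
    # explicitly so the result does not depend on the Python/OpenSSL build.
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def tls_client_is_acceptable(ctx: ssl.SSLContext) -> bool:
    """Gate used before a context is handed to an HTTP client."""
    return not audit_client_context(ctx)


if __name__ == "__main__":
    for name, ctx in (("weak", weak_client_context()),
                      ("hardened", hardened_client_context())):
        print(f"{name}: {audit_client_context(ctx) or 'OK'}")
    # A real call would wrap the socket with the hardened context and pass
    # server_hostname so the name check has something to compare against:
    #   with socket.create_connection((API_HOST, 443)) as sock:
    #       with hardened_client_context().wrap_socket(
    #               sock, server_hostname=API_HOST) as tls:
    #           print(tls.version())   # "TLSv1.2" or "TLSv1.3"
```

The audit reads the context rather than attempting a handshake, so it can run in a unit test or a deployment check without network access; a handshake test against the real partner endpoint (for example with `openssl s_client -tls1_1`, which should be refused) complements it but does not replace it, since a server that still accepts TLS 1.0 is only exploitable if a client is willing to negotiate it.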
The goal of Amazing Hiring is an Information Security program of organizational and technical measures that keeps data security sufficient to protect the business against all types of threats, whether internal or external, deliberate or accidental. Its safeguards cover the confidentiality, integrity, availability and traceability of information. We want our customers and partners to be confident that their data is protected and to have transparency about how Amazing Hiring fulfils its responsibilities under the data protection rules.