Security
1. Overview
HireSweet takes its security posture very seriously: keeping our customers' data protected at all time is our highest priority. All HireSweet employees are trained on security practices during company onboarding and on an annual basis. We are committed to securing your application's data and continuously eliminating systems vulnerability. HireSweet uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss.
This page describes the technical and organizational measures put into place by design regarding HireSweet’s technology. These measures are subject to potential updates to implement additional safeguards and/or in order to comply with changes of applicable laws/regulations. We constantly improve our technology in order to offer you the most efficient security performances.
HireSweet's use and transfer to any other app of information received from Google Accounts will adhere to the Google API Services User Data Policy including the Limited Use requirements (more information: https://developers.google.com/terms/api-services-user-data-policy#additional_requirements_for_specific_api_scopes).
2. Privacy by design & by default on our technology
We develop our processings according to the “privacy by design” and the “privacy by default” principles. All new processing (new functionality on our technology, use of a new software/tool etc.) is subject to a verification by the security manager and the data protection officer (hereafter designated) previously to its implementation. In addition, all new processing is subject to a verification of the technical architecture in order to ensure its security before any effective implementation/use. HireSweet’s team always takes into account the “privacy by design” and “privacy by default” principles when reflecting about the possible use of minimisation and pseudonymisation. In addition, HireSweet ensures that data retention periods comply with applicable Regulation.
If any external provider were to be involved in a new processing activity, or if any new software tool were to be used, our DPO always verifies whether the guarantees provided by all third-parties comply with article 28 of the GDPR. Where appropriate and if necessary, HireSweet may request additional guarantees. Data storage clauses and legal basis clauses are particularly controlled and documented. If consent of the data subject is requested, proof of such consent is retained by HireSweet.
3. Incident Response Plan
Unusual network patterns or suspicious behavior are among HireSweets' biggest concerns for infrastructure hosting and management. All HireSweet employees are committed to respect a specific Incident Response Plan, with designated Computer Security Officier, Computer Security Analyst and fallbacks ensuring high availability. All service impacting and business-critical incidents are closely monitored and responded to 24/7, 365 days a year.
Access logs, activity records, and other metrics are reviewed in case an incident occurs. Our Engineering team is constantly monitoring both our infrastructure and alerts from upstream vendors. We use notification and alert systems to immediately identify and manage risks and threats.
4. Vulnerability Disclosure
We encourage everyone that practices responsible disclosure and comply with our policies and terms of service to participate in our bug bounty program. Our goal is to address and report any identified security issues through a coordinated and constructive approach. Please avoid automated testing and only perform security testing with your own data. Please do not disclose any information regarding the vulnerabilities until we fix them.
Accepted vulnerabilities are the following:
_ Authentication issues
_ Cross-Site Scripting (XSS)
_ Open redirect
_ Cross-site Request Forgery (CSRF)
_ Command/File/URL inclusion
_ Code execution
_ Code or database injections
Targets are restricted to HireSweet main products. Blogs, third party websites, account enumeration, denial of service, spam attacks, phishing, physical access and any attacks against specific HireSweet users are out of scope.
Rewards are done at our discretion depending on the criticality of the vulnerability reported. HireSweet will consider potential impact to the business and clients, ease of exploitation and ability to mitigate the issue internally. We are working on specific reward criteria and amounts. At this time, only vulnerabilities with medium and above severity will be rewarded. As a safe harbor, Hiresweet is committed to not initiating legal action against you if your activities are performed respecting this policy.
If you would like to report a vulnerability or have any security concerns with a HireSweet product, please contact security@hiresweet.com. We welcome working with you to resolve the issue promptly.
5. Client’s data access through our technology
Our technology uses the most secured methods in order to restrict operational and technical access to you data.Each client can only have access to his/her own data. He/She can never have access to any other client’s data thanks to appropriate technical partitioning measures. Likewise, each client can only have access to functionalities actually made available by HireSweet. The existence of different user profiles enables leakproofness and each of these profiles have customizable rights.
6. Governance
An adequate organisation has been put in place by HireSweet based on a shared responsibility between the concerned entities allowing HireSweet to optimize and permanently improve its services. This guarantees that security aspects are taken into account in a preventative and responsive manner.
HireSweet has nominated the following managers:
(i) A security manager: Ismael Belghiti, CTO, in charge of (1) security matters of the HireSweet company, (2) data breach management and, eventually, notification of the competent supervisory authority.
(ii) A human resources manager: Paul Bachelier, COO, in charge of (1) human resources management and particularly the IT environment of HireSweet employees and (2) logistic consequences following staff arrivals and departures.
(iii) A data protection officer: Isis Kiewiet, Head of legal in charge of (1) general GDPR compliance of the company and (2) concerned persons rights’ request management.
Subprocessors
HireSweet only uses subprocessors who have put in place all technical and organisational measures requested in order to ensure the security, integrity, confidentiality, availability and resilience of the systems and services used for data processing, while respecting the rights of the concerned persons. Contracts between HireSweet and subprocessors provide for these guarantees.
A processing record includes all processings subcontracted on HireSweet’s client instructions and is regularly updated depending on the technical and organisational measures put in place.
HireSweet’s employees
HireSweet’s employees are informed and bound by security rules as described hereafter:
labour contracts which include clauses that directly address the confidentiality of our clients' data.
Security and GDPR training as well as tests and “Q&A” upon arrival within the company and at least annually.
an IT Charter which contains mandatory data management and security measures.
7. Security - general
Infrastructure and Network Security
HireSweet’s technologies are hosted on Amazon Web Services (Paris) and Google Cloud Platform (London) and we use multiple application-level security mechanisms and features to ensure customer data safety. Amazon Web Services (AWS) and Google Cloud Platform (GCP) data centers are highly scalable, secure, and reliable. AWS complies with leading security policies and frameworks, including SSAE 16, SOC framework, ISO 27001, and PCI DSS Level 1.
Only designated authorized HireSweet members have access to configure the infrastructure. We take appropriate measures to ensure that all personal data is kept secure including security measures to prevent personal data from being accidentally lost, or used or accessed in an unauthorized way, for the duration of your use of our Services. HireSweet employees do not have physical access to AWS and GCP data centers, servers, network equipment, or storage.
Controls and security audits.
HireSweet carries out (1) annual external security pentests conducted by external providers and (2) monthly internal security pentests. Errors and incidents are corrected within strict deadlines.
Passwords management policy. HireSweet has put in place a strict password management policy for each regarding its technology (multi-factor authentication, complex passwords, hash of connection identifiers, etc.).
Security of internal workstations.
All HireSweet employees’ workstations are bound by security requirements rules, such as an automatic session locking mechanism, security firewalls and unique accounts for all the IT resources made available by HireSweet, with permissions and authorizations depending on the nature of the employee's position.
Event logging.
HireSweet has set up a system of recording employee and user identifiers kept for a period of fifteen days for the purpose of security analysis and detection of events that could affect the security of the HireSweet technologies IT system.
Internet security. HireSweet's premises are equipped with wifi networks and passwords dedicated to (1) internal teams and (2) external teams and visitors, as well as video surveillance and alarm systems.
Retention Period Management.
HireSweet has implemented database deletion policies for its technology in compliance with the Regulation.
Crisis Management.
HireSweet has put in place an internal policy in case of attempted, actual or suspected data breach including all internal procedures and technical and organizational measures to ensure that the means previously implemented by HireSweet ensure the avoidance of data breach, including providing information of all internal procedures put in place to ensure the communication of the mandatory instructions in case of actual or suspected data breach and a notification procedure of its customers who may be concerned.
Unusual network patterns or suspicious behavior are among HireSweets' biggest concerns for infrastructure hosting and management. All HireSweet employees are committed to respect a specific Incident Response Plan, with designated Computer Security Officer, Computer Security Analyst and fallbacks ensuring high availability. All service impacting and business-critical incidents are closely monitored and responded to 24/7, 365 days a year.
Access logs, activity records, and other metrics are reviewed in case an incident occurs. Our Engineering team is constantly monitoring both our infrastructure and alerts from upstream vendors. We use notification and alert systems to immediately identify and manage risks and threats.
8. Feedbacks & more information
Please contact:
- privacy@hiresweet.com, or
- dpo@hiresweet.com