Security & Compliance Are at the Core of What We Do
We believe that your data belongs to you, and our platform is built to ensure all data is safe, secure and reliably available. Our commitment to compliance means we keep up with key certifications and global compliance standards.
Data Types and Ownership
As candidates apply, they enter various personally identifiable information (PII) in response to questions asked by the employer. All PII from a structured field within the employer’s database may be represented in the JobSync environment, including full name, email address, phone number, home address, work history, and educational data.
JobSync also captures the data inside resumes that candidates upload.
Via the JobSync website and its services, JobSync collects user data such as browser type (e.g., Chrome, Safari, Edge), device type (mobile device, desktop), length of the session on the page and the site, IP address (where permitted) and other data that allows JobSync to provide and optimize its services.
In addition, JobSync may collect the outcome of any API call it may make on behalf of an employer, such as the successful insertion of candidate data, the availability of the API, and other service-related data.
JobSync does not explicitly collect sensitive data such as Social Security numbers, bank account details, or health information. However, certain demographic surveys, such as those conducted under Equal Employment Opportunity (EEO) or Office of Federal Contract Compliance Programs (OFCCP) regulations in the US, may ask questions about ethnicity, gender, veteran status, disability, criminal history, and eligibility for programs like the Work Opportunity Tax Credit (WOTC). Globally, employers may collect additional demographic data, including date of birth, religion, and other sensitive data. JobSync collects and stores this information only if a candidate provides it in response to these surveys.
The data collected by JobSync belongs to the individual or entity that provided it and, where legally permitted, to the entity on whose behalf JobSync collects the data. JobSync acts as a data processor. We do not own or claim rights to the data submitted to our platform outside of our contractual agreement with an individual employer and the various laws that apply to managing a candidate’s data.
To maintain the integrity of the data we collect, access to the platform is strictly regulated. Following the ‘least privilege’ access model, JobSync employees are only granted access to the essential data required for their roles. No organization can access another organization’s data.
A person may request that their personal data, or the data of a person they have governance over, be removed from the JobSync system by completing this form. Upon verification of the request, any personal data or records that JobSync holds about the user will be promptly removed within 10 calendar days unless otherwise required by law. JobSync will confirm the removal with the user.
Security and Protection
The platform infrastructure is built on robust security measures ensuring the protection of candidate information.
We hold data only to the extent that we need to process it and ensure its delivery. Data is processed and regularly purged in accordance with the local laws and contractual agreements with its employer customers.
All data, whether in transit or at rest, is protected with strong encryption protocols. We also employ hashing techniques to ensure the integrity and security of data. Hashing converts data into a fixed-length digest that cannot feasibly be reversed to recover the original data, and any change to the data produces a different digest. This helps protect sensitive information, making it very difficult for an attacker to recover it or to manipulate it without detection.
JobSync takes regular backups of its systems and of the data it holds. Data is encrypted both in transit and at rest. To learn more about JobSync’s data services, review our Data Processing Agreement.
A Data Processing Agreement (DPA) is a legally binding contract between a data controller and a data processor that outlines the terms and responsibilities related to processing personal data. In the context of JobSync, it is an agreement between our customers, partners, and users (data controller) and our company (data processor) with respect to the use of the platform and services provided by JobSync. This agreement ensures that both parties are compliant with relevant state, federal, and international laws, such as the General Data Protection Regulation (GDPR) in Europe.
The DPA also outlines:
- The security measures and protocols in place to protect personal data.
- Which vendors are used, where those vendors are used, and how we hold them accountable.
Our DPA is publicly available on our website for anyone to review. By using our platform, customers agree to the terms of this DPA.
We use a DPA for several reasons:
- Legal compliance: Data protection is a highly regulated and complex area. Which laws are applicable depends on the type of data being processed, the location of the candidates whose data is being processed, the location/headquarters of the employer, where the job is physically located, and more. The DPA ensures compliance with all applicable laws and regulations and ensures transparency in how we achieve such compliance.
- Vendor compliance: In the event that a vendor falls short of the required data protection standards, the DPA makes it possible to remove them, ensuring data remains uncompromised throughout our operational chain.
- Technology changes: Technology is not static. As we continue to improve our platform and incorporate new innovations such as artificial intelligence, it is essential that our data management practices keep pace with those changes. The DPA ensures that the outputs of tools like AI are contemplated, considered, and then processed in a safe and compliant manner.
Customer data: Relevant people within JobSync have access to information on customers, partners, and the employers we engage with, including their names, phone numbers, and email addresses. “Relevant people” are those who are directly responsible for the product and who provide sales, customer, and technical support. They all sign commitments to hold this information confidential. Customer data is not exportable, and we have tracking in place to know if someone tries to remove data from our platform.
Candidate data: Candidate data is kept isolated and is accessible only to people with the highest level of access who need it for very specific requests, for example after an explicit request by the customer through our technical support teams. Non-support commercial-side employees do not have access to candidate data. No person at JobSync has direct access to any candidate PII, and all requests for such data are explicitly logged and limited. As with all confidential information, JobSync employees sign confidentiality agreements and agree annually to enhanced confidentiality policies.
Pre-existing ATS data: In the processing of data, our platform finds duplicate data and updates candidate records to the appropriate version. Our platform requires access to candidate data that already exists inside the ATS to achieve this. Rest assured that deduping happens automatically, and no human has explicit access to that candidate data.
Compliance and Certifications
JobSync adheres to SOC 2 Type II, a best practices framework and compliance certification for managing and protecting data. We also comply with (and often exceed) national and international privacy standards such as those laid down by the General Data Protection Regulation, California Consumer Privacy Act, Colorado Privacy Act, Swiss Federal Data Protection Act, Canadian Consumer Protection, US CAN-SPAM, TCPA, etc.
The platform undergoes regular security audits, including SOC 2 compliance assessments, and is subjected to continuous penetration testing to identify potential vulnerabilities. We have a dedicated team of security experts who continuously monitor and improve our security protocols. Customers may request our current SOC 2 report by emailing their account representative or by contacting us.
All third-party vendors that do, or could, have access to our systems, customer, or candidate data have to be authorized and will only be authorized if they meet and continue to stay compliant with our strict security and compliance standards. This includes entering into binding commitments to comply with all relevant laws, regulations, and industry standards in line with our Data Processing Agreement.
Instead of differentiating between European and Californian users as required by these regulations, JobSync offers data subject rights to all individuals regardless of their location or the size of their organization.
The right-to-be-forgotten form is available on our website and allows anyone to request the removal of their personal data from our platform. This triggers a comprehensive purging process that ensures the permanent and irreversible deletion of all data associated with that person from all of our systems.
We work with individual employers to make sure that their job ads and data practices are compliant with any specific state or local laws, for example, to ensure that salary disclosure is made and expiration dates are included in job ads where required. This happens down to a city and job level, since applicable laws may depend on where a company is headquartered, where they’re physically located, and where they’re recruiting from.
The Telephone Consumer Protection Act regulates telephone solicitations and also imposes restrictions around the right to text message candidates. Since the law surrounding text messaging is nuanced, we encourage all of our customers to seek explicit permission from candidates even if they do not intend to communicate via text or believe that their messaging technology is TCPA-compliant in other ways.
Opt-in is gathered through the platform, which logs the exact date, time, and IP address of the candidate’s explicit text message opt-in. The data record is available to customers to demonstrate compliance with this law if needed.
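As an added illustration, not JobSync’s own code, of the two mechanisms described above (hashing used for data integrity, and the logged date, time and IP address of a candidate’s text-message opt-in), the following Python builds a tamper-evident opt-in log: each record carries the opt-in timestamp and IP address plus a keyed HMAC chained to the previous entry, so a later edit to any stored record is detected when the chain is verified. The key, record layout and sample candidate values are assumptions made for the example.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Constructed demo key; a real deployment would load it from a secret store or KMS.
LOG_KEY = b"constructed-demo-key-not-for-production"

def canonical(record: dict) -> bytes:
    """Serialise a record deterministically so identical content always hashes the same."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()

def append_opt_in(log: list, candidate_id: str, ip: str, when: datetime) -> dict:
    """Append a text-message opt-in record, chained to the previous entry's MAC."""
    prev = log[-1]["mac"] if log else "0" * 64  # constructed genesis value
    entry = {
        "candidate_id": candidate_id,
        "event": "sms_opt_in",
        "timestamp": when.astimezone(timezone.utc).isoformat(),
        "ip": ip,
        "prev": prev,
    }
    # Keyed HMAC rather than a bare hash: anyone who can edit the log could
    # recompute a bare hash, but not a MAC without the key.
    entry["mac"] = hmac.new(LOG_KEY, canonical(entry), hashlib.sha256).hexdigest()
    log.append(entry)
    return entry

def verify_log(log: list) -> tuple[bool, int]:
    """Return (ok, index of first bad entry); index is -1 when the chain is intact."""
    prev = "0" * 64
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        expected = hmac.new(LOG_KEY, canonical(body), hashlib.sha256).hexdigest()
        if entry["prev"] != prev or not hmac.compare_digest(entry["mac"], expected):
            return False, i
        prev = entry["mac"]
    return True, -1

def demo() -> tuple[bool, bool, int]:
    """Build a two-entry log, verify it, then alter a stored record and re-verify."""
    log = []
    append_opt_in(log, "cand-001", "198.51.100.7", datetime(2024, 3, 1, 14, 5, tzinfo=timezone.utc))
    append_opt_in(log, "cand-002", "203.0.113.9", datetime(2024, 3, 2, 9, 30, tzinfo=timezone.utc))
    intact, _ = verify_log(log)
    log[0]["ip"] = "192.0.2.1"  # simulate a later edit to the stored opt-in record
    still_ok, bad_index = verify_log(log)
    return intact, still_ok, bad_index

if __name__ == "__main__":
    print(demo())  # (True, False, 0)
```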
EEO and OFCCP Compliance
The Equal Employment Opportunity Commission (EEOC) and the Office of Federal Contract Compliance Programs (OFCCP) have defined what constitutes an “Internet applicant” for federal contractors and subcontractors. This definition is known as the Internet Applicant Rule. The rule requires, among other things, that any potential or prospective employee who is qualified for the position they are interacting with must go through the same application process as every other qualified applicant.
To ensure compliance with the Internet Applicant Rule, JobSync ensures that no matter where the candidate interacts with an employer’s job content on the internet, they receive the same set of questions in the same order as they would if they found the job on the employer’s career site. This ensures fairness and equality of experience for candidates.
In addition, JobSync strives to insert all EEO and OFCCP data directly into the ATS in the predefined secure area, without the need to add new, less protected fields, questionnaires, templates or alternative storage locations for such protected data.
We offer tools to collect voluntary self-identification information during the application process. This data feeds directly into the place(s) within your ATS where you track OFCCP information. You should continue to utilize the existing EEO and OFCCP reporting processes you had in place prior to working with JobSync. Because JobSync collects completed applications, not leads or partial data from its sources, you do not need to amalgamate a second data source with your existing reporting infrastructure, saving time and improving accuracy in compliance reporting.
There are no strict standards on how EEO data should be collected, only that candidates must be able to choose not to disclose. If you decide to make your questions optional, we will reflect that. Alternatively, if you require responses with a “choose not to disclose” option, our system will support it as well. Some organizations opt not to collect EEO data upfront, and we can accommodate that preference as long as it aligns with your standard employment practices.
Most modern ATSs seclude EEO / OFCCP demographic data in such a way that it is not visible to recruiters and hiring managers. This prevents that data from influencing decisions about candidates in ways that could lead to discrimination, conscious or unconscious. JobSync places EEO, OFCCP and demographic data within these secluded fields.
Our user interface for candidates adheres to the Web Content Accessibility Guidelines 2.1 Level AA standards, a set of internationally recognized standards to ensure that digital content is accessible for all users, including those with disabilities. Note that individual sites have their own accessibility standards based on the providers you choose to work with. When we use their interface to collect information, we can only rely on their chosen standards.
Security Practices and Incident Response
JobSync’s approach to data security starts from a proactive stance to ensure that a data breach is an unlikely scenario. With our transparent DPA, in-process SOC 2 Type II certification, GDPR alignment, least-privilege access to data, continual monitoring, penetration testing, and ongoing security training for our employees, the best-case scenario is one where we never experience a data breach. In the unlikely event that a data breach does occur, JobSync has well-documented procedures in place, including containment practices, notification plans, and incident recovery steps.
Our data security practices are audited, at minimum, annually. We run continuous-monitoring penetration testing with an accredited third party, supplemented by periodic point-in-time penetration tests by other third parties.
All employees go through regular security and compliance training. All our security policies are outlined in our employee handbook, and our employees are regularly re-trained, tested, and required to acknowledge their compliance with those policies.