ATS data security.

summary

We recognise that your information is a very important asset and hireful takes that responsibility very seriously. This security statement is aimed at providing you with more information about our security infrastructure and practices.

information security policy

hireful maintains a written Information Security policy that defines employees’ responsibilities and their acceptable use of information system resources. The organisation receives signed acknowledgement from users indicating that they have read, understood, and agree to abide by the rules of behaviour before they are granted authorised access to hireful’s systems. This policy is periodically reviewed and updated as necessary.

Our security policies cover a wide array of security related topics ranging from general standards with which every employee must comply, such as account, data, and physical security, to more specialised security standards covering internal applications and information systems.

organisational security

Information security roles and responsibilities are defined within the organisation. The platform team focuses on information security, auditing our software product and compliance, and defining the security controls that protect hireful’s AWS infrastructure. hireful’s internal IT team carries similar responsibilities for our corporate infrastructure.

asset management

hireful’s data and information system assets are comprised of customer and end-user assets as well as corporate assets. These asset types are managed under our security policies and procedures. hireful authorised personnel who handle these assets are required to comply with the procedures and guidelines defined by hireful security policies.

physical and environmental security

Our information systems and infrastructure are hosted in a world-class data centre provided by AWS to provide high availability and redundancy to hireful and its customers. The standard physical security controls implemented at each data centre are managed by AWS. These data centres have completed a Service Organisation Controls (SOC) 2 Type II audit and are ISO27001 accredited.

operational security

change management

hireful maintains a change management process to ensure that all changes made to the production environment are applied in a deliberate manner. Changes to information systems, network devices, and other system components, and physical and environment changes are monitored and controlled through a formal change control process. Changes are reviewed, approved, tested and monitored post-implementation to ensure that the expected changes are operating as intended.

supplier and vendor relationships

hireful likes to partner with suppliers and vendors that operate with the same or similar values around lawfulness, ethics, and integrity that hireful does. As part of its review process, we screen our suppliers and vendors and bind them to appropriate confidentiality and security obligations, especially if they manage customer data. Our finance department may perform audits from time to time on hireful suppliers and vendors in an effort to ensure the confidentiality, integrity, and availability of data that our third-party suppliers or vendors may handle.

auditing and logging

We maintain audit logs on our systems. These logs provide an account of which personnel have accessed which systems. Access to our auditing and logging tool is restricted to authorised individuals. Security events are logged, monitored, and addressed by trained team members. Network components, workstations, applications and monitoring tools are enabled to monitor user activity. Organisational responsibilities for responding to events are defined. Critical system configuration changes are recorded as security events, and administrators are alerted at the time of the change. Retention schedules for the various logs are defined in our retention policy.

antivirus and malware

Antivirus and malicious code protection is centrally managed and configured to retrieve the latest available signatures and definitions. Malicious code protection policies automatically apply updates to these protection mechanisms. Anti-virus tools are configured to run scans and provide virus detection. Laptop and remote users are covered by virus protection. Procedures to detect and remove unauthorised or unsupported (e.g. freeware) applications are documented.

backups

hireful has backup standards and guidelines and associated procedures for performing backup and restoration of data in a scheduled and timely manner. Controls are established to help safeguard backed up data. Periodic tests are conducted to test whether data can be safely recovered from backup devices.

network security

Our infrastructure servers reside behind high-availability firewalls and are monitored for the detection and prevention of various network security threats. Firewalls are utilised to help restrict access to systems from external networks and between systems internally. By default, all access is denied and only explicitly allowed ports and protocols are allowed based on business need.

hireful maintains separate development, staging and production environments.

Automated tools are deployed within the network to support near-real-time analysis of events for the detection of system-level attacks. Next-generation firewalls deployed within the data centre monitor outbound communications for unusual or unauthorised activity, which may indicate the presence of malware (e.g. malicious code, spyware, adware).

patch management

hireful’s infrastructure is managed by AWS, and we use container-based virtual servers and serverless solutions to mitigate exposure to vulnerabilities. Patch management processes are therefore handled by AWS.

secure network connections

HTTPS encryption is configured for customer access to our product. This helps to ensure that user data in transit is safe, secure, and available only to intended recipients.

We use AES-256 to encrypt all user data in storage and in transit, including databases, internal and external connections and client-uploaded files, as server-side encryption.

All our communication is encrypted at rest and in motion (using a Key Management Service). When encrypting data in motion, our services use the Transport Layer Security (TLS 1.2) protocol to provide encryption between the end-user application (web browser or mobile app) and our service.

access controls

role based access

Role based access controls are implemented for access to information systems. Processes and procedures are in place to address employees who are voluntarily or involuntarily terminated. Access controls to sensitive data in our databases, systems, and environments are set on a need-to-know / least privilege necessary basis. Access control lists define the behaviour of any user within our information systems, and security policies limit them to authorised behaviours.

authentication and authorisation

We require that authorised users are provisioned with unique account IDs. Our password policy covers all applicable information systems, applications, and databases. Our password best practices enforce the use of complex passwords that include both alphabetic and numeric characters, to protect against unauthorised use of passwords.

hireful employees are granted a limited set of default permissions to access company resources, such as their email, and the corporate intranet. Employees are granted access to certain additional resources based on their specific job function. Requests for additional access follow a formal process that involves a request and an approval from a data or system owner, manager, or other executives, as defined by our security guidelines.

software development lifecycle

We follow a defined methodology for developing secure software that is designed to increase the resiliency and trustworthiness of our product. Our product is deployed on an iterative, rapid release development lifecycle. Security and security testing are implemented throughout the entire software development methodology. Quality Assurance is involved at each phase of the lifecycle and security best practices are a mandated aspect of all development activities.

Our secure development lifecycle follows standard security practices including vulnerability testing, regression testing, penetration testing, and product security assessments. The leadership of the hireful development teams reviews our development methodology regularly to incorporate evolving security awareness, industry practices and to measure its effectiveness.

multitier architecture

Our infrastructure is built following multi-layered architecture principles as a client–server architecture in which presentation, application processing and data management functions are physically separated. We provide a 3-tier architecture plus further layers that improve information security, management, development and deployment, and that help ensure the ongoing integrity, availability and resilience of our processing systems and services.

All our layers are physically separated and have no cross-connection access other than their designated direct connection. Our architecture follows microservice principles: each core domain service is separate and is managed by automated deployment scripts.

incident management

hireful has a formalised incident response plan (Incident Response Plan) and associated procedures in case of an information security incident. The Incident Response Plan defines the responsibilities of key personnel and identifies processes and procedures for notification. Incident response personnel are trained, and execution of the incident response plan is tested periodically.

business continuity and disaster recovery

To minimise service interruption due to hardware failure, natural disaster, or other catastrophe, we implement a disaster recovery program at our data centre. This program includes multiple components to minimise the risk of any single point of failure. Application data is replicated to multiple systems within the data centre and, in some cases, replicated to secondary or backup data centres that are geographically dispersed to provide adequate redundancy and high availability.

data protection

We apply a common set of personal data management principles to customer data that we may process, handle, and store. We protect personal data using appropriate physical, technical, and organisational security measures.

We give additional attention and care to sensitive personal data.

hireful only processes personal information in a way that is compatible with and relevant for the purpose for which it was collected or authorised in accordance with our privacy policy. We take all reasonable steps to protect information we receive from our users from loss, misuse or unauthorised access, disclosure, alteration and/or destruction.

security of processing data

As a processor of your client’s data, we have implemented appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:

1.) the pseudonymisation and encryption of personal data;
2.) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
3.) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
4.) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

pseudonymisation of personal data

hireful provides data cleansing services for all our clients, in which all personal data is “removed” from our system, including databases, reports, logs, data backups and file systems. The process is fully automated and has multi-layer monitoring to ensure we do not hold any private data after the retention period. A personal data record cannot always be physically deleted because of data dependencies and relationship integrity; in those cases we provide data anonymisation or pseudonymisation instead. Our data cleanse service, or a manually triggered data record deletion request, will remove all related records or provide one of the following:

Anonymisation – renders the personal data records anonymous in such a manner that the data subject is not, or is no longer, identifiable.

Pseudonymisation – the data can no longer be attributed to a specific data subject without the use of additional information.

questions and answers

General compliance

How does an ATS work?
Do I need an ATS to be GDPR compliant?
Why should I choose hireful ATS?
How much does hireful ATS cost?
Will hireful ATS fit my business?
Can hireful ATS help me attract better talent?
Will hireful ATS help me to reduce recruitment costs?
How long does it take to implement hireful ATS?
Where is the platform hosted?

Our infrastructure is fully managed by Amazon Web Services (AWS) hosted in the Republic of Ireland, EU.

Please provide information framework / technology on which the service is built.

It is a web-based PaaS, a 3-tier-plus platform using a microservice and serverless architecture, cloud-hosted by AWS.

Does your organisation currently have a centralised collection of logs from security and network devices?

We use various logging solutions, such as IPS and MS AD for internal end-users, and AWS CloudTrail, CloudWatch and Elasticsearch for our ATS infrastructure.

What if any certification does your organisation hold in relation to information security risk management?

We became ISO 27001 certified in March 2022. We comply with CIS Benchmarks. Our hosting provider is AWS (where we process and store client data); they have various certifications and further information can be found here: https://aws.amazon.com/compliance. We have Cyber Essentials (cert. number IASME-CE-002598) in the context of our corporate network.

Please provide details of what secure coding standards and independent security audits you perform.

We follow OWASP Secure Coding Practices. All our software and platform engineers have the right certification and knowledge to do so. We conduct regular training workshops and constantly update our systems based on the latest standards and trends.

data access and encryption

Data encryption (What’s encrypted and how? Encryption at rest and/or in transit?)

All digital data at rest is encrypted using AES-256 encryption and managed by AWS. In transit, both internal and external data is encrypted using AES-256 encryption and managed by AWS.

How authentication takes place both inside and outside of our network, including installations of any services required by the client?

Our platform is web-based (PAAS). We do not have any client’s services installed directly within our system or network. We do provide integrations that are custom-built using various technologies and authentication. Accounts are protected by username, password and Multi-Factor Authentication (which can be optional based on your requirements).

How does your organisation access and manage hosting services?

All our systems (infrastructure and servers), including databases, have restricted access managed by AWS IAM. Connections between user machines and the infrastructure are tunnelled through VPN and encrypted. Access to other services, such as codebase repositories, is username- and password-based with hardware or virtual MFA and/or secure keys, or OAuth2 where possible. We have strict infrastructure access policies that are managed and monitored by our Platform Team.

network

How is administrative access to your firewalls controlled?

Our ATS infrastructure is hosted on AWS and all the security rules are discussed, planned and managed by our Platform and Engineering managers. Any administrative access to AWS is strictly limited using VPN secure connections. There is no public administrative access for any of our assets.

Are your organisation’s firewall rules subject to a regular review?

We have various firewalls and IPS in use internally for end-users. Infrastructure firewalls (protecting client data) and external access points are managed by AWS. Our Platform Team is responsible for the AWS perimeter security.

How often do you review your firewall rules?

AWS VPC security is designed and reviewed on a daily basis as a part of our software development process.

Are all workstations & servers built from a hardened build standard?

Yes

Is filtering of network traffic based on firewall rules that apply the principle of ‘least access’?

Yes