Security

1. Overview

HireSweet takes its security posture very seriously: keeping our customers' data protected at all times is our top priority. All HireSweet employees are trained in security practices when they join the company and on an annual basis. We are committed to securing your application data and continuously eliminating system vulnerabilities. HireSweet uses a variety of industry-standard technologies and services to secure your data from unauthorized access, disclosure, use, and loss.

This page describes the technical and organizational measures put in place by design regarding HireSweet's technology. These measures are subject to potential updates to implement additional protective measures and/or to comply with changes in applicable laws/regulations. We are constantly improving our technology in order to offer you the most effective security performance.

HireSweet's use and transfer to any other application of information received from Google accounts will be in accordance with the Google API Services User Data Policy, including limited use requirements (more information: https://developers.google.com/terms/api-services-user-data-policy#additional_requirements_for_specific_api_scopes).

2. Respect for the privacy of users by design and by default

All our processing operations are built on Privacy by Design and Privacy by Default. Each new processing operation carried out at HireSweet (creation of a new functionality in our technologies, use of a new software/tool, etc.) is subject to prior cross-functional verification with the security manager and the data protection officer (hereinafter referred to as the "DPO"). Any new processing operation is subject to a verification of the technical architecture to guarantee its security before any effective implementation/use. The HireSweet teams consider, by design and by default, whether the principles of minimization and pseudonymization can and should be applied, and ensure that the management of retention periods is strictly in accordance with the Regulations in force.

In the event that a new processing operation involves the intervention of an external service provider or the use of third-party software, a legal verification of the guarantees provided by the said third party is carried out by the DPO on the basis of Article 28 of the GDPR. If necessary, HireSweet requests the provision of additional guarantees. In particular, the points relating to the hosting of the data concerned are checked. In addition, the legal basis for any new processing operation is strictly verified and documented. If the consent of the person concerned is required, proof that it was collected is kept.

3. Incident response plan

Unusual network patterns or suspicious behavior are among HireSweet's biggest concerns when it comes to hosting and managing infrastructure. All HireSweet employees are committed to a specific incident response plan, with a designated IT security manager, an IT security analyst, and fallback solutions that ensure high availability. All service-impacting incidents and business-critical incidents are closely monitored and addressed 24 hours a day, 7 days a week, 365 days a year.

Access logs, activity records, and other metrics are reviewed in case an incident occurs. Our engineering team constantly and proactively monitors our infrastructure and the alerts issued by our suppliers. We use notification and alert systems to identify and manage risks and threats immediately.

4. Vulnerability disclosure

We encourage anyone who practices responsible disclosure and who abides by our policies and terms of service to participate in our bug bounty program. Our aim is to address and report any identified security issues through a coordinated and constructive approach. Please avoid automated testing and perform security tests with your own data only. Please do not disclose information about vulnerabilities until we fix them.

Accepted vulnerabilities include the following:
- Authentication issues
- Cross-Site Scripting (XSS)
- Open redirection
- Cross-Site Request Forgery (CSRF)
- Command/file/URL inclusion
- Code execution
- Code or database injections

The targets are limited to the main HireSweet products. Blogs, third-party websites, account enumeration, denial of service, spam attacks, phishing, physical access, and any attacks against specific HireSweet users are out of scope.

Rewards are made at our discretion based on the criticality of the vulnerability reported. HireSweet will consider the potential impact on the business and customers, ease of exploitation, and the ability to mitigate the problem internally. We are working on specific criteria and award amounts. For now, only vulnerabilities of medium or greater severity will be rewarded. As a safe harbor, HireSweet is committed to not taking legal action against you if your activities are carried out in accordance with this policy.

If you want to report a vulnerability or if you have any security issues with a HireSweet product, please contact security@hiresweet.com. We look forward to working with you to resolve the issue quickly.

5. Accessibility to our customers' data via our technologies

Our technologies use the most secure methods to restrict, operationally and technically, the accessibility of your data.

Each customer can only have access to their own data. They have no access to the data of another HireSweet customer, thanks to appropriate technical partitioning measures. Likewise, each customer can only have access to the functionalities actually offered by HireSweet. This isolation is ensured by the various user profiles, each of which has tailor-made, adjustable rights.

6. Governance

An adequate organization has been put in place by HireSweet based on shared responsibility between the entities concerned, allowing HireSweet to optimize and continuously improve its services. This ensures that security aspects are taken into account in a preventive and reactive manner.

HireSweet appointed the following officials:

(i) A security manager: Ismael Belghiti, CTO, in charge of (1) the security issues of HireSweet, (2) the management of data breaches and, possibly, the notification to the competent supervisory authority.
(ii) A human resources manager: Paul Bachelier, COO, in charge of (1) the management of human resources and in particular of the IT environment for HireSweet employees and (2) the logistical consequences following the arrival and departure of staff.
(iii) A data protection officer: Isis Kiewiet, legal officer in charge of (1) the general compliance of the company with the GDPR and (2) the management of requests for the rights of the persons concerned.

Subcontractors

HireSweet only uses subcontractors who have implemented all the technical and organizational measures required to guarantee the security, integrity, confidentiality, availability and resilience of the systems and services used for data processing, while respecting the rights of the persons concerned. The contracts between HireSweet and the subcontractors provide for these guarantees. A processing register includes all processing operations subcontracted on the instructions of the HireSweet customer and is regularly updated according to the technical and organizational measures put in place.

HireSweet employees

HireSweet employees are informed of and bound by security rules as described below:
- employment contracts that include clauses dealing directly with the confidentiality of our customers' data.
- security and GDPR training as well as tests and "Q&A" upon arrival at the company and at least annually.
- an IT charter that contains mandatory data management and security measures.

7. Security - general

Infrastructure and network security

HireSweet's technologies are hosted on Amazon Web Services (London) and Google Cloud Platform (Paris) and we use multiple application-level security mechanisms and functions to ensure the security of customer data. Amazon Web Services (AWS) and Google Cloud Platform (GCP) data centers are highly scalable, secure, and reliable. AWS complies with major security policies and frameworks, including SSAE 16, SOC framework, ISO 27001, and PCI DSS Level 1.

Only designated authorized members of HireSweet have access to the infrastructure configuration. We take appropriate steps to ensure that all personal data is kept secure, including security measures to prevent personal data from being accidentally lost, or used or accessed in an unauthorized manner, for the duration of your use of our services. HireSweet employees do not have physical access to AWS and GCP data centers, servers, networking equipment, or storage.

Security checks and audits.

HireSweet carries out (1) annual external security pentests conducted by external providers and (2) monthly internal security pentests. Errors and incidents are corrected within a strict timeframe.

Password management policy.

HireSweet has implemented a strict password management policy for each of its technologies (multi-factor authentication, complex passwords, hashing of login identifiers, etc.).

Internal workstation security.

All HireSweet employee workstations are subject to mandatory security regulations, such as an automatic session locking mechanism, security firewalls, and unique accounts for all computer resources made available by HireSweet, with permissions based on the nature of the employee's function.

Event recording.

HireSweet has established a system for logging employee and user identifiers, which are retained for a period of fifteen days for the purposes of security analysis and the detection of events that may affect the security of HireSweet Technologies' computer system.

Internet security.

HireSweet's premises are equipped with Wi-Fi networks and passwords dedicated to (1) internal teams and (2) external teams and visitors, as well as video surveillance and alarm systems.

Management of retention periods.

HireSweet has implemented policies to delete its technology databases in accordance with the Regulation.

Crisis management.

HireSweet has put in place an internal policy covering attempted, actual or alleged data breaches. It includes all internal procedures and technical and organizational measures intended to ensure that the means previously implemented by HireSweet prevent the data breach, information on the internal procedures for communicating mandatory instructions in the event of a real or suspected data breach, and a procedure for notifying Customers who could be affected.

Unusual network patterns or suspicious behavior are among HireSweet's biggest concerns when it comes to hosting and managing infrastructure. All HireSweet employees are committed to a specific incident response plan, with a designated IT security manager, an IT security analyst, and fallback solutions that ensure high availability. All service-impacting incidents and business-critical incidents are closely monitored and responded to 24 hours a day, 7 days a week, 365 days a year.

Access logs, activity records, and other metrics are reviewed in case an incident occurs. Our engineering team constantly and proactively monitors our infrastructure and the alerts issued by our suppliers. We use notification and alert systems to identify and manage risks and threats immediately.

8. Comments and other information

Please contact:
- privacy@hiresweet.com, or
- dpo@hiresweet.com

© 2025 HireSweet. All rights reserved.