At the time of this document’s publication, SmartRecruiters’ customers have used our platform to post more than 150,000 jobs, process more than 4.8 million candidates, and make more than 80,000 hires a month. And with our global customer base increasing 50% year over year, those numbers are only going to rise. Consequently, a customer’s recruiting data is expansive, highly aggregated, and critical to meeting business objectives. Not to mention that processing such a massive amount of recruiting transactions, while simultaneously managing copious amounts of hiring data, requires a robust platform that is architected not just for scalability and performance, but for protection, privacy, and security.
So, as an industry-leading Talent Acquisition Suite (TAS) that is heavily relied upon by high-performance organizations and flagship consumer brands to attract, select, and hire the best, SmartRecruiters is highly differentiated from others in both the engineering and design of our platform architecture, which are structured upon key functional elements that include:
- Ease of Use
- Security in Depth
While each of these principles ranks as a high priority for buyers procuring a new recruitment solution, perhaps the most important, yet least discussed, is platform security.
Rest assured, our team has you covered by our powerful modern Talent Acquisition Suite built for state-of-the-art resilience and scalability, complete with robust security measures, and wrapped in a best-in-class consumer UI that delivers an amazing candidate experience, fosters hiring team collaboration, and enhances recruiter productivity from any device, anywhere.
Specifically, SmartRecruiters is a modern cloud platform operating in a multi-tenant SaaS (Software as a Service) environment, which means SmartRecruiters relieves customers of the burden of maintaining and securing the hiring system. For customers, this means no additional hardware or software costs, no databases to configure, no operating system requirements, and no versions to maintain or update. And because security is top of mind for our team, we follow a “Security in Depth” approach across our Software Development Lifecycle (SDLC), code deployment practices, security patches and backups, and architecture and infrastructure, executing across multiple layers of validated security management practices, backed and certified by ISO 27001 and SOC-2 Type II.
In the pages that follow, our Security Management team outlines SmartRecruiters' Information Security Management processes and practices, detailing how our team goes to great lengths to protect and secure the integrity, availability, and confidentiality of our customers’ data.
At SmartRecruiters, security is top of mind, so you have peace of mind.
SaaS Platform - Complete Cloud Security
The SmartRecruiters TAS is built on a modern SaaS platform. For customers, this means that all of our applications and data are delivered via the Internet and hosted in secure data centers run by the most secure and trusted third-party cloud service providers, Amazon Web Services (AWS) and Google Cloud Platform (GCP). These data centers deliver a highly scalable cloud computing platform with high availability and dependability. Properly securing an on-premises data center is difficult and expensive; the cloud data centers used by SmartRecruiters deliver superb resiliency, cybersecurity, and compliance that meet the world's top standards. With a cloud-hosted solution like SmartRecruiters, security responsibilities are shared between our Information Security team and the cloud provider.
For example, the cloud provider is responsible for securing the underlying infrastructure that supports the cloud (security of the cloud), whereas SmartRecruiters is responsible for anything we store or process in the cloud and/or connect to the cloud.
With SmartRecruiters, customers can expect complete cloud security.
The cloud provider chosen by the customer is responsible for protecting the global infrastructure that runs all of the services offered in its cloud. This infrastructure comprises the hardware, software, networking, and facilities that run the cloud services, and, as detailed in the providers' own documentation, security is a top priority for them.
The providers' SOC-2 and SOC-3 reports from independent, third-party auditors are available via their dedicated security websites:
Both the AWS and GCP global infrastructures are designed and managed according to security best practices and a variety of industry-recognized security compliance standards. SmartRecruiters selected AWS and GCP as our cloud-hosting providers because they provide the most rigorous physical and environmental security standards, designed to accommodate the needs of high-growth enterprise organizations worldwide. Further, their systems are designed to tolerate system or hardware failures with minimal customer impact.
So, as the Cloud provider customer, we know we’re building web architectures atop some of the world’s most secure computing infrastructures. Nevertheless, we still make it a priority to manage information security internally with equally high standards so our customers enjoy complete cloud security.
SmartRecruiters' Information Security Management Systems (ISMS)
Information Security Organization
SmartRecruiters knows the complexity and criticality of information security and its governance demands the highest organizational levels. As a critical resource, data is treated like any other asset essential to the survival and success of an organization - yours and ours. To enable secure business operations, SmartRecruiters has implemented an effective security governance strategy approved by our Security Council and Management Board.
As part of our security governance strategy, SmartRecruiters has appointed our Security Council as our organization's foremost Information Security Authority, with an appointed Information Security Officer as chairman, and accompanying Security Forum as the Executive Body, which includes a Data Protection Officer.
Information Security Standards and Compliance
SmartRecruiters attaches significant importance to information security and compliance, as reflected in our security organizational structure and our internal management practices. For example, SmartRecruiters focuses on continuous development and refinement of our information security management practices, in accordance with industry standards and trends. Detailed policies, procedures, and instructions define the roles, tasks, and permissions of employees and coworkers, as well as the involvement and management of any third parties that participate in the execution and delivery of our business processes. SmartRecruiters employs in-house experts in security, compliance, and data protection, in the roles of Data Protection Officer and Information Security Officers and within the Security Department.
Specific to compliance, SmartRecruiters adheres to and complies with relevant legalities, contractual requirements, and latest industry standards, including:
- ISMS based on ISO 27001
- Applications tested to OWASP standards
- EU personal data legislation (GDPR, the General Data Protection Regulation)
- SOC-2 Type II certification
Global Compliance Program
SmartRecruiters' Global Compliance Program covers three major areas:
- Adaptation: adapt the software to the laws that protect candidates and the companies they apply to in matters of recruiting.
- Facilitation: facilitate the presentation of customers' privacy policies to their candidates.
- Enablement: enable customers to achieve their diversity objectives.
Security Controls and Practices
Maintaining a credible information security system requires continuous evolution to keep pace with innovative platform developments and preparation for increased threats. Such efforts require appropriate controls and heightened monitoring to respond to changing needs, in addition to the performance of regular internal audits in accordance with ISO 27001, and external audits of infrastructure and applications, coupled with the constant analysis of reliable and repeatable measures.
The following sections outline our security controls and practices.
The process of asset management is crucial to information security and business operations and includes information and the information-processing environment. Accordingly, SmartRecruiters established internal policies, procedures, and instructions to identify, implement, maintain, and optimize the security of assets. Every asset is owned, employees are trained to understand their responsibilities, and procedures are aligned with security standards to keep assets secure.
SmartRecruiters’ Information Security Management System obliges relevant internal departments to regularly review assets the company possesses and to classify them against three dimensions: the probability of threat occurrence, possible consequences, and level of protection. The sources of the threats can include natural disasters, technical failures, legal obligations (compliance), and human activities (malicious and non-malicious).
Information Security Awareness
Apart from various technical security protections, SmartRecruiters believes cybersecurity starts with the consciousness of our employees. This consciousness is ingrained at all levels of the organization - starting from top management who participate in the Security Council and are tasked with executing the agreed quarterly cybersecurity plans across the entire organization. In accordance with these plans, our employees participate in the following programs:
- Personal data & PII (personally identifiable information) management
- Cybersecurity protections
- Compliance (ISO 27001, GDPR, SOC-2, etc.)
- Techniques of secure software development
- Infrastructural security
- Social engineering prevention
- Related industry security programs and training
SmartRecruiters pays special attention to the verification and hiring of our employees. Depending on the personnel function, coupled with the legislation of the country in which a vacancy is being created, SmartRecruiters takes appropriate actions, such as mandatory background checks, among other measures, to verify the integrity of the person who would join the team.
Onboarding and Exit
SmartRecruiters' onboarding process includes employee review and acceptance of company policies, privacy agreements, and non-disclosure agreements, mandatory security training, access setup to the systems, and other items necessary for a secure and reliable work environment. Each new employee must complete the onboarding process before permissions and access to confidential data (where applicable) are granted.
The exit process is designed to prevent a departing employee from accessing or acquiring confidential data or any other company asset during their departure, whether they leave voluntarily or as a result of termination. Depending on the position within the organization, SmartRecruiters organizes and secures knowledge transfer to ensure that key responsibilities are not lost.
New Employee Procedures and Policies
Every new employee, before starting their official duties, must pass cybersecurity and personal data processing security training. This training contains a mandatory knowledge check. Additional mandatory requirements instruct every employee to sign a non-disclosure agreement that intends to protect and secure proprietary company secrets and customer data.
SmartRecruiters has implemented a continuous audit testing program according to ISO 27001. Internal auditors test and optimize system operations and organizational processes. Specifically, these audit programs focus on:
- Software development
- IT operations
- Customer Support
- Sales and Marketing
- Product Processes
- Business Operations
- Penetration Testing
- Infrastructure Access Rights
- Vulnerability Scans
- Backups Audit
- Personal data & PII Security
- Other related processes.
Antivirus and Malware Protection
Every employee is obliged to use antivirus software on workstations and mobile phones/tablets. Compliance with the SmartRecruiters policy on antivirus software for hardware and infrastructure is monitored and audited.
Bug Bounty Hunters Program
Employees take part in the internal Bug Bounty Hunters Program, created to pool efforts in threat management and risk avoidance. Its goals are to build an understanding of the value of security in the design approach, to keep awareness as high as possible and close gaps in security training (everyone needs some level of awareness), to find and resolve as many bugs as possible, and ultimately to keep the SmartRecruiters platform a secure product.
Usage of Subcontractors
SmartRecruiters does not outsource its operations to subcontractors.
Protection of Data
SmartRecruiters takes appropriate security measures to protect against any unauthorized use or access of our hardware and systems. Our security infrastructure includes Intrusion detection services, security monitoring, restricted physical access, restricted network access, encrypted data access, redundant firewalls, isolated public/private LANs, isolated NAS and SAN access, and real-time antivirus. Further, as part of our ISO 27001 certification, we are required to maintain an Access and Password Policy, which requires periodic password updates and enforces monitoring of password guidelines.
Data Entry and Access Control
SmartRecruiters uses cloud providers to host all of our environments. Internally, we enforce a clear separation of duties so that only specific employees can access certain areas of our product’s database and software. All access to our services is logged, so we know exactly who accessed what data and when. Further, all access to the production environment (logins, code deployments, etc.) is limited to specific, trained SmartRecruiters IT staff and is always logged. We store internal log files indefinitely. Where applicable, SmartRecruiters abides by and supports country-specific data retention requirements for our customers. SmartRecruiters also stores information about key events in database audit tables. Our logs contain HTTP requests with information about the type of request, IP address, and user ID. We keep information about key events in our system and expose it to customers via the Audit API.
Data Transmission Control
Sensitive data transmitted between SmartRecruiters and a user’s browser is encrypted using at least 128-bit encryption. Server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt our customers' data. Communication between users and the SmartRecruiters platform is secured by HTTPS, which is enforced by HSTS. Data backups are likewise transferred encrypted, with very limited access.
All SmartRecruiters customer data is encrypted and secured in a similar fashion - using a multi-tenant structure. The data is segregated using a dedicated authorization engine, with another layer of separation delivered by cloud providers.
Data at Rest
Data at rest is encrypted, and the encryption keys are protected using AWS Key Management Service (KMS) for AWS-based customers or Cloud Key Management (CKM) for GCP-based customers. The key management service is a managed service for creating and controlling the encryption keys used to encrypt data, and it uses Hardware Security Modules (HSMs) to protect the keys. Key management services are integrated with several other cloud services to help protect data at rest, and with cloud logging services to provide logs of all key usage, which helps meet regulatory and compliance needs.
Our backup policy requires backups to be stored in two copies. One copy is kept in the production environment for day-to-day use, with limited access. The second copy is kept in a secondary account, accessible only to a very small number of employees who have no access to the primary copy. No single employee (including management and administrators) has access that would allow deletion of all copies. Segregation of Duties is thus the overriding principle, and it results from the Risk Assessment process we apply to every security area.
Data in Transit
SmartRecruiters ensures a high level of security by implementing the newest cryptographic protocols for communications security. HTTP access is protected with TLS 1.2, the newest version of that protocol. We ensure HTTPS-only access via HSTS. The full list of cipher suites currently in use with TLS 1.2 is given below:
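Independent of the cipher-suite list, the posture described in this section (HTTPS only, enforced by HSTS, TLS 1.2 as the floor) is something a reviewer can verify from a scan result. The following is an added example, not SmartRecruiters' code: the observations, the one-year HSTS max-age floor and the ECDHE+AEAD cipher baseline are this example's own constructed assumptions, and the page's cipher list is not reproduced.

```python
from dataclasses import dataclass
from typing import Any, Dict, List, Optional

# Policy values. MIN_TLS is the minimum stated in this section; the HSTS
# max-age floor and the cipher baseline are this example's assumptions.
MIN_TLS = "TLSv1.2"
MIN_HSTS_MAX_AGE = 31536000          # one year
TLS_ORDER = {"SSLv3": 0, "TLSv1": 1, "TLSv1.1": 2, "TLSv1.2": 3, "TLSv1.3": 4}


@dataclass(frozen=True)
class HstsPolicy:
    max_age: int
    include_subdomains: bool
    preload: bool


def parse_hsts(header: Optional[str]) -> Optional[HstsPolicy]:
    """Parse a Strict-Transport-Security value per RFC 6797.

    Returns None for an absent header, a missing or non-numeric max-age,
    or a repeated directive: a browser ignores such a header, so the
    "HTTPS-only" guarantee silently does not exist for that response.
    """
    if not header:
        return None
    seen: Dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if name in seen:
            return None                      # duplicate directive invalidates the header
        seen[name] = value.strip().strip('"')
    if not seen.get("max-age", "").isdigit():
        return None
    return HstsPolicy(int(seen["max-age"]),
                      "includesubdomains" in seen,
                      "preload" in seen)


def cipher_acceptable(name: str) -> bool:
    """Example baseline: forward-secret ECDHE key exchange with an AEAD cipher.

    TLS 1.3 suites (TLS_...) always satisfy both, so they pass outright.
    """
    if name.startswith("TLS_"):
        return True
    return name.startswith("ECDHE-") and ("GCM" in name or "CHACHA20" in name)


def evaluate_transport(obs: Dict[str, Any]) -> List[str]:
    """Check one observed connection against the policy and return findings.

    `obs` is a constructed scan record: tls_version, cipher, hsts (header
    value or None) and http_to_https (True if plain HTTP redirected to HTTPS).
    An empty list means the observation matches the policy.
    """
    findings: List[str] = []
    version = str(obs["tls_version"])
    if TLS_ORDER.get(version, -1) < TLS_ORDER[MIN_TLS]:
        findings.append(f"protocol {version} below minimum {MIN_TLS}")
    cipher = str(obs["cipher"])
    if not cipher_acceptable(cipher):
        findings.append(f"cipher {cipher} is not ECDHE+AEAD")
    policy = parse_hsts(obs.get("hsts"))
    if policy is None:
        findings.append("HSTS header missing or invalid")
    else:
        if policy.max_age == 0:
            findings.append("HSTS max-age=0 clears the policy")
        elif policy.max_age < MIN_HSTS_MAX_AGE:
            findings.append(f"HSTS max-age {policy.max_age} below {MIN_HSTS_MAX_AGE}")
        if not policy.include_subdomains:
            findings.append("HSTS does not cover subdomains")
    if not obs.get("http_to_https"):
        findings.append("plain HTTP not redirected to HTTPS")
    return findings


# Constructed observations, as a scanner would record them.
OBSERVATIONS = {
    "compliant": {"tls_version": "TLSv1.2", "cipher": "ECDHE-RSA-AES256-GCM-SHA384",
                  "hsts": "max-age=31536000; includeSubDomains; preload",
                  "http_to_https": True},
    "weak": {"tls_version": "TLSv1.1", "cipher": "AES128-SHA",
             "hsts": "max-age=300", "http_to_https": False},
    "duplicate_directive": {"tls_version": "TLSv1.3", "cipher": "TLS_AES_256_GCM_SHA384",
                            "hsts": "max-age=31536000; max-age=0", "http_to_https": True},
}

if __name__ == "__main__":
    for name, obs in OBSERVATIONS.items():
        print(name, "->", evaluate_transport(obs) or "OK")
```

The duplicate-directive case is the one worth remembering: the header is present, so a checklist that only looks for its existence passes, while browsers discard it.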
As mentioned previously, SmartRecruiters uses cloud providers (AWS, GCP) whose data centers are Tier-4. Leveraging our hosting providers, we maintain full data center redundancy in each location, with warm failover capabilities across two physical sites. Further, the SmartRecruiters platform is built as a microservices architecture, which maximizes resilience and reliability: the failure of a few services is isolated and does not impact the other working services. Because our servers are located in different availability zones of the cloud providers, we are ready, if needed, to switch to an alternate location in line with our disaster recovery plan.
Data Retention Periods
As a global solution provider, SmartRecruiters supports jurisdictional data security and privacy requirements. As part of our customer-enabled Global Compliance Center (released in January 2017), customers can deploy local data privacy statements for candidates to accept during the application process, and/or set rules to automatically delete candidates' personally identifiable data in compliance with country-specific data retention requirements. Where no data retention requirements apply, SmartRecruiters stores data until the contract’s termination. Once a contract with a customer is terminated, SmartRecruiters deletes their data after 60 days, unless otherwise specified.
Another aspect of data retention is database backups. As part of maintenance activities, SmartRecruiters performs database backups. These backups are deleted after 8 weeks.
To provide the highest levels of security and universal acceptance, digital signatures, also known as electronic “fingerprints”, can be used to securely associate a signer with a document in a recorded digital transaction. This is made possible by the DocuSign solution natively integrated into our platform. More details are available here.
Monitoring and Response Management
Information Security Incident Management
In the event of a security incident, SmartRecruiters has implemented and tested the procedures it follows, with special care for emergency incidents. Whenever an incident concerns customers' data or equates to a security breach, our international support team informs customers as soon as the breach is formally detected and according to the timeframes outlined in our Incident Management Policy.
Our support team works according to our Master Service Level Agreement (SLA), which you can find here. To help our employees react quickly enough and to give maximum information about platform status, any affected customer data, and security levels, SmartRecruiters implemented an Intrusion Detection and Prevention System with continuous monitoring.
Application logs are kept for a minimum of 3 months. System and audit logs are kept for a minimum of 1 year. Stored logs are secured such that no single person is able to delete all backup copies. The retention policy covers 9 types of logs, which are pushed daily to KMS-encrypted buckets.
Penetration and Vulnerability Testing
Given our commitment to high security standards, we implemented vulnerability management to avoid security risks where possible and to minimize the exploitation of known threats. Vulnerability tests are performed every month by the internal quality assurance (QA) team, and external penetration tests are performed every 6 months on both our infrastructure and our application. The SmartRecruiters QA team is trained in recognizing and testing for vulnerabilities, complemented by our internal Bug Bounty Hunters program, which helps identify and detect bugs and threats. In addition, SmartRecruiters makes use of vendor relations and monitors industry authorities and underground hacker communities to recognize potential exploit schemes and new security alerts. Where applicable, patch evaluation, deployment, and notification constitute the SmartRecruiters update process.
Identity and Access Management
Rights & Roles Matrix - Segregation of Duties
SmartRecruiters' security system is based on the ‘Segregation of Duties’ principle, which prevents a single individual from having the access and authority to execute two or more conflicting sensitive transactions that could significantly jeopardize the security of the company’s assets. On top of this principle, and in alignment with identified risks, the SmartRecruiters security team has built a Rights & Roles Matrix that documents the access levels of the various functions to the company’s assets (including the personal data & PII of our customers).
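A Rights & Roles Matrix is only as good as the check that runs over it. The following is an added example, not SmartRecruiters' code, of how the principle above and the backup rule in the Data at Rest section (no single employee able to delete all backup copies) can be enforced mechanically: roles, permissions, conflict pairs and assignments are all constructed placeholders.

```python
from typing import Dict, FrozenSet, List, Set, Tuple

Permission = str
ConflictPair = FrozenSet[Permission]

# Constructed rights & roles matrix (role -> permissions). The names are
# illustrative and are not SmartRecruiters' actual roles.
ROLES: Dict[str, Set[Permission]] = {
    "developer":        {"code:commit", "code:review"},
    "release_manager":  {"code:review", "prod:deploy"},
    "dba":              {"db:write", "backup:primary:delete"},
    "backup_custodian": {"backup:secondary:read", "backup:secondary:delete"},
    "support":          {"db:read_pii", "audit:read"},
    # Deliberately mis-designed role, used to show a role-level conflict.
    "superuser":        {"db:write", "audit:delete"},
}

# Constructed conflict pairs: one identity holding both sides can run a
# sensitive transaction end-to-end without a second pair of eyes.
CONFLICTS: Set[ConflictPair] = {
    frozenset({"code:commit", "prod:deploy"}),                       # deploy own unreviewed code
    frozenset({"backup:primary:delete", "backup:secondary:delete"}), # destroy every backup copy
    frozenset({"db:write", "audit:delete"}),                         # alter data and erase the trail
}


def effective_permissions(user_roles, roles=ROLES) -> Set[Permission]:
    """Union of the permissions of every role granted to one identity."""
    perms: Set[Permission] = set()
    for role in user_roles:
        if role not in roles:
            raise KeyError(f"unknown role: {role}")
        perms |= roles[role]
    return perms


def find_conflicts(perms, conflicts=CONFLICTS) -> List[Tuple[str, str]]:
    """Conflict pairs fully contained in `perms`, as sorted tuples."""
    hits = [tuple(sorted(pair)) for pair in conflicts if pair <= perms]
    return sorted(hits)


def roles_with_internal_conflicts(roles=ROLES, conflicts=CONFLICTS):
    """Roles that are toxic on their own, whoever holds them."""
    report = {}
    for name, perms in roles.items():
        hits = find_conflicts(perms, conflicts)
        if hits:
            report[name] = hits
    return report


def audit_assignments(assignments, roles=ROLES, conflicts=CONFLICTS):
    """Map each identity to the violations created by its combined roles.

    Conflicts usually arise from the combination of individually harmless
    roles, so the check must run on effective permissions, not per role.
    """
    report = {}
    for user, user_roles in assignments.items():
        hits = find_conflicts(effective_permissions(user_roles, roles), conflicts)
        if hits:
            report[user] = hits
    return report


def new_conflicts_from_grant(current_roles, new_role, roles=ROLES, conflicts=CONFLICTS):
    """Conflicts that granting `new_role` would add: a pre-grant gate."""
    before = set(find_conflicts(effective_permissions(current_roles, roles), conflicts))
    after = set(find_conflicts(effective_permissions(set(current_roles) | {new_role}, roles), conflicts))
    return sorted(after - before)


# Constructed assignment table (identity -> granted roles).
ASSIGNMENTS = {
    "alice": {"developer", "release_manager"},   # can commit and deploy: violation
    "bob":   {"dba", "backup_custodian"},        # can delete both backup copies: violation
    "carol": {"support"},                        # read-only, no conflict
    "dave":  {"dba"},                            # one copy only, no conflict
}

if __name__ == "__main__":
    for user, hits in audit_assignments(ASSIGNMENTS).items():
        print(f"{user}: {hits}")
    print("toxic roles:", roles_with_internal_conflicts())
    print("granting backup_custodian to dave adds:",
          new_conflicts_from_grant(ASSIGNMENTS["dave"], "backup_custodian"))
```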
Like most SaaS companies, SmartRecruiters' platform architecture is multi-tenant. Within this structure, several architectural protections provide strong security for each tenant. Tenants are separated by an authorization engine, and this separation is verified by multiple test scenarios that run automatically before any general release of a new platform version.
Authentication and authorization are crucial elements of platform security and support the strict implementation and monitoring of our internal Password Policy. As such, passwords have termination dates, minimum length, and minimum complexity parameters and differ per system and account. Privileged accounts are managed separately as high-risk points. No shared accounts are used anywhere in the SmartRecruiters platform.
SmartRecruiters has implemented a broadly supported industry standard for Web SSO – SAML 2.0. This standard not only allows for quick setup and configuration but is also supported by a majority of Identity Providers on the market.
Our Customer API gives customers and partners a flexible platform to integrate their services or applications, build their own apps, and create fully customizable career sites. It exposes SmartRecruiters functionality and allows customers to connect and build software that enhances their instance. API endpoints are accessed with an API token or OAuth.
The Customer API is a REST API created for application developers to enable seamless integration with our SmartRecruiters platform. It is divided into several components:
- Posting API – Enables customers to build fully customizable career sites and partners to build widgets. This API contains snapshots of all published jobs as of the last time published.
- Application API – Enables customers and partners to integrate into their own site the full candidate application including screening questions, allows new applications to be submitted, and exposes the status of previously submitted applications.
- Job API – Enables customers to extract and import jobs’ data to/from the SmartRecruiters platform as well as for partners to build applications that can be consumed by customers.
- Candidate API – Enables customers to import, export, read, and update candidate data.
- User API – Enables customers to extract and import users’ data to/from the SmartRecruiters platform as well as for partners to build applications that can be consumed by customers.
- Configuration API – Enables customers to extract and import configuration data to/from the SmartRecruiters platform as well as for partners to build applications that can be consumed by customers.
- Analytics API – Consists of a collection of endpoints specifically built to allow users to download data extracts for reporting and analytics purposes.
- Audit API – Enables customers to extract and import data on user activity (across many roles) and candidates, such as who modified a candidate profile, who downloaded an attachment, who published job ads, and when, among many other in-platform user activities.
The Marketplace API is created especially for our partners. It is divided into several components:
- Application API – Exposes the full candidate application, allows new applications to be submitted, and exposes the status of previously submitted applications.
- Offer API – This allows partners to create and manage offers.
- Assessment API – Enables assessment and screening vendors to receive assessment requests and submit assessment results.
- Job Board API – Allows job board vendors to integrate with SmartRecruiters Marketplaces.
Physical and Environmental Security
Because SmartRecruiters is hosted by cloud providers (AWS or GCP), no data is stored on our premises, nor does our staff have physical access to servers and network equipment. The terms and conditions of the cloud provider services guarantee compliance with industry-standard security requirements. Specifically, physical access to cloud provider data centers is enforced and controlled by the cloud solution owner. Please refer to: https://aws.amazon.com/security or https://cloud.google.com/solutions/security/ and https://cloud.google.com/compute/docs/regions-zones
Physical access by SmartRecruiters personnel within our regional offices is monitored and tracked. All SmartRecruiters offices are protected by intrusion detection systems with integrated alarms, maintained by managed office suppliers.
SmartRecruiters facilities are equipped with fire detection and suppression systems, CCTV security cameras, backup generators for back-office servers, humidity controls inside the internal data center, and logged token-based entry. Internal policies cover storage device decommissioning and the secure disposal of equipment, data, and media.
SmartRecruiters' logical network is built with full redundancy in mind as illustrated in the following images:
Network devices, including firewall and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACL), and configurations enforcing the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface, and accordingly, manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed using AWS and GCP management tools, to help ensure these managed interfaces enforce the most up-to-date ACLs.
Dedicated instances are Amazon EC2 and GCP Cloud Compute server instances that run in a virtual private cloud (VPC). The isolation of the server instances is provided on multiple levels that include: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls.
Network Monitoring and Protection
SmartRecruiters actively monitors its platform on both the network and application levels. Automated alerting systems notify the DevOps team in case of any observed malfunctions, traffic beyond warning levels, and other irregularities.
Networking is actively monitored by:
- AWS Security Hub and Google Security Command Center
- Cloudflare (traffic for selected subdomains) - WAF, anti-DDoS
- Imperva - WAF and Advanced Bot Protection
- SmartRecruiters - Intrusion Prevention Systems, HTTP level filtering, traffic throttling, and alerting
Apart from the monitoring provided and maintained via SmartRecruiters’ internal SIEM, the network is also monitored by the relevant AWS and GCP cloud mechanisms. AWS Security Hub with GuardDuty and Google Security Command Center help ensure a high level of service performance, availability, and security. AWS and GCP monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts, and they allow custom performance metric thresholds to be set for unusual activity.
Apart from strictly monitoring activities, the SmartRecruiters security team performs various preventive operations including vulnerability scans (automatic and manual), which are intended to detect security flaws on the level of the operating system, web application, and databases.
Change Management Security
Software, Hardware, Managing Patches
SmartRecruiters infrastructure is regularly and automatically reviewed against available software updates. The patches are applied either automatically or manually with the mandatory validation of correct service operations. The SmartRecruiters security team monitors security/vulnerability information feeds and acts if needed.
Code - Security in Development and Support Processes
Platform code validation is a security focus area for our team. Specifically, the SmartRecruiters development process includes activities such as:
- Training about security standards and precautions
- Mandatory code review
- Regular internal penetration tests (by the internal QA team)
- Regular external penetration tests (by the third party)
- Automated code scanning
Business Continuity Process and Disaster Recovery (BCP&DR)
Cloud Provider infrastructure offers a high level of availability and provides SmartRecruiters features to deploy a resilient IT architecture. The solution has been designed to tolerate system or hardware failures with minimal customer impact. Datacenter Business Continuity Management is under the direction of the Amazon Infrastructure and Google Group. Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
SmartRecruiters operates in two cloud data centers, located in the Europe and North America regions. The primary data center processes all incoming traffic during normal operations. The secondary data center stores the backups of the primary region from the last 24 hours and can be made operational within 24 hours thanks to automated configuration management of the services.
SmartRecruiters uses separate data centers in the Europe and North America regions for failover and disaster recovery purposes; these data centers are located approx. 50 km apart from each other. Cloud storage is built on a fault-tolerant architecture and infrastructure in which all base services of the platform are redundant with active failover capacity. Base services include application servers, web servers, database servers, load balancers, and storage.
RTO & RPO
With the exception of a force majeure event, SmartRecruiters commits to the following values:
- RTO (Recovery Time Objective): 8 hours maximum unscheduled outage time
- RPO (Recovery Point Objective): 8 hours maximum loss of data
Depending on the configuration selected by a customer, the SmartRecruiters platform works with third-party sub-processors for some functions. These include the companies listed below. Security responsibilities are described in contracts or terms and conditions, and where needed a DPA is signed between SmartRecruiters and the third party. For companies without SOC-2 reports, SmartRecruiters conducts remote security audits once a year.
A list of all our current sub-processors can be found on our webpage: subprocessors