At the time of this document’s publication, SmartRecruiters customers have used our platform to post more than 50,000 jobs, process more than 1.2 million candidates, and make more than 8,000 hires a month. And with our global customer base increasing 50% year over year -- those numbers are only going to rise.
Consequently, a customer’s recruiting data is expansive, highly aggregated, and critical to meeting business objectives. Not to mention that processing such a massive amount of recruiting transactions, while simultaneously managing copious amounts of hiring data, requires a robust platform that is architected, not just for scalability and performance, but for protection, privacy, and security.
So, as an industry-leading Talent Acquisition Suite (TAS) that is heavily relied upon by high-performance organizations and flagship consumer brands to attract, select, and hire the best, SmartRecruiters is highly differentiated from others in both the engineering and design of our platform architecture, structured upon key functional elements that include:
- Ease of Use
- Security in Depth
And while each of these principles ranks as “high-priority” for consumers when procuring a new recruitment solution, perhaps the most important, but least discussed when thinking about recruiting, is platform security.
Rest assured, our team has you covered by our powerfully modern Talent Acquisition Suite architected for state-of-the-art resilience and scalability, complete with robust security measures, and wrapped in a best-in-class consumer UI that delivers an amazing candidate experience, fosters hiring team collaboration, and enhances recruiter productivity from any device, anywhere.
Specifically, SmartRecruiters is a modern cloud platform operating in a multi-tenant SaaS (Software as a Service) environment, which means SmartRecruiters relieves customers of the burden of maintaining and securing a hiring system. For customers, this means no additional hardware or software costs, no databases to configure, no operating system requirements, and no versions to maintain or update. And because security is top of mind for our team, we follow a “Security in Depth” approach across our Software Development Lifecycle (SDLC), code deployment practices, security patches and backups, and architecture and infrastructure, executing across multiple layers of validated security management practices, backed and certified by ISO 27001.
In the pages that follow, our Security Management team outlines SmartRecruiters Information Security Management processes and practices, detailing how our team goes to great lengths to protect and secure the integrity, availability, and confidentiality of our customers’ data.
At SmartRecruiters, security is top of mind, so you have peace of mind.
SaaS Platform - Complete Cloud Security
The SmartRecruiters TAS is architected on a modern SaaS platform. For customers, this means that all of our applications and data are delivered via the Internet and hosted in secure data centers by a third-party cloud services provider, Amazon Web Services (AWS). AWS data centers deliver a highly scalable cloud computing platform with high availability and dependability. Properly securing an on-premise data center is very difficult and expensive; the AWS cloud data centers used by SmartRecruiters deliver resiliency, cybersecurity, and compliance that meet the world's top standards. With a cloud-hosted solution like SmartRecruiters, security responsibilities are shared between our Information Security team and AWS.
For example, AWS is responsible for securing the underlying infrastructure that supports the cloud (security of the cloud), whereas SmartRecruiters is responsible for anything we store or process in the cloud and/or connect to the cloud.
Amazon AWS is responsible for protecting its global infrastructure that runs all of the services offered in the AWS cloud. This infrastructure is comprised of the hardware, software, networking, and facilities that run AWS cloud services. As detailed in their documentation for consumers, security is a top priority.
“Protecting this infrastructure is AWS’s number one priority, and while you can’t visit our data centers or offices to see this protection firsthand, we provide several reports from third-party auditors who have verified our compliance with a variety of computer security standards and regulations…”
Accordingly, AWS reports such as SOC 2 and SOC 3 from independent third-party auditors are available via the AWS website at: https://aws.amazon.com/compliance/soc-faqs/
The AWS global infrastructure is designed and managed according to security best practices, as well as a variety of industry-recognized security compliance standards. As such, SmartRecruiters selected AWS for our cloud-hosting provider because AWS provides the most rigorous physical and environmental security standards designed to accommodate the needs of high growth enterprise organizations worldwide. Further, AWS has designed its systems to tolerate system or hardware failures with minimal customer impact.
So, as the AWS customer, we know we’re building web architectures atop some of the world’s most secure computing infrastructure. Nevertheless, we still make it a priority to manage information security internally with equally high standards so our customers enjoy complete cloud security.
SmartRecruiters Information Security Management Systems (ISMS)
Information Security Organization
SmartRecruiters recognizes that the complexity and criticality of information security and its governance demand attention at the highest organizational levels. As a critical resource, data is treated like any other asset essential to the survival and success of an organization - yours and ours. To enable secure business operations, SmartRecruiters has implemented an effective security governance strategy approved by our Security Council and Management Board.
As part of our security governance strategy, SmartRecruiters has appointed our Security Council as our organization's foremost Information Security Authority, with an appointed Information Security Officer as chairman, and accompanying Security Forum as the Executive Body, which includes a Data Protection Officer.
Information Security Standards and Compliance
SmartRecruiters attaches significant importance to information security and compliance, as reflected by our security organizational structure and our internal management practices. For example, SmartRecruiters focuses on continuous development and refinement of our information security management practices, in accordance with industry standards and trends. Detailed policies, procedures, and instructions have been developed and put in place to define the roles, tasks and permissions of both employees and coworkers, in addition to the involvement and management of any third parties that participate in execution and delivery of our business processes.
Specific to compliance, SmartRecruiters adheres to and complies with relevant legalities, contractual requirements and latest industry-standards, including:
- ISMS based on ISO 27001
- Applications tested to OWASP standards
- Privacy Shield Certification
- EU PII legislation (GDPR - General Data Protection Regulation)
Global Compliance Program
SmartRecruiters Global Compliance Program covers three major areas:
- Adaptation - adapt the software to relevant laws that protect candidates and the companies they apply to in matters of recruiting,
- Facilitation - facilitate the presentation of customer privacy policies to their candidates, and
- Enablement - enable customers to achieve their diversity objectives.
Note that SmartRecruiters' current compliance program also extends to Russia and China for customers who engage in hiring and recruiting in these regions.
Security Controls and Practices
Maintaining a credible information security system requires continuous evolution to keep pace with innovative platform developments and preparation for increased threats. Such efforts require appropriate controls and heightened monitoring to respond to changing needs, in addition to performance of regular internal audits in accordance with ISO 27001, and external audits of infrastructure and applications, coupled with the constant analysis of reliable and repeatable measures. In the pages that follow, we outline our security controls and practices:
The process of asset management is crucial to information security and business operations, and includes information and the information-processing environment. Accordingly, SmartRecruiters established internal policies, procedures and instructions to identify, implement, maintain, and optimize security of assets. Every asset is owned, employees are trained to understand their responsibilities, and procedures are aligned with security standards to keep assets secure.
SmartRecruiters’ Information Security Management System obliges relevant internal departments to regularly review assets the company possesses and to classify them against three dimensions: probability of threat occurrence, possible consequences and level of protections. The sources of the threats can include natural disasters, technical failures, legal obligations (compliance), and human activities (malicious and non-malicious).
Information Security Awareness
Apart from various technical security protections, SmartRecruiters believes cybersecurity starts with consciousness of our employees. This consciousness is ingrained at all levels of the organization - starting from top management who participate in the Security Council and are tasked with executing the agreed quarterly cybersecurity plans across the entire organisation. In accordance with these plans, our employees participate in the following programs:
- Compliance (ISO 27001, GDPR, etc.)
- Techniques of secure software development
- Social engineering prevention
- Related industry security programs and training
SmartRecruiters pays special attention to the verification and hiring of our employees. Depending on the personnel function, coupled with the legislation of the country in which a vacancy is being created, SmartRecruiters takes appropriate actions, such as mandatory background checks, among other measures, to verify the integrity of the person who would join the team.
Onboarding and Exit
SmartRecruiters' onboarding process includes employee review and acceptance of data privacy agreements, non-disclosure agreements, mandatory security trainings, access setup to the systems, and other related items necessary for creating a secure and reliable work environment. Each new employee is required to complete the onboarding process before permissions and access to confidential data (where applicable) are granted.
The exit process is designed to prevent an exiting employee from accessing or acquiring confidential data or any other asset that belongs to the company during their departure, whether departing voluntarily or exiting as a result of termination. Depending on the position within the organization, SmartRecruiters organizes and secures knowledge transfer to ensure that key responsibilities are not lost.
New Employee Procedures and Policies
Every new employee, before starting their official duties, must pass cybersecurity and personal data processing security trainings. These trainings contain a mandatory knowledge check. Additional mandatory requirements instruct every employee to sign a non-disclosure agreement that intends to protect and secure proprietary company secrets and customer data.
SmartRecruiters has implemented a continuous audit testing program according to ISO 27001. Internal auditors test and optimize system operations and organizational processes. Specifically, these audit programs focus on:
- Sales and Marketing
- Infrastructure Access Rights
- Other related processes
Antivirus and Malware Protection
Every employee is obliged to use antivirus software on workstations and mobile phones/tablets. The SmartRecruiters policy of using antivirus software on hardware and infrastructure is monitored and audited.
Bug Bounty Hunters Program
Employees take part in an internal Bug Bounty Hunters Program created to merge efforts in threat management and risk avoidance. Its goals are to make the value of security-in-design understood, to maintain the highest possible level of awareness, to avoid gaps in security training (everyone needs to have the same level of awareness), to find and resolve as many bugs as possible, and finally, to keep the SmartRecruiters platform a secure product.
Usage of Subcontractors
SmartRecruiters does not outsource its operations to subcontractors.
Protection of Data
SmartRecruiters takes appropriate security measures to protect against any unauthorized use or access of our hardware and systems. Our security infrastructure includes intrusion detection services, security monitoring, restricted physical access, restricted network access, encrypted data access, redundant firewalls, isolated public/private LANs, isolated NAS and SAN access, and real-time antivirus. Further, as part of our ISO 27001 certification, we are required to maintain an Access and Password Policy, which requires periodic password updates and enforces monitoring of password guidelines.
Data Entry and Access Control
SmartRecruiters uses AWS to host all of our environments. Internally, we use clear separation of duties so that only specific employees can access certain areas of our product's database and software. All access to our services is logged, so we know exactly who has accessed what data at what time. Further, all access attempts to the production environment (logging in, code deployments, etc.) are limited to specific, trained SmartRecruiters IT staff and are always logged. We store internal log files indefinitely. Where applicable, SmartRecruiters abides by and supports country-specific data retention requirements for our customers. SmartRecruiters also stores information about key events in database audit tables. Our logs contain HTTP requests with information about the type of request, IP address, and user ID. We keep information about key events in our system and expose this to customers via the Audit API.
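The paragraph above says the logs record request type, client IP and user ID, which is what answers "who accessed what, at what time". The script below is an added example (not SmartRecruiters' code, and the log layout is an assumption made for the example, not the platform's real format) that parses a few constructed log lines and derives the three views an auditor typically asks for: per-user access history, attachment downloads, and write operations, plus a review signal for users seen from more than one IP.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an ASSUMED layout: timestamp, method, path, client IP, user ID.
# The real SmartRecruiters log format is not documented on the page.
SAMPLE_LOG = """\
2017-03-01T09:00:01Z GET /candidates/1001 198.51.100.7 user42
2017-03-01T09:00:05Z GET /candidates/1001/attachments/cv.pdf 198.51.100.7 user42
2017-03-01T09:02:10Z PUT /candidates/1001 198.51.100.7 user42
2017-03-01T09:03:00Z GET /candidates/1002/attachments/cv.pdf 203.0.113.9 user42
2017-03-01T09:04:00Z POST /jobs/555/publish 192.0.2.20 user7
2017-03-01T09:05:00Z GET /candidates/1003 192.0.2.20 user7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<ip>\S+) (?P<user>\S+)$"
)

WRITE_METHODS = ("PUT", "POST", "PATCH", "DELETE")


def parse_log(text):
    """Turn raw lines into event dicts; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def who_accessed_what(events):
    """user -> list of (timestamp, method, path): the 'who, what, when' view."""
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((ev["ts"], ev["method"], ev["path"]))
    return dict(by_user)


def attachment_downloads(events):
    """user -> count of attachment downloads (GET on a path containing /attachments/)."""
    counts = defaultdict(int)
    for ev in events:
        if ev["method"] == "GET" and "/attachments/" in ev["path"]:
            counts[ev["user"]] += 1
    return dict(counts)


def modifications(events):
    """(user, method, path) for every write: who modified which record."""
    return [(ev["user"], ev["method"], ev["path"])
            for ev in events if ev["method"] in WRITE_METHODS]


def users_with_multiple_ips(events):
    """Users seen from more than one client IP; a review signal, not proof of misuse."""
    ips = defaultdict(set)
    for ev in events:
        ips[ev["user"]].add(ev["ip"])
    return {u: sorted(s) for u, s in ips.items() if len(s) > 1}


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for user, rows in who_accessed_what(evs).items():
        print(user, [(ts.isoformat(), m, p) for ts, m, p in rows])
    print("downloads:", attachment_downloads(evs))
    print("writes:", modifications(evs))
    print("multi-IP users:", users_with_multiple_ips(evs))
```

The multi-IP check is deliberately a flag rather than a verdict: a recruiter working from office and home will trigger it, so it belongs in a review queue, not an automatic block.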
Data Transmission Control
Sensitive data transmitted between SmartRecruiters and a user's browser is encrypted using at least 128-bit encryption. AWS server-side encryption uses one of the strongest block ciphers available, 256-bit Advanced Encryption Standard (AES-256), to encrypt our customers' data. Communication between users and the SmartRecruiters platform is secured by HTTPS, which is enforced by HSTS. Data backups are also transferred encrypted, with very limited access.
All SmartRecruiters customer data is encrypted and secured in a similar fashion - using a multi-tenant structure. The data is segregated using a dedicated authorization engine, with another layer of separation delivered by AWS.
Data at Rest
Data at rest is encrypted and the encryption keys are protected using AWS Key Management Service (KMS). AWS KMS is a managed service to create and control the encryption keys used to encrypt data, and uses Hardware Security Modules (HSMs) to protect the security of keys. AWS Key Management Service is integrated with several other AWS services to help protect data at rest. AWS Key Management Service is also integrated with AWS CloudTrail to provide logs of all key usage, which help meet regulatory and compliance needs.
Our backup policy enforces storing backups in two copies. One copy of the data is stored in the production environment for day-to-day use with limited access. The second copy is stored in a secondary account, accessible to a very limited number of employees who have no access to the primary copy. No single employee (including management and administrators) has access that would allow deletion of all the copies. Segregation of Duties is therefore the overriding principle, and is the result of the Risk Assessment process we apply to every security area.
Data in Transit
SmartRecruiters ensures a high level of security by implementing the newest cryptographic protocols that provide communications security. HTTP access is protected by TLS 1.2, the newest version of that protocol. We ensure HTTPS-only access via HSTS. A full list of cipher suites currently in use with TLS 1.2 is listed below:
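Two controls from this section, a TLS 1.2 floor and HTTPS-only access through HSTS, are easy to state and easy to misconfigure. The example below is added here and is not SmartRecruiters' code: it builds a client-side TLS context that refuses anything below TLS 1.2 and drops cipher suites without forward secrecy, and it validates a `Strict-Transport-Security` header against a policy. The one-year `max-age` threshold and the `includeSubDomains` requirement are assumptions for the example; the page does not state the platform's values.

```python
import ssl

# Assumed policy thresholds (not stated on the page): a one-year max-age and subdomain coverage.
MIN_MAX_AGE = 31536000


def strict_client_context():
    """TLS context enforcing a TLS 1.2 floor and forward-secret, AEAD-only cipher suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher-string syntax: ECDHE key exchange with AES-GCM or ChaCha20,
    # explicitly excluding null, MD5, RC4 and 3DES suites.
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!MD5:!RC4:!3DES")
    return ctx


def min_version_name(ctx):
    """Name of the lowest protocol version the context will negotiate, e.g. 'TLSv1_2'."""
    return ctx.minimum_version.name


def allowed_cipher_names(ctx):
    """Cipher suite names the context is willing to offer (TLS 1.3 suites included)."""
    return [c["name"] for c in ctx.get_ciphers()]


def parse_hsts(header):
    """Parse an HSTS header value into a dict; directive names are case-insensitive."""
    out = {}
    for raw in header.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name == "max-age":
            try:
                out["max-age"] = int(value)
            except ValueError:
                out["max-age"] = None  # present but unparseable
        else:
            out[name] = True
    return out


def hsts_problems(header, min_max_age=MIN_MAX_AGE):
    """Return a list of policy violations for an HSTS header; empty means compliant."""
    d = parse_hsts(header)
    problems = []
    if d.get("max-age") is None:
        problems.append("missing or malformed max-age")
    elif d["max-age"] < min_max_age:
        problems.append(f"max-age {d['max-age']} below {min_max_age}")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains not set")
    return problems


if __name__ == "__main__":
    ctx = strict_client_context()
    print("minimum version:", min_version_name(ctx))
    print("offered suites:", allowed_cipher_names(ctx))
    print(hsts_problems("max-age=31536000; includeSubDomains; preload"))
    print(hsts_problems("max-age=300"))
```

A `max-age` of a few minutes is the common failure mode: the header is present, so a casual check passes, but browsers forget the policy almost immediately and the first plaintext request after that is again unprotected.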
As mentioned previously, SmartRecruiters is hosted by AWS, where each data center is a Tier-4. Leveraging our hosting provider AWS, we maintain full data center redundancy in Frankfurt, Germany, with warm failover capabilities across 2 physical sites. Further, SmartRecruiters is built on a microservices architecture, which ensures maximum resilience and reliability: failure of a few services is isolated and does not impact other working services. Because our servers are hosted in different AWS availability zones, we are ready (if needed) to use an alternate location in line with our disaster recovery plan.
Data Retention Periods
As a global solution provider, SmartRecruiters supports jurisdictional data security and privacy requirements. As part of our customer-enabled Global Compliance Center (released in January 2017), our customers can deploy locale-based data privacy statements for candidates to accept during the application process, and/or set rules to automatically delete personally identifiable data of candidates for compliance with country-specific data retention requirements. Where no data retention requirements apply, SmartRecruiters stores data until the contract's termination. Once a contract with a customer is terminated, SmartRecruiters will delete their data after 30 days, unless specified otherwise.
Another aspect of data retention is database backups. As part of maintenance activities, SmartRecruiters performs database backups. The database backups are deleted after 8 weeks.
To provide the highest levels of security and universal acceptance, digital signatures - also known as electronic “fingerprints” - are available to securely associate a signer with a document in a recorded digital transaction. This is made possible by the DocuSign solution natively integrated into our platform. More details available here.
Monitoring and Response Management
Information Security Incident Management
In the event of a security incident, SmartRecruiters follows implemented and tested procedures, with special care for emergency incidents. Whenever an incident concerns customer data or equates to a security breach, our international support team informs customers as soon as the breach is formally detected, according to the timeframes outlined in our Incident Management Policy.
Our support team works according to our Master Service Level Agreement (SLA), which you can find here. To help our employees react quickly enough and to give maximum information about platform status, any affected customer data, and security levels, SmartRecruiters implemented an Intrusion Detection and Prevention System with continuous monitoring.
Application logs are kept for a minimum of 3 months. System and audit logs are kept for a minimum of 1 year. Stored logs are secured such that no single person is able to delete all backup copies. The retention policy covers 9 types of logs, pushed daily to a KMS-encrypted S3 bucket.
Penetration and Vulnerability Testing
Given our commitment to enforcing high security standards, we implemented vulnerability management to avoid security risks (where possible) and minimize exploitation of known threats. Vulnerability tests are performed every month by the internal quality assurance (QA) team, and external penetration tests are performed every 6 months on both our infrastructure and application. The SmartRecruiters QA team is trained in recognizing and testing vulnerabilities, complemented by our internal Bug Bounty Hunters program, which helps to identify and detect bugs and threats. In addition, SmartRecruiters utilizes vendor relations, and monitors industry authorities and underground hacker communities to recognize and identify potential exploit schemes and new security alerts. Where applicable, patch evaluation, deployment, and notification constitute the SmartRecruiters update process.
Identity and Access Management
Rights & Roles Matrix - Segregation of Duties
The SmartRecruiters security system is based on the ‘Segregation of Duties’ principle, which prevents a single individual from having the access and authority to execute two or more conflicting sensitive transactions that together could significantly jeopardize the security of the company's assets. On top of this principle, and in alignment with identified risks, the SmartRecruiters security team has built a Rights & Roles Matrix that documents the access levels of various functions to the company's assets (including PII of our customers).
Like most SaaS companies, SmartRecruiters' platform architecture is structured as a multi-tenant system. Within this structure, several architectural protections provide strong security for each tenant. Tenants are separated by an authorization engine, and that separation is verified by multiple test scenarios that run automatically before a general release of any new version of the platform.
Authentication and authorization are crucial elements of platform security, supported by the strict implementation and monitoring of our internal Password Policy. Passwords have expiry dates, minimum length and minimum complexity parameters, and differ per system and account. Privileged accounts are managed separately as high-risk points. No shared accounts are used anywhere in the SmartRecruiters platform.
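The Password Policy paragraph names four requirements: expiry, minimum length, minimum complexity, and no reuse across systems and accounts. The validator below is an added example, not SmartRecruiters' code, showing how those requirements are checked together so that a compliant-looking password that has simply expired, or that is reused on a second system, is still reported. The concrete values (12 characters, 3 character classes, 90 days) are assumptions for the example; the page does not publish the platform's parameters.

```python
import re
from datetime import date, timedelta

# Assumed policy parameters; the page states the requirement categories but not the values.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3
MAX_AGE_DAYS = 90

CLASS_PATTERNS = {
    "lower": r"[a-z]",
    "upper": r"[A-Z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def character_classes(password):
    """Set of character classes present in the password."""
    return {name for name, pat in CLASS_PATTERNS.items() if re.search(pat, password)}


def password_violations(password, set_on, today, *, min_length=MIN_LENGTH,
                        required_classes=REQUIRED_CLASSES, max_age_days=MAX_AGE_DAYS,
                        used_elsewhere=()):
    """Return every policy violation for a password; an empty list means compliant.

    set_on / today are ISO date strings (YYYY-MM-DD). used_elsewhere holds the
    passwords in use on the person's other systems and accounts, to enforce
    'differ per system and account'.
    """
    violations = []
    if len(password) < min_length:
        violations.append(f"shorter than {min_length} characters")
    if len(character_classes(password)) < required_classes:
        violations.append(f"fewer than {required_classes} character classes")
    age = date.fromisoformat(today) - date.fromisoformat(set_on)
    if age > timedelta(days=max_age_days):
        violations.append(f"older than {max_age_days} days")
    if password in used_elsewhere:
        violations.append("reused across systems or accounts")
    return violations


if __name__ == "__main__":
    print(password_violations("Tr0ub4dor&3xample", "2017-05-01", "2017-06-01"))
    print(password_violations("password", "2017-01-01", "2017-06-01"))
```

In a real deployment the `used_elsewhere` comparison would be done against stored hashes, never against plaintext; the list form here only keeps the example self-contained.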
SmartRecruiters has implemented a broadly supported industry standard for Web SSO – SAML 2.0. This standard not only allows for quick setup and configuration, but is also supported by a majority of Identity Providers on the market.
Our Customer API provides customers and partners a flexible platform to integrate their services or applications, build their own apps, and create fully customizable career sites. The Customer API exposes SmartRecruiters functionality and allows customers to connect and build software that enhances their instance. Access to API endpoints is available with a token or via OAuth.
The Customer API is a REST API created for application developers to enable seamless integration with our SmartRecruiters platform. It is divided into several components:
- Posting API – Enables customers to build fully customizable career sites and partners to build widgets. This API contains snapshots of all published jobs as of the last time they were published.
- Application API – Enables customers and partners to integrate into their own site the full candidate application including screening questions, allows new applications to be submitted, and exposes the status of previously submitted applications.
- Job API – Enables customers to extract and import job data to/from the SmartRecruiters platform, and partners to build applications that can be consumed by customers.
- Candidate API – Enables customers to import, export, read, and update candidate data.
- User API – Enables customers to extract and import user data to/from the SmartRecruiters platform, and partners to build applications that can be consumed by customers.
- Configuration API – Enables customers to extract and import configuration data to/from the SmartRecruiters platform, and partners to build applications that can be consumed by customers.
- Analytics API – Consists of a collection of endpoints specifically built to allow users to download data extracts for reporting and analytics purposes.
- Audit API – Enables customers to extract data on user activity (across many roles) and candidates, such as who modified a candidate profile, who downloaded an attachment, and who published job ads and when, among many other in-platform user activities.
The Marketplace API is created specially for our partners. It is divided into several components:
- Application API – Exposes the full candidate application, allows new applications to be submitted, and exposes the status of previously submitted applications.
- Offer API – Allows partners to create and manage offers.
- Assessment API – Enables assessment and screening vendors to receive assessment requests and submit assessment results.
- Job Board API – Allows job board vendors to integrate with SmartRecruiters Marketplaces.
Physical and Environmental Security
Because SmartRecruiters is hosted by AWS, no data is stored on our site, nor does our staff have physical access to servers and network equipment. The Terms and Conditions of AWS services guarantee compliance with industry-standard security requirements. Specifically, physical access to Amazon AWS data centers is enforced and controlled by AWS's electronic access control system, featuring sophisticated technical and physical controls designed to prevent unauthorized access. Please refer to https://aws.amazon.com/security
Physical access by SmartRecruiters personnel within our regional offices is monitored and tracked. All SmartRecruiters offices are protected by an intrusion detection system with integrated alarms, maintained by managed office suppliers.
SmartRecruiters facilities are equipped with fire detection and suppression systems, security cameras in CCTV system, backup generators for back office servers, humidity controllers inside internal data center and logged token based entries. Internal policies include storage device decommissioning, secure disposal for equipment data and media.
SmartRecruiters logical network is architected with full redundancy in mind as illustrated here.
Network devices, including firewalls and other boundary devices, are in place to monitor and control communications at the external boundary of the network and at key internal boundaries within the network. These boundary devices employ rule sets, access control lists (ACLs), and configurations enforcing the flow of information to specific information system services. ACLs, or traffic flow policies, are established on each managed interface, and accordingly manage and enforce the flow of traffic. ACL policies are approved by Amazon Information Security. These policies are automatically pushed using AWS's ACL-Manage tool, to help ensure these managed interfaces enforce the most up-to-date ACLs.
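Traffic flow policies like the ACLs described above are ordered rule lists evaluated first-match-wins with an implicit default deny, and the classic review finding is a rule that can never fire because an earlier, broader rule already decides the same traffic. The example below is added here and is not AWS's or SmartRecruiters' tooling: it evaluates a constructed four-rule boundary policy and includes a shadowing check that flags such dead rules. The subnets and ports are invented for the example.

```python
import ipaddress

# Constructed boundary ACL for an ASSUMED layout: web tier 10.0.1.0/24, database tier 10.0.2.0/24,
# management subnet 10.0.9.0/24. Each rule is (action, protocol, src_cidr, dst_cidr, dst_port);
# "any" is accepted for protocol and port. First match wins; no match means deny.
RULES = [
    ("permit", "tcp", "10.0.9.0/24", "10.0.0.0/16", 22),    # management may SSH internally
    ("deny",   "tcp", "0.0.0.0/0",   "0.0.0.0/0",   22),    # no other SSH across this boundary
    ("permit", "tcp", "0.0.0.0/0",   "10.0.1.0/24", 443),   # HTTPS to the web tier
    ("permit", "tcp", "10.0.1.0/24", "10.0.2.0/24", 5432),  # only the web tier reaches the database
]


def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)


def _field_matches(rule_value, value):
    return rule_value == "any" or rule_value == value


def evaluate(rules, proto, src_ip, dst_ip, dst_port):
    """Return (action, index_of_matching_rule); (\"deny\", None) when nothing matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for i, (action, r_proto, r_src, r_dst, r_port) in enumerate(rules):
        if (_field_matches(r_proto, proto) and src in _net(r_src)
                and dst in _net(r_dst) and _field_matches(r_port, dst_port)):
            return action, i
    return "deny", None


def _covers(rule_value, later_value):
    """True when an earlier rule's protocol/port field decides everything the later one could."""
    return rule_value == "any" or rule_value == later_value


def shadowed_rules(rules):
    """List of (later_index, earlier_index) where the later rule can never match.

    A rule is shadowed when an earlier rule accepts every packet it accepts:
    same-or-wider protocol, source and destination subnets that contain it,
    and the same-or-any port. The earlier rule's action is irrelevant; a
    shadowed permit under a broad deny is the case reviewers most often miss.
    """
    found = []
    for j, (_, p_j, s_j, d_j, port_j) in enumerate(rules):
        for i, (_, p_i, s_i, d_i, port_i) in enumerate(rules[:j]):
            if (_covers(p_i, p_j) and _net(s_j).subnet_of(_net(s_i))
                    and _net(d_j).subnet_of(_net(d_i)) and _covers(port_i, port_j)):
                found.append((j, i))
                break
    return found


if __name__ == "__main__":
    print(evaluate(RULES, "tcp", "203.0.113.5", "10.0.1.10", 443))
    print(evaluate(RULES, "tcp", "203.0.113.5", "10.0.1.10", 22))
    broken = RULES + [("permit", "tcp", "198.51.100.0/24", "10.0.1.0/24", 22)]
    print(shadowed_rules(broken))
```

Running the shadowing check as part of change review catches the common drift pattern in which an exception is appended to the bottom of a policy whose earlier catch-all deny makes it dead on arrival.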
Dedicated instances are Amazon EC2 server instances that run in a virtual private cloud (VPC). The isolation of the server instances is provided on multiple levels that include: the operating system (OS) of the host platform, the virtual instance OS or guest OS, a firewall, and signed API calls.
Network Monitoring and Protection
SmartRecruiters actively monitors its platform on both the network and application level. Automated alerting systems notify the DevOps team in case of any observed malfunctions, traffic beyond warning levels, and other irregularities.
Networking is actively monitored by:
- AWS - general network monitoring, WAF, anti-DDoS
- Cloudflare (traffic for selected subdomains) - WAF, anti-DDoS
- SmartRecruiters - Intrusion Prevention Systems, HTTP-level filtering, traffic throttling and alerting
Apart from the monitoring provided and maintained by SmartRecruiters internal team, the network is also monitored by AWS staff. AWS utilizes a wide variety of automated monitoring systems to provide a high level of service performance and availability. AWS monitoring tools are designed to detect unusual or unauthorized activities and conditions at ingress and egress communication points. These tools monitor server and network usage, port scanning activities, application usage, and unauthorized intrusion attempts. The tools have the ability to set custom performance metrics thresholds for unusual activity.
Apart from strictly monitoring activities, the SmartRecruiters security team performs various preventive operations including vulnerability scans (automatic and manual), which are intended to detect security flaws on the level of the operating system, web application and databases.
Change Management Security
Software, Hardware, Managing Patches
SmartRecruiters infrastructure is regularly and automatically reviewed against available software updates. The patches are applied either automatically or manually with the mandatory validation of correct service operations. The SmartRecruiters security team monitors security/vulnerability information feeds and acts if needed.
Code - Security in Development and Support Processes
Platform code validation is an area of security our team focuses on. Specifically, the SmartRecruiters development process includes a number of activities such as:
- training about security standards and precautions
- mandatory code review
- regular internal penetration tests (by the internal QA team)
- regular external penetration tests (by a third party)
- code scanning via an automated solution
Business Continuity Process and Disaster Recovery (BCP&DR)
AWS infrastructure offers a high level of availability and provides SmartRecruiters features to deploy a resilient IT architecture. AWS has designed its systems to tolerate system or hardware failures with minimal customer impact. Data center Business Continuity Management at AWS is under the direction of the Amazon Infrastructure Group. Data centers are built in clusters in various global regions. All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites.
SmartRecruiters operates in two AWS data centers, both located in the Frankfurt region. The role of the primary data center is to process all incoming traffic during normal operations. The secondary data center stores the backups of the primary region from the last 24 hours and can be operational within 24 hours thanks to automated management of the service configuration.
SmartRecruiters uses two separate data centers in the Frankfurt region for failover and disaster recovery purposes; these data centers are located approx. 50 km apart from each other. AWS has built a fault-tolerant architecture and infrastructure, where all the base services of the platform are redundant with active failover capacity. Base services include application servers, web servers, database servers, load balancers, and storage.
With the exception of a force majeure event, SmartRecruiters commits to the following values:
- RTO (Recovery Time Objective) = 8 hours maximum unscheduled outage time
- RPO (Recovery Point Objective) = 8 hours maximum loss of data
Depending on the configuration selected and used by a customer, the SmartRecruiters platform works with third-party sub-processors for some functions. These are the companies listed below. Security responsibilities are described in contracts or terms and conditions. Where needed, a DPA is signed. For companies without a SOC 2 report, SmartRecruiters conducts remote security audits once a year.
- SmartRecruiters (SPOLKA AKCYJNA) Oddzial w Polsce (Poland): our branch in Poland is used for operation, maintenance, support and testing of our talent acquisition platform;
- Amazon Web Services, Inc. is used for hosting of the data. The hosting location is the AWS Germany cluster.
- SendGrid, Inc. (US) is used to power the sending and receiving of emails from our talent acquisition platform to You and our Customer.
- Textkernel B.V. (The Netherlands) is used to parse the Candidate's CV and documents and populate the database fields.
- Jitterbit, Inc. (US, service optional) is the cloud connector hosted in our hosting location in Germany and used to host and maintain any custom integrations between the Customer's system and the SmartRecruiters platform.
- ClickBoarding, LLC (US, service optional) is used by our Customers subscribing to the onboarding add-on.