Security Leadership

JazzHR recognizes the importance of fostering innovation built on the foundation of customer trust, which is why JazzHR is committed to providing solutions that safeguard your organization’s data. A dedicated team leads our secure engineering efforts, combined with an enterprise security program with oversight from legal and senior leadership. A Vice President directs the security strategy and compliance initiatives at JazzHR and Employ Inc and oversees the Security and Technology teams. Employ Inc Head of Security and Global Security Operations Center team members further support these efforts.


What Type of Data Do We Collect, Receive, Process and Store?

The JazzHR Recruitment Platform receives, processes, and stores personal information captured in resumes submitted by candidates seeking employment. JazzHR stores information about your organization’s job opportunities and other workforce program information used to administer recruiting activities on the JazzHR Recruitment Platform. For complete details about the personal information collected, received, processed, and stored, please visit our privacy notice at https://www.jazzhr.com/privacy-policy.


JazzHR Assurance & Privacy Programs

SOC (Service Organization Control) 2 Type 2

A Service Organization Control report (SOC 2 Type 2 report) is evidence of a service provider’s internal organizational controls over crucial governance areas, including how a company safeguards customer data and how well those controls operate over an auditing period. SOC 2 reports provide a customer with a verified external opinion that can assist them in evaluating the risks associated with procuring third-party technology services like JazzHR. JazzHR is working with Employ to complete a SOC 2 Type 1 audit in 2023 and targets having a SOC 2 Type 2 audit conducted by a third-party auditor in 2024.

Cloud Security Alliance – Consensus Assessments Initiative Questionnaire

JazzHR has joined the Cloud Security Alliance (CSA) to promote best practices in providing security assurance within Cloud Computing environments by completing the Consensus Assessments Initiative Questionnaire (CAIQ). CAIQ offers an industry-recognized method to communicate which security controls exist in IaaS (Infrastructure as a Service), PaaS (Platform as a Service), and SaaS service provider organizations, providing security control transparency through a standardized document. The CAIQ has 16 governing & operating domains divided into “control areas” within CSA’s Controls Matrix structure, including:

  • Application & Interface Security
  • Audit Assurance & Compliance
  • Business Continuity Management & Operational Resilience
  • Change Control & Configuration Management
  • Data Security & Information Lifecycle Management
  • Datacenter Security
  • Encryption & Key Management
  • Governance and Risk Management
  • Human Resources
  • Identity & Access Management
  • Infrastructure & Virtualization Security
  • Interoperability & Portability
  • Mobile Security
  • Security Incident Management, E-Discovery & Cloud Forensics
  • Supply Chain Management, Transparency and Accountability
  • Threat and Vulnerability Management


GDPR & CCPA

JazzHR’s information security parameters comply with the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). As a recruitment platform provider, JazzHR is primarily a service provider and data processor under the GDPR and CCPA. JazzHR has no direct relationship with the individual employees and jobseekers whose personal data it processes on behalf of our customers. The employer is responsible for complying with the job seeker’s deletion request. If you are an employee or jobseeker and would no longer like to be contacted by an employer on the JazzHR ATS (Applicant Tracking System) platform, please contact the employer directly to resolve your concern.

Customers with an active Master Services Agreement with JazzHR can request a Data Privacy Addendum. Customers can request a copy of the JazzHR Data Privacy Addendum by contacting Customer Support or Sales.

Standard Contractual Clauses (SCC)

For Customers with data processing requirements for European Union residents, JazzHR has the Standard Contractual Clauses (SCC) as approved by the European Commission. This ensures that as a data processor, JazzHR has the appropriate safeguards to protect personal data transferred to JazzHR and its third-party providers in the United States of America.

Privacy Shield

For personal information received that originates in the European Union, JazzHR has certified its compliance with the EU-U.S. Privacy Shield Framework as set forth by the United States Department of Commerce regarding the collection, use, and retention of personal information from European Union countries. JazzHR adheres to all Privacy Shield Principles when transferring and processing personal data from the EU to the U.S. (United States). To verify JazzHR’s participation in the EU-U.S. Privacy Shield program, please visit www.privacyshield.gov.

Customer Security Reviews & Assessments

JazzHR aims to operate transparently and to assure its security posture by supporting customer vendor due diligence processes. If your organization would like to conduct a security review or assessment, you may submit your security questionnaire or third-party vendor assessment to our JazzHR Security team for review by contacting Customer Support or Sales.


JazzHR Data Security

Data Encryption (In Transit and At Rest)

All customer information, including Personally Identifiable Information (PII), that is transmitted between external networks (e.g., a user’s internet browser or third-party application programming interfaces (APIs)) and the JazzHR Recruitment Platform travels exclusively over HTTPS connections encrypted with Transport Layer Security (TLS). JazzHR supports the latest open-source and commercial internet browsers (e.g., Google Chrome, Apple Safari, Microsoft Edge, and Mozilla Firefox) that support secure cipher suites to encrypt all traffic in transit, including the TLS 1.2 transport-level encryption protocol.

All customer information, including Personally Identifiable Information (PII) stored in JazzHR’s service delivery environment, is protected at rest using AES-256-bit encryption.

Key Management

JazzHR uses Amazon Web Services’ Key Management Service (KMS) to manage the creation and lifecycle of private encryption keys. JazzHR APIs leverage those keys to perform encryption, decryption and re-encryption operations on customer-provided data as needed.

Data Retention

JazzHR’s data retention period for the JazzHR Recruitment Platform is six months for application and system logs. Customer data in the JazzHR Recruitment Platform is stored for the duration of the service contract.

Data Deletion

The JazzHR Platform provides built-in product functionality for customers to perform delete operations on-the-fly. These tools allow customers to comply with their regulatory obligations independent of JazzHR. Deletion means removing all customer personal data such that it cannot be recovered or reconstructed from JazzHR databases, systems, or another repository. JazzHR does not delete customer data or configure customer retention policies during an active service term. JazzHR initiates the deletion of all customer data from the production systems six months following contract termination or trial expiration if not requested in advance by the customer. Customer data will be held in encrypted backups for an additional six months after deletion from the production environment. The JazzHR engineering and operations team performs the data deletion. JazzHR can notify the customer that its data deletion is complete upon request.


JazzHR’s Multi-Tenant Environment

The JazzHR Recruitment Platform is a Software-as-a-Service (SaaS) platform based on a multi-tenant architecture that logically separates customer data through access controls based on company, users, and roles. Our application has extensive access control lists (ACLs), role-based access controls (RBAC), authentication, and authorization mechanisms that restrict data access to authorized users only. All customer accounts are assigned a primary key to access data or services. The primary key is combined with the user ID to create a unique GUID, which allows access only to services and data that match the customer/user GUID.
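As an added illustration of the tenant-scoping pattern described above (example code, not JazzHR’s own), the following Python sketch derives a per-customer/user GUID from an account primary key and a user ID, then enforces tenant isolation and a role check before any read or delete. The namespace value, the sample records and all function names are assumptions.

```python
import uuid
from dataclasses import dataclass

# Constructed sample data: two customer accounts sharing one datastore.
# Each record carries the owning account's primary key.
CANDIDATES = [
    {"id": 1, "account_pk": "acct-100", "name": "A. Applicant"},
    {"id": 2, "account_pk": "acct-100", "name": "B. Candidate"},
    {"id": 3, "account_pk": "acct-200", "name": "C. Jobseeker"},
]

# Hypothetical namespace for deriving a stable per-customer/user scope GUID.
SCOPE_NAMESPACE = uuid.UUID("00000000-0000-0000-0000-000000000001")  # assumed value


@dataclass(frozen=True)
class Session:
    account_pk: str
    user_id: str
    role: str

    @property
    def scope_guid(self) -> uuid.UUID:
        # Combine the account primary key with the user ID into one deterministic
        # GUID; the same (account, user) pair always maps to the same scope.
        return uuid.uuid5(SCOPE_NAMESPACE, f"{self.account_pk}:{self.user_id}")


class AccessDenied(Exception):
    pass


def list_candidates(session: Session) -> list:
    # The tenant filter comes from the authenticated session, never from
    # client-supplied input, so a caller cannot widen its own partition.
    return [c for c in CANDIDATES if c["account_pk"] == session.account_pk]


def get_candidate(session: Session, candidate_id: int) -> dict:
    # Look up only within the tenant's own partition: an ID owned by another
    # tenant is indistinguishable from a non-existent one.
    for c in list_candidates(session):
        if c["id"] == candidate_id:
            return c
    raise AccessDenied(f"candidate {candidate_id} not visible to scope {session.scope_guid}")


def delete_candidate(session: Session, candidate_id: int) -> bool:
    # RBAC on top of tenant isolation: only an admin role may delete, and the
    # record must still resolve inside the caller's own tenant.
    if session.role != "admin":
        raise AccessDenied(f"role {session.role!r} cannot delete candidates")
    record = get_candidate(session, candidate_id)
    CANDIDATES.remove(record)
    return True
```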


JazzHR Infrastructure and Network Security

Cloud Hosting Platforms

JazzHR uses Amazon Web Services (AWS) as its cloud hosting provider for the JazzHR Recruitment Platform. AWS is architected to be the most flexible and secure cloud computing environment available today – providing a broad set of global cloud-based services, including computing, storage, databases, analytics, networking, developer tools, management tools, security, and enterprise applications. AWS core infrastructure satisfies the security requirements for the military, global banks, and other high-sensitivity organizations. It is backed by a deep set of cloud security tools, with over 230 security, compliance, and governance services and features. AWS currently supports over 90 security standards and compliance certifications.

Physical Security

JazzHR uses Amazon Web Services (AWS) located in the us-east-1, us-east-2, and us-west-2 regions. JazzHR does not have physical access to the AWS data centers. For more information on AWS data centers, please visit https://aws.amazon.com/compliance/data-center/.

For our corporate offices – employee access into buildings and offices is controlled using electronic access control cards and video surveillance monitoring. All visitors are validated with proper identification for sign-in and must wear a visitor identity badge.

Logical Access Control

JazzHR maintains access control policies consistent with best practices. The customer support teams must access systems to support JazzHR customers in troubleshooting and resolving customer issues communicated via support channels. Technical team members need access to resolve escalated customer issues and provide technical support for the environment. The level of access depends on the role and responsibilities associated with an internal function. JazzHR grants access using a role-based access control model.

Intrusion Detection and Prevention

JazzHR uses the AWS GuardDuty managed threat detection service, which monitors for unusual activity and raises alerts. JazzHR’s production application is hosted in Amazon Web Services with load balancing to help detect and automatically mitigate specific network-based attacks, such as DDoS (Distributed Denial of Service). Our VPC (Virtual Private Cloud) contains auto-scaling instances to help distribute any attack load and reduce service impact.

Remote Access

Only authorized JazzHR employees can access the production JazzHR Recruitment Platform via restricted bastion hosts with a secure VPN session and multi-factor authentication. We log all access to all accounts by IP address and monitor access logs for unusual activity.


JazzHR Business Continuity and Disaster Recovery

High Availability

The JazzHR Recruitment Platform is hosted in the AWS US-East region, where the data center is in Virginia, US (United States). The US-East region consists of five (5) Availability Zones (AZs), and JazzHR’s platform uses four (4) of those zones. JazzHR utilizes an N+1 configuration, using load balancers across the web, application, resource server and database tiers. All database architectures use a primary-secondary arrangement to provide the highest availability and performance.

Disaster Recovery

All customer data in the production JazzHR Recruitment Platform is backed up via full instance/system images taken weekly and daily, plus database transaction log backups every 15 minutes. All backup files are stored in Amazon S3 storage, encrypted before backup and encrypted at rest, with access logging enabled. Backups are test-restored during the monthly maintenance window.

Data Backup and Recovery

JazzHR performs a daily backup of all customer data, storing all encrypted backup data in Amazon S3 using AES-256 encryption. JazzHR tests its data recovery process every quarter. The RPO (Recovery Point Objective) is 24 hours. The RTO (Recovery Time Objective) is less than 1 hour for server infrastructure and less than 4 hours for database infrastructure.

Business Continuity

JazzHR performs annual tests and tabletop exercises for business continuity across the various teams that provide support and service to the JazzHR Recruitment Platform and its customers.


JazzHR Corporate Security

Background Checks

JazzHR performs various background checks, such as criminal and reference checks, on all new employees and contractors; the results are subject to approval by JazzHR management before employment.

Employee Onboarding & Offboarding

JazzHR follows a detailed checklist when onboarding new employees into the organization (providing them with the necessary access to systems to do their job and security awareness training) and offboarding employees leaving the organization (ensuring all respective accounts are disabled within 24 hours of termination).

Information Security Policies

JazzHR is working with Employ to adopt information security policies that are updated on an ongoing basis and reviewed annually for business and technical operations alignment for the organization. The information security policies follow industry security frameworks and best practices from ISO 27001, National Institute of Standards and Technology (NIST) and Payment Card Industry – Data Security Standard (PCI-DSS).

Security Training

All new employees receive onboarding and systems training, including environment and access control setup, formal security awareness and privacy training, security policies review, company policies review, and corporate values. In addition, all engineers receive formal security training on OWASP Top 10 and software development topics focused on secure software development lifecycle process. Every year, all employees participate in the mandatory annual security awareness training. JazzHR uses KnowBe4 – a training platform focusing on security awareness.

Access Control & Multi-Factor Authentication

JazzHR uses an access control list and role-based access control groups to allow only authorized JazzHR employees to access data systems on an as-needed basis. Access to the various SaaS systems that JazzHR uses to manage day-to-day activities in supporting our customers is authenticated through a single sign-on system with multi-factor authentication. Access is logged and monitored for unusual activity via our 24×7 Security Operations Center.

Mobile Device Management

Whether provided by the organization or by the individual for business use, mobile devices such as laptops, tablets, and smartphones are subject to the Employ Inc Information Technology (IT) Mobile Device Management solution, which enables JazzHR to protect and secure corporate resources and data across different devices. Employ Inc utilizes JAMF and Microsoft Endpoint Manager, cloud-based services focusing on mobile device management (MDM) and mobile application management (MAM).

Anti-Virus / Anti-Malware Protection

JazzHR is responsible for protecting the organization’s infrastructure from viruses and malware by using firewalls, anti-virus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews, and malware incident management. JazzHR utilizes commercial enterprise endpoint protection solutions from industry-leading providers such as Sophos and open-source projects such as ClamAV.

Third-Party Vendor Management

JazzHR reviews our third-party vendors and sub-processors annually or when significant changes may impact the integration of their services with the JazzHR Recruitment Platform. We review our third-party vendors’ SOC 2/ISO certifications and relevant security information to ensure they align with our security practices.


JazzHR Product Operations

Infrastructure-As-Code

JazzHR follows an Infrastructure-as-Code methodology to reduce manual administrative tasks when building, updating, removing, and scaling infrastructure to meet application performance and uptime commitments, and to make infrastructure changes auditable and repeatable with a lower rate of misconfiguration.

Software Development Lifecycle

JazzHR follows a software development lifecycle to design, develop and test high-quality product features. The JazzHR Product Management and Engineering team work closely to produce high-quality components. JazzHR follows a scrum process for delivering new features and improvements into the production JazzHR Recruitment Platform.

Change Management

JazzHR follows a standard change management process using Atlassian JIRA workflows that are aligned with the JazzHR software development lifecycle and software release process. All change requests are reviewed and approved by JazzHR subject matter experts. Changes are performed in non-production environments first. Once the change has been successfully verified in the non-production environment, the change is then scheduled to be performed in the production environment during the scheduled maintenance window. JazzHR follows a scrum process where team retrospectives are performed at the end of each sprint to review operational effectiveness and quality of delivery.

Risk Management

JazzHR leverages an informal risk management program to identify, assess, mitigate, report, and monitor risks. The JazzHR Product and Engineering teams review and evaluate the risks identified by the Security Team at least bi-annually. The risk management program encompasses the following phases:

  • Identify – The identification phase includes listing the risks (threats and vulnerabilities) in the environment. This phase provides the basis for all subsequent risk management activities.
  • Assess – The assessment phase considers the potential impact(s) of identified risks to the business and their likelihood of occurrence and includes an evaluation of internal control effectiveness.
  • Mitigate – The mitigate phase includes putting controls, processes, and other physical and virtual safeguards in place to prevent and detect identified and assessed risks.
  • Report – The report phase results in risk reports provided to managers with the data they need to make effective business decisions and comply with internal policies and applicable regulations.
  • Monitor – The monitoring phase includes JazzHR Compliance performing monitoring activities to evaluate whether processes, initiatives, functions and/or activities mitigate the risk as designed.


Incident Management

JazzHR follows an incident management process to restore “normal” service operations as quickly as possible, minimizing any adverse impact on business operations or our customers. JazzHR’s Security Incident Management process is formalized and defines how to escalate and respond to incidents appropriately.

Scheduled Maintenance Windows

JazzHR follows a standardized change management process in which we perform maintenance on the JazzHR Recruitment Platform in a scheduled maintenance window.

Uptime Monitoring

JazzHR uses various commercial and open-source tools to monitor the performance and availability of the JazzHR Recruitment Platform from an infrastructure and application perspective. JazzHR maintains an average 99.9% uptime.


JazzHR Vulnerability Management Programs

Penetration Tests & Network Scans

JazzHR performs web application penetration and exploitation tests on the JazzHR Recruitment Platform through a third-party vendor, BSI AppSec, using automated and manual testing techniques covering:

  • Authentication
  • Authorization
  • Session Management
  • Input/output Validation
  • Configuration
  • Sensitive Data Handling
  • Privilege Escalation
  • Error Handling
  • Logical Vulnerability Checks
  • Business Logic

JazzHR also uses open-source security tools like OpenVAS (Open Vulnerability Assessment Scanner) and OWASP Zed Attack Proxy (ZAP) to perform security scans.

System & Application Patching

JazzHR proactively monitors various trusted sources for common vulnerabilities and exposures (CVE) to secure the operating system and application services supporting the JazzHR Recruitment Platform. JazzHR also uses tools such as AWS Inspector to automatically assess the operating system and application services for exposure, vulnerabilities, and deviations from security best practices. As part of the JazzHR Risk Management process, as new vulnerabilities and exposures are discovered and announced, JazzHR follows a change management process for reviewing and rolling out system and application patches for the JazzHR Recruitment Platform. Before patching in our production environment, JazzHR will verify all patches in our testing environment.

Responsible Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns with JazzHR’s Recruitment Platform or services, please contact security@jazzhr.com.

We take all disclosures seriously. Once disclosures are received, our security team will verify the vulnerability and may contact you to further collaborate on the findings. The security team will work with our product management and engineering services team on the disclosure for resolution using our software development lifecycle and change management process.


Last updated January 25th, 2023.