Security & Compliance

Leadership

Employ’s leadership team recognizes the importance of fostering innovation built on the foundation of customer trust, which is why Employ is committed to building solutions that aim to safeguard your organization’s data. This approach of secure engineering is combined with an enterprise security program led by a dedicated team with oversight from legal and senior leadership. Employ’s security programs and practices have been independently verified against the SOC 2 and ISO 27001 frameworks. The security strategy and compliance initiatives at Employ are directed by a Vice President at Employ who is responsible for overseeing the Security and Technology teams. This leadership effort is further supported by Employ’s Director of Cybersecurity Programs, Security Engineering and Global Security Operations Center team members.

What Type of Data Do We Collect, Receive, Process and Store?

Our JazzHR Platform receives, processes, and stores personal information captured in resumes submitted by candidates seeking employment opportunities. For complete details about the personal information collected, received, processed, and stored, please visit our privacy site at https://www.employinc.com/privacy/. JazzHR also stores information about your organization’s job opportunities posted online and other workforce program information used to administer recruiting activities on the JazzHR Platform.

Employ is committed to educating our customers, prospects, applicants, candidates, and the general market about our efforts in the artificial intelligence (AI) and machine learning (ML) space. The industry is moving in the direction of more automation driven by AI and ML, resulting in increased activity that is guided and/or executed based on pre-defined workflows and data models. This advancement will provide amazing productivity increases, allowing customers to create and build relationships with many more individuals in each phase of the sourcing, recruiting, hiring, and onboarding journey.

JazzHR Assurance & Privacy Programs

SOC 2 Type 1

A Service Organization Report (SOC 2 Type 1 report) focuses on a service provider’s systems and the suitability of the design of controls to meet the relevant trust service criteria. It is a crucial indicator of JazzHR’s ability to handle customer data, highlighting our commitment to maintaining stringent data security and privacy standards. The SOC 2 Type 1 report is particularly significant for customers evaluating the security of our technology services. It provides an external, verified perspective on our control environment at a specific point in time, ensuring that the design of our controls is appropriate and effective for handling sensitive data. CyberGuard Compliance, an independent third-party auditor, has issued JazzHR’s SOC 2 Type 1 report.

SOC 2 Type 2

A Service Organization Report (SOC 2 Type 2 report) is designed to evidence a service provider’s internal organizational controls concerning key governance areas, including how a company safeguards customer data and how well those controls are operating over time. SOC 2 reports provide a customer with a verified external opinion that can assist them with evaluating the risks associated with procuring third-party technology services like JazzHR. A third-party auditor will complete a SOC 2 Type 2 examination on JazzHR in Q4/2024.

ISO/IEC 27001

ISO/IEC 27001 is an international standard that is a testament to an organization’s commitment to information security. It demonstrates that an organization has established and maintains a robust information security management system (ISMS) in line with international standards. Just as a SOC 2 Type 2 report provides valuable insights into a service provider’s controls, an ISO/IEC 27001 certification attests to an organization’s dedication to safeguarding sensitive information. Schellman, an independent third-party auditor, has issued Employ’s ISO/IEC 27001 certificate.

Cloud Security Alliance – Consensus Assessments Initiative Questionnaire

Employ has joined the Cloud Security Alliance’s (CSA) mission to promote best practice in the provision of security assurance within Cloud Computing environments by completing the Consensus Assessments Initiative Questionnaire (CAIQ). CAIQ offers an industry-recognized method to communicate which security controls exist in IaaS (Infrastructure as a service), PaaS (Platform as a service), and SaaS service provider organizations, providing security control transparency through a standardized document. The CAIQ is organized into 16 governing & operating domains divided into “control areas” within CSA’s Controls Matrix structure, including:

  • Application & Interface Security
  • Audit Assurance & Compliance
  • Business Continuity Management & Operational Resilience
  • Change Control & Configuration Management
  • Data Security & Information Lifecycle Management
  • Datacenter Security
  • Encryption & Key Management
  • Governance and Risk Management
  • Human Resources
  • Identity & Access Management
  • Infrastructure & Virtualization Security
  • Interoperability & Portability
  • Mobile Security
  • Security Incident Management, E-Discovery & Cloud Forensics
  • Supply Chain Management, Transparency and Accountability
  • Threat and Vulnerability Management

The CAIQ is reviewed and updated monthly as part of our continuous improvement in security.

JazzHR Security & Compliance Information Package

The JazzHR Security & Compliance information package includes the latest SOC 2 report, ISO 27001 certificate, information security policies, latest penetration test results and high-level architecture diagrams. This package can be requested by contacting Customer Support or Sales.

GDPR & CCPA

JazzHR’s information security parameters comply with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) and are intended to support our customers’ compliance with the GDPR and CCPA. As a provider of a recruitment platform, JazzHR is primarily a service provider or data processor under the GDPR and CCPA. JazzHR has no direct relationship with the individual employees and jobseekers whose personal data it processes on behalf of our customers. Individuals applying for jobs with employers that are JazzHR customers have an account set up under their email address that associates all applications for that individual with that email address. The individual can access their account at the Site and transmit requests to the employers to correct, amend, or delete inaccurate data in an application. The employer is responsible for complying with the individual’s request. If you are an employee or jobseeker and would no longer like to be contacted by an employer or employers, please contact the employer directly to resolve your concern.

Customers that have an active Master Services Agreement with JazzHR are eligible to request a Data Privacy Addendum. A copy of the JazzHR Data Privacy Addendum can be requested by contacting Customer Support or Sales.

Standard Contractual Clauses (SCC)

For Customers with data processing requirements for EU (European Union) residents, JazzHR also has available the Standard Contractual Clauses (SCC) as approved by the European Commission following the invalidation of the Privacy Shield by the EU, to ensure that as a data processor, JazzHR has the appropriate safeguards to protect personal data transferred to JazzHR and its third-party providers in the United States of America.

Privacy Shield

For personal information that is received that originates in the European Union, JazzHR has certified its compliance with the EU-U.S. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union countries. JazzHR will adhere to all Privacy Shield Principles when transferring and processing personal information from the EU to the U.S. To verify JazzHR’s participation in the EU-U.S. Privacy Shield program, please visit: www.privacyshield.gov.

Customer Security Reviews & Assessments

JazzHR aims to operate in a transparent manner and strives to provide assurance about its security posture by supporting customers’ vendor due diligence processes. If your organization would like to conduct a security review or assessment, you may submit your security questionnaire or third-party vendor assessment to our Employ Security team for review by contacting Customer Support or Sales.

JazzHR Data Security

Data Encryption (In Transit and At Rest)

All customer information, including Personally Identifiable Information (PII), that is transmitted between external networks (i.e., a user’s internet browser or third-party APIs) and the JazzHR Platform is carried exclusively over HTTPS connections encrypted with Transport Layer Security (TLS). JazzHR supports the latest open source and commercial internet browsers (i.e., Google Chrome, Apple Safari, Microsoft Edge, and Mozilla Firefox), which support secure cipher suites to encrypt all traffic in transit, including use of the TLS 1.2 transport level encryption protocol.

All customer information, including Personally Identifiable Information (PII) stored in JazzHR’s service delivery environment, is protected using AES-256-bit encryption.

Key Management

JazzHR uses AWS (Amazon Web Services) Key Management Service (KMS) to manage the creation and lifecycle of private encryption keys and enables the JazzHR APIs to leverage those keys to perform encryption, decryption and re‐encryption operations on customer‐provided data as needed.

Data Retention

JazzHR’s data retention period for the JazzHR Platform is a rolling 6 months for application logs and system logs. Customer data in the JazzHR Platform is stored for the duration of the service contract.

Data Deletion

The JazzHR Platform provides built-in product functionality for customers to perform delete operations on-the-fly. These tools allow customers to comply with their regulatory obligations independent of JazzHR. Deletion means removing all customer personal data such that it cannot be recovered or reconstructed from JazzHR databases, systems, or another repository. JazzHR does not delete customer data or configure customer retention policies during an active service term. JazzHR initiates the deletion of all customer data from the production systems six months following contract termination or trial expiration if not requested in advance by the customer. Customer data will be held in encrypted backups for an additional six months after deletion from the production environment. The JazzHR engineering and operations team performs the data deletion. JazzHR can notify the customer that its data deletion is complete upon request.

JazzHR’s Multi-Tenant Environment

The JazzHR Platform is a Software-As-A-Service (SaaS) platform based on a multi-tenant architecture that logically separates customer data through access control based on company, users, and roles. Our application has extensive access control lists (ACL), role-based access control (RBAC), authentication, and authorization mechanisms that allow data access for authorized users only. All customer accounts are assigned a primary key for accessing data or services. The primary key is used in combination with the user ID to create a unique GUID which allows access only to services and data that match the customer/user GUID.
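The tenant-scoping scheme described above (customer primary key combined with user ID, data returned only when the tenant matches), as an added illustration that is not JazzHR’s own code: the namespace UUID, record layout, role table and sample candidates are all constructed for the example. The point it shows is that a record lookup must be keyed on the tenant as well as the record ID, so a record ID guessed from another tenant yields nothing rather than another customer’s data.

```python
"""Tenant-scoped data access check (illustrative, not JazzHR's implementation)."""
import uuid
from dataclasses import dataclass
from typing import Optional

# Constructed namespace for deriving scope GUIDs; a deployment would pick its own fixed value.
SCOPE_NAMESPACE = uuid.UUID("00000000-0000-0000-0000-000000000001")

# Constructed role table: which operations each role may perform on candidate records.
ROLE_PERMISSIONS = {"recruiter": {"read"}, "admin": {"read", "delete"}}


@dataclass(frozen=True)
class Session:
    customer_key: str  # the customer account's primary key
    user_id: str
    role: str

    @property
    def scope_guid(self) -> uuid.UUID:
        # Deterministic GUID derived from the customer key and the user ID, so two
        # users of the same customer get different scopes and the same user of two
        # different customers gets different scopes.
        return uuid.uuid5(SCOPE_NAMESPACE, f"{self.customer_key}:{self.user_id}")


@dataclass(frozen=True)
class Candidate:
    record_id: int
    customer_key: str  # tenant that owns this record
    name: str


# Constructed sample data: two tenants sharing one logical table.
CANDIDATES = [
    Candidate(1, "cust-A", "Alice Applicant"),
    Candidate(2, "cust-B", "Bob Applicant"),
]


class AccessDenied(Exception):
    """Raised when the session's role does not permit the requested operation."""


def get_candidate(session: Session, record_id: int) -> Optional[Candidate]:
    """Fetch a candidate by (tenant, record_id), never by record_id alone.

    A record belonging to another tenant is reported as not found rather than
    forbidden, so the lookup does not leak whether the ID exists elsewhere.
    """
    if "read" not in ROLE_PERMISSIONS.get(session.role, set()):
        raise AccessDenied(f"role {session.role!r} may not read candidates")
    for candidate in CANDIDATES:
        if candidate.record_id == record_id and candidate.customer_key == session.customer_key:
            return candidate
    return None


def delete_candidate(session: Session, record_id: int) -> bool:
    """Delete within the caller's tenant only; returns True if a record was removed."""
    if "delete" not in ROLE_PERMISSIONS.get(session.role, set()):
        raise AccessDenied(f"role {session.role!r} may not delete candidates")
    target = get_candidate(session, record_id)
    if target is None:
        return False
    CANDIDATES.remove(target)
    return True
```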

JazzHR Infrastructure and Network Security

Cloud Hosting Platforms

JazzHR uses Amazon Web Services (AWS) as its cloud hosting provider for the JazzHR Platform. AWS is architected to be the most flexible and secure cloud computing environment available today – providing a broad set of global cloud-based services including compute, storage, databases, analytics, networking, developer tools, management tools, security, and enterprise applications. AWS core infrastructure is built to satisfy the security requirements for the military, global banks, and other high-sensitivity organizations. This is currently backed by a deep set of cloud security tools, with over 230 security, compliance, and governance services and features. AWS currently supports over 90 security standards and compliance certifications. For more information on AWS certifications, please visit https://aws.amazon.com/artifact/.

Physical Security

JazzHR uses Amazon Web Services (AWS) – US-East1, US-East2 and US-West2 regions. JazzHR does not have physical access to the AWS data centers. For more information on AWS data centers, please visit https://aws.amazon.com/compliance/data-center/.

For our corporate offices – where employees work, access into the building and offices is controlled using electronic access control cards and video surveillance monitoring. All visitors are validated with proper identification for sign-in and must wear a visitor identity badge.

Logical Access Control

JazzHR maintains access control policies consistent with best practices. Access to corporate systems used to support JazzHR customers is required for the customer support teams to troubleshoot and resolve customer issues that are communicated via the support channels. Technical team members require access to resolve escalated customer issues and provide technical support for the environment. The level of access is dependent on the role and responsibilities associated with an internal function and is granted using a role-based access control model.

Intrusion Detection and Prevention

JazzHR’s Security Operations Center (SOC) monitors (24×7×365) network, application, and system logs. The SOC team is responsible for communicating all automated alerts/alarms for security-related events and incidents in a timely manner. JazzHR uses the AWS GuardDuty managed threat detection service, which monitors for unusual activity and alerts our 7×24 Security Operations Center. JazzHR’s production application is hosted in Amazon Web Services with load balancing to help detect and automatically mitigate certain network-based attacks, such as DDoS. Our VPC contains auto-scaling instances to help distribute the attack load and reduce the impact to services.

Remote Access

Only authorized JazzHR employees can access the production JazzHR Platform via restricted bastion hosts with a secure VPN session authorized successfully using multi-factor authentication. We log all access to all accounts by IP address and monitor access logs for unusual activity via our 7×24 Security Operations Center.

JazzHR Business Continuity and Disaster Recovery

High Availability

The JazzHR Platform is used in AWS US‐EAST region, where the data center is in Virginia, US (United States). The US‐East Region consists of five (5) Availability Zones (AZ), and JazzHR’s platform uses four (4) of those available zones. JazzHR utilizes an N+1 configuration – using load balancers across the web, application, resource server and database tiers. All database architectures are in a primary-secondary architecture to provide the highest availability and performance.

Disaster Recovery

All customer data in the production JazzHR Platform is backed up via weekly full instance/system images, daily backups, and DB transaction log backups every 15 minutes. All backup files are stored in Amazon S3 Storage, encrypted prior to backup, encrypted at rest, with access logging enabled. Backups are test restored during the monthly maintenance window.

Data Backup and Recovery

JazzHR performs a daily backup of all customer data where all backup data is stored encrypted in Amazon S3 using AES-256 encryption. JazzHR tests its data recovery process every quarter. RPO (Recovery Point Objective) is 24 hours. RTO (Recovery Time Objectives) is less than 1 hour for server infrastructure and less than 4 hours for database infrastructure.

Business Continuity

JazzHR performs annual tests and tabletop tests for business continuity across the various teams that provide support and service to the JazzHR Platform and its customers.

Employ Corporate Security

Information Security Policies

Employ maintains information security policies that are updated annually to stay aligned with the organization’s business and technical operations. The information security policies follow industry security frameworks and best practices from ISO 27001, NIST and PCI-DSS.

Background Checks

Employ performs various background checks such as criminal and reference checks on all new employees and contractors that are subject to approval prior to employment by Employ management.

Employee Onboarding & Offboarding

Employ follows a detailed checklist approach when onboarding new employees into the organization (providing them with the necessary access to systems to do their job and security awareness training) and offboarding employees leaving the organization (ensuring all respective accounts have been disabled within 24 hours of termination).

Security Training

All new employees receive onboarding and systems training, including environment and access control setup, formal security awareness and privacy training, security policies review, company policies review, and corporate values. In addition, all engineers receive formal security training on OWASP (Open Worldwide Application Security Project) Top 10 and software development topics focused on secure software development lifecycle process. Every year, all employees participate in the mandatory annual security awareness training. Employ uses the KnowBe4 enterprise security awareness training platform for security curriculum roll-out, tracking, and ongoing phishing campaigns.

Access Control & Multi-Factor Authentication

Employ uses access control lists and role-based access control groups to grant only authorized Employ employees access to data systems on an as-needed basis. Access to the various SaaS systems that Employ uses to manage daily activities supporting our customers is authenticated through a single sign-on system with multi-factor authentication. Access is logged and monitored for unusual activity via our 7×24 Security Operations Center.

Mobile Device Management

Care and security of mobile devices such as laptops, tablets, and smartphones, whether provided by the organization or the individual for business use, is subject to the Employ Corporate IT Mobile Device Management solution, which enables Employ to protect and secure corporate resources and data across different devices. Employ utilizes Microsoft Intune – a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). It integrates with Microsoft Office 365 and Azure Active Directory to control who has access and what they have access to, and with Azure Information Protection for data protection.

Anti-Virus / Anti-Malware Protection

Employ is responsible for protecting the organization’s infrastructure from viruses and malware by using firewalls, anti-virus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews, and malware incident management. Employ utilizes commercial enterprise endpoint protection solutions from industry leading providers such as Sophos and open-source projects such as ClamAV.

Third-Party Vendor Management

Employ reviews our third-party vendors and sub-processors annually or when there are significant changes that may impact the integration of their services with the SaaS Platform. We review our third-party vendors’ SOC 2/ISO certifications and relevant security information to ensure they are in alignment with our security practices.

JazzHR Platform Operations

Infrastructure-As-Code

JazzHR follows an Infrastructure-As-Code methodology to reduce manual administrative tasks in building, updating, and removing infrastructure. This allows JazzHR to be nimble in scaling up the infrastructure to meet application performance and uptime commitments, and makes infrastructure changes auditable and repeatable with a low rate of misconfiguration.

Software Development Lifecycle

JazzHR follows a software development lifecycle to design, develop and test high quality product features to be implemented in the JazzHR Platform. The JazzHR Product Management and Engineering teams work closely together to produce high-quality features that meet or exceed customer expectations and are completed within time and cost estimates. JazzHR follows a scrum process for delivering new features and improvements into the production JazzHR Platform.

Change Management

JazzHR follows a standard change management process using Atlassian JIRA workflows that are aligned with the JazzHR software development lifecycle and software release process. All change requests are reviewed and approved by JazzHR subject matter experts. Changes are performed in non-production environments first. Once the change has been successfully verified in the non-production environment, the change is then scheduled to be performed in the production environment during the scheduled maintenance window. JazzHR follows a scrum process where team retrospectives are performed at the end of each sprint to review operational effectiveness and quality of delivery.

Risk Management

JazzHR leverages a risk management program to identify, assess, mitigate, report, and monitor risks. The JazzHR Product and Engineering teams review and evaluate the risks identified by the Security Team at least bi-annually. The risk management program encompasses the following phases:

  • Identify – The identification phase includes listing out risks (threats and vulnerabilities) that exist in the environment. This phase provides a basis for all other risk management activities.
  • Assess – The assessment phase considers the potential impact(s) of identified risks to the business and its likelihood of occurrence and includes an evaluation of internal control effectiveness.
  • Mitigate – The mitigate phase includes putting controls, processes, and other physical and virtual safeguards in place to prevent and detect identified and assessed risks.
  • Report – The report phase results in risk reports provided to managers with the data they need to make effective business decisions and to comply with internal policies and applicable regulations.
  • Monitor – The monitor phase includes JazzHR Compliance performing monitoring activities to evaluate whether processes, initiatives, functions and/or activities are mitigating the risk as designed.

Incident Management

JazzHR follows an incident management process to restore “normal” service operations as quickly as possible, minimizing any adverse impact on business operations or our customers. JazzHR’s Security Incident Management process is formalized and defines how to properly escalate and respond to incidents.

Scheduled Maintenance Windows

JazzHR follows a standardized change management process in which maintenance of the JazzHR Platform is performed during a pre-defined maintenance window as agreed upon in the Master Service Agreement with customers. As part of our standard scheduled maintenance, we do our best to minimize downtime within the scheduled maintenance window, where servers and services are taken out of operation without impacting availability.

Uptime Monitoring

JazzHR uses various commercial and open-source tools to monitor the performance and availability of the JazzHR Platform from an infrastructure and application perspective. JazzHR maintains an average 99.9% uptime.

JazzHR Vulnerability Management Programs

Penetration Tests & Network Scans

JazzHR performs web application penetration and exploitation tests on the JazzHR Platform by using a third-party vendor called Cobalt Labs using various automated and manual testing techniques covering:

  • Authentication
  • Authorization
  • Session Management
  • Input/output Validation
  • Configuration
  • Sensitive Data Handling
  • Privilege Escalation
  • Error Handling
  • Logical Vulnerability Checks
  • Business Logic

The security team at JazzHR conducts ad-hoc Dynamic Application Security Testing (DAST) using popular tools like ZAP (Zed Attack Proxy) and Burp Suite. These tools enable the team to actively test their web applications by simulating real-world attacks, identifying vulnerabilities such as cross-site scripting, SQL injection, and more. The detected security misconfigurations or weaknesses are acted upon using industry standard risk/severity matrices and response times.

System & Application Patching

JazzHR proactively monitors various trusted sources for common vulnerabilities and exposures (CVE) to secure the operating system and application services that support the JazzHR Platform. As part of the JazzHR Risk Management process, as new vulnerabilities and exposures are discovered and announced, JazzHR follows a change management process for reviewing and rolling out system and application patches for the JazzHR Platform. All patches are tested in our testing environment prior to patching in our production environment. JazzHR also uses tools such as AWS (Amazon Web Services) Inspector to automatically assess the operating system and application services for exposure, vulnerabilities, and deviations from security best practices.

Responsible Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns with JazzHR’s Platform or services, please contact security@employinc.com.

We take all disclosures seriously. Once disclosures are received, our security team will verify the vulnerability and may contact you to further collaborate on the findings. The security team will work with our product management and engineering services team on the disclosure for resolution using our software development lifecycle and change management process.

Last updated March 15th, 2024.