Security & Compliance

Leadership

Employ’s leadership team recognizes the importance of fostering innovation built on the foundation of customer trust, which is why Employ is committed to building solutions that aim to safeguard your organization’s data. This approach to secure engineering is combined with an enterprise security program led by a dedicated team with oversight from legal and senior leadership. Employ’s security programs and practices have been independently verified against the SOC 2 and ISO 27001 frameworks. The security strategy and compliance initiatives at Employ are directed by a Vice President at Employ who is responsible for overseeing the Security and Technology teams. This leadership effort is further supported by Employ’s Director of Cybersecurity Programs, Security Engineering and Global Security Operations Center team members.

What Type of Data Do We Collect, Receive, Process and Store?

Our Lever Platform receives, processes, and stores personal information captured in resumes submitted by candidates seeking employment opportunities. For complete details about the personal information collected, received, processed, and stored, please visit our privacy site at https://www.employinc.com/privacy/. Lever also stores information about your organization’s job opportunities posted online and other workforce program information used to administer recruiting activities on the Lever Platform.

Employ is committed to educating our customers, prospects, applicants, candidates, and the general market about our efforts in the artificial intelligence (AI) and machine learning (ML) space. The industry is moving in the direction of more automation driven by AI and ML, resulting in increased activity that is guided and/or executed based on pre-defined workflows and data models. This advancement will provide significant productivity increases, allowing customers to create and build relationships with many more individuals in each phase of the sourcing, recruiting, hiring, and onboarding journey.

Lever Assurance & Privacy Programs

SOC 2 Type 2

A Service Organization Report (SOC 2 Type 2 report) is designed to evidence a service provider’s internal organizational controls concerning key governance areas, including how a company safeguards customer data and how well those controls are operating over time. SOC 2 reports provide a customer with a verified external opinion that can assist them with evaluating the risks associated with procuring third-party technology services like Lever. Schellman, an independent third-party auditor, has issued Lever’s SOC 2 Type 2 report.

ISO/IEC 27001

ISO/IEC 27001 is an international standard that is a testament to an organization’s commitment to information security. It demonstrates that an organization has established and maintains robust information security management systems (ISMS) in line with international standards. Just like a SOC 2 Type 2 report provides valuable insights into a service provider’s controls, an ISO/IEC 27001 certification attests to an organization’s dedication to safeguarding sensitive information. Schellman, an independent third-party auditor, has issued Employ’s ISO/IEC 27001 certificate.

Cloud Security Alliance – Consensus Assessments Initiative Questionnaire

Employ has joined the Cloud Security Alliance’s (CSA) mission to promote best practice in the provision of security assurance within Cloud Computing environments by completing the Consensus Assessments Initiative Questionnaire (CAIQ). CAIQ offers an industry-recognized method to communicate which security controls exist in IaaS (Infrastructure as a service), PaaS (Platform as a service), and SaaS service provider organizations, providing security control transparency through a standardized document. The CAIQ is organized into 16 governing & operating domains divided into “control areas” within CSA’s Controls Matrix structure, including:

  • Application & Interface Security
  • Audit Assurance & Compliance
  • Business Continuity Management & Operational Resilience
  • Change Control & Configuration Management
  • Data Security & Information Lifecycle Management
  • Datacenter Security
  • Encryption & Key Management
  • Governance and Risk Management
  • Human Resources
  • Identity & Access Management
  • Infrastructure & Virtualization Security
  • Interoperability & Portability
  • Mobile Security
  • Security Incident Management, E-Discovery & Cloud Forensics
  • Supply Chain Management, Transparency and Accountability
  • Threat and Vulnerability Management

The CAIQ is reviewed and updated monthly as part of our continuous improvement in security.

Lever Security & Compliance Information Package

The Lever Security & Compliance information package includes the latest SOC 2 report, ISO 27001 certificate, information security policies, latest penetration test results and high-level architecture diagrams. This package can be requested by contacting Customer Support or Sales.

GDPR & CCPA

Lever’s information security parameters comply with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) and are intended to support our customers’ compliance with the GDPR and CCPA. As a provider of a recruitment platform, Lever is primarily a service provider or data processor under the GDPR and CCPA. Lever has no direct relationship with the individual employees and jobseekers whose personal data it processes on behalf of our customers. Individuals applying for jobs with employers that are Lever customers have an account set up under their email address that associates all applications for that individual with that email address. The individual can access their account at the Site and transmit requests to the employers to correct, amend, or delete inaccurate data in an application. The employer is responsible for complying with the individual’s request. If you are an employee or jobseeker and would no longer like to be contacted by an employer or employers, please contact the employer directly to resolve your concern.

Customers that have an active Master Services Agreement with Lever are eligible to request a Data Privacy Addendum. A copy of the Lever Data Privacy Addendum can be requested by contacting Customer Support or Sales.

Standard Contractual Clauses (SCC)

For Customers with data processing requirements for European Union (EU) residents, Lever also has available the Standard Contractual Clauses (SCC) as approved by the European Commission following the invalidation of the Privacy Shield by the EU, to ensure that as a data processor, Lever has the appropriate safeguards to protect personal data transferred to Lever and its third-party providers in the United States of America.

Privacy Shield

For personal information that is received that originates in the European Union, Lever has certified its compliance with the EU-U.S. Privacy Shield framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information from European Union countries. Lever will adhere to all Privacy Shield Principles when transferring and processing personal information from the EU to the U.S. To verify Lever’s participation in the EU-U.S. Privacy Shield program, please visit: www.privacyshield.gov.

Customer Security Reviews & Assessments

Lever aims to operate in a transparent manner and strives to provide assurance about its security posture by supporting customers’ vendor due diligence processes. If your organization would like to conduct a security review or assessment, you may submit your security questionnaire or third-party vendor assessment to our Employ Security team for review by contacting Customer Support or Sales.

Lever Data Security

Data Encryption (In Transit and At Rest)

All customer information, including Personally Identifiable Information (PII), that is transmitted between external networks (e.g., a user’s internet browser or third-party APIs) and the Lever Platform is sent exclusively over HTTPS connections encrypted with Transport Layer Security (TLS). Lever supports the latest open source and commercial internet browsers (e.g., Google Chrome, Apple Safari, Microsoft Edge, and Mozilla Firefox) that support secure cipher suites to encrypt all traffic in transit, including the use of the TLS 1.2 transport-level encryption protocol.

All customer information, including Personally Identifiable Information (PII) stored in Lever’s service delivery environment, is protected using AES-256-bit encryption.

Key Management

Lever uses AWS (Amazon Web Services) Key Management Service (KMS) to manage the creation and lifecycle of private encryption keys and enables the Lever APIs to leverage those keys to perform encryption, decryption and re‐encryption operations on customer‐provided data as needed.

Data Retention

Lever’s retention period for application logs and system logs on the Lever Platform is a rolling 6 months. Lever customers can configure data retention policies specific to their needs in the platform using built-in product functionality, based on geographic region, to meet varying privacy regulations. Outside of these customer-defined retention policies for personal data, customer data in the Lever Platform is stored for the duration of the service contract between the customer and Lever.

Data Deletion

The Lever Platform provides built-in product functionality for customers to delete personal data records using retention policies, as described above, or to perform delete operations on the fly. These tools give customers the ability to comply with their regulatory obligations independently of Lever. Lever does not delete customer data or configure customer retention policies during an active service term. Lever initiates the deletion of all customer data from the production systems 90 days following contract termination so that such data is deleted by 45 days after contract termination. Data contained in data backups is deleted over the course of the standard cycling of data backups so that such backup data will all be deleted by 150 days following the contract termination date unless otherwise directed by the customer. Deletion means removing or obliterating all customer personal data such that it cannot be recovered or reconstructed from Lever databases, systems, or other repositories. Confirmation that data has been deleted is performed by the Lever engineering and operations team. Upon request, Lever shall provide written certification to the customer that deletion has been completed.

Lever’s Multi-Tenant Environment

The Lever Platform is a Software-as-a-Service (SaaS) platform based on a multi-tenant architecture that logically separates customer data through access control based on company, users, and roles. Our application has extensive access control lists (ACL), role-based access control (RBAC), authentication, and authorization mechanisms that allow data access for authorized users only. All customer accounts are assigned a primary key that governs the ability to access data or services. The primary key is used in combination with the user ID to create a unique GUID, which allows access only to services and data that match the customer/user GUID.
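The tenant-scoping idea above, modelled as an added illustrative example (not Lever’s code): the customer’s primary key is assumed to be a tenant key string, the per-user GUID is derived with uuid5, and every stored record carries its tenant key so that each read or delete is checked against the caller’s tenant as well as the caller’s role.

```python
import uuid
from dataclasses import dataclass

# Constructed, fixed namespace so the derived GUID is stable across processes.
ACCESS_NAMESPACE = uuid.UUID("12345678-1234-5678-1234-567812345678")

# Minimal RBAC table: role -> permitted operations (assumed roles, not Lever's).
ROLE_PERMISSIONS = {
    "admin": {"read", "write", "delete"},
    "recruiter": {"read", "write"},
    "viewer": {"read"},
}


def access_guid(tenant_key: str, user_id: str) -> str:
    """Combine the customer's primary key with the user ID into one GUID."""
    return str(uuid.uuid5(ACCESS_NAMESPACE, f"{tenant_key}:{user_id}"))


@dataclass(frozen=True)
class Record:
    record_id: str
    tenant_key: str  # the customer this record belongs to
    body: str


class TenantStore:
    """In-memory store where every operation is scoped by the caller's tenant."""

    def __init__(self):
        self._records = {}  # record_id -> Record
        self._roles = {}    # access GUID -> role held within that tenant

    def grant_role(self, tenant_key: str, user_id: str, role: str) -> str:
        guid = access_guid(tenant_key, user_id)
        self._roles[guid] = role
        return guid

    def _authorize(self, tenant_key: str, user_id: str, op: str) -> None:
        # The GUID binds a role to one (tenant, user) pair, so the same user id
        # registered under another tenant cannot reuse that tenant's role here.
        role = self._roles.get(access_guid(tenant_key, user_id))
        if role is None or op not in ROLE_PERMISSIONS.get(role, set()):
            raise PermissionError("not permitted")

    def put(self, tenant_key: str, user_id: str, record_id: str, body: str) -> None:
        self._authorize(tenant_key, user_id, "write")
        self._records[record_id] = Record(record_id, tenant_key, body)

    def get(self, tenant_key: str, user_id: str, record_id: str) -> Record:
        self._authorize(tenant_key, user_id, "read")
        rec = self._records.get(record_id)
        # Fail closed with one indistinguishable error for "missing" and
        # "owned by another tenant", so ids from other tenants cannot be probed.
        if rec is None or rec.tenant_key != tenant_key:
            raise PermissionError("not found")
        return rec

    def delete(self, tenant_key: str, user_id: str, record_id: str) -> bool:
        self._authorize(tenant_key, user_id, "delete")
        rec = self._records.get(record_id)
        if rec is None or rec.tenant_key != tenant_key:
            return False  # never deletes across the tenant boundary
        del self._records[record_id]
        return True


def demo() -> dict:
    """Constructed scenario: two customers (tenants) sharing one store."""
    store = TenantStore()
    store.grant_role("acme", "u1", "admin")
    store.grant_role("globex", "u1", "viewer")  # same user id, other tenant
    store.put("acme", "u1", "cand-1", "resume text")
    results = {"same_tenant": store.get("acme", "u1", "cand-1").body}
    try:
        store.get("globex", "u1", "cand-1")
        results["cross_tenant"] = "allowed"
    except PermissionError:
        results["cross_tenant"] = "denied"
    return results
```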

Lever Infrastructure and Network Security

Cloud Hosting Platforms

Lever uses Amazon Web Services (AWS) as its cloud hosting provider for the Lever Platform. AWS is architected to be the most flexible and secure cloud computing environment available today – providing a broad set of global cloud-based services including compute, storage, databases, analytics, networking, developer tools, management tools, security, and enterprise applications. AWS core infrastructure is built to satisfy the security requirements for the military, global banks, and other high-sensitivity organizations. This is currently backed by a deep set of cloud security tools, with over 230 security, compliance, and governance services and features. AWS currently supports over 90 security standards and compliance certifications. For more information on AWS certifications, please visit https://aws.amazon.com/artifact/.

Physical Security

Lever uses Amazon Web Services (AWS) – US-West2 and EU-Central1 regions. Lever does not have physical access to the AWS data centers. For more information on AWS data centers, please visit https://aws.amazon.com/compliance/data-center/.

For our corporate offices – where employees work, access into the building and offices is controlled using electronic access control cards and video surveillance monitoring. All visitors are validated with proper identification for sign-in and must wear a visitor identity badge.

Logical Access Control

Lever maintains access control policies consistent with best practices. Access to corporate systems used to support Lever customers is required for the customer support teams to troubleshoot and resolve customer issues that are communicated via the support channels. Technical team members require access to resolve escalated customer issues and provide technical support for the environment. The level of access is dependent on the role and responsibilities associated with an internal function and is granted using a role-based access control model.

Intrusion Detection and Prevention

Lever’s Security Operations Center (SOC) monitors network, application, and system logs 24x7x365. The SOC team is responsible for communicating all automated alerts/alarms for security-related events and incidents in a timely manner. Lever uses the AWS GuardDuty managed threat detection service, which monitors for unusual activity and alerts our 24x7 Security Operations Center. Lever’s production application is hosted in Amazon Web Services with load balancing to help detect and automatically mitigate certain network-based attacks, such as DDoS. Our VPC contains auto-scaling instances to help distribute the attack load and reduce the impact to services.

Remote Access

Only authorized Lever employees can access the production Lever Platform, via restricted bastion hosts over a secure VPN session that has been authorized using multi-factor authentication. We log all access to all accounts by IP address and monitor access logs for unusual activity via our 24x7 Security Operations Center.

Lever Business Continuity and Disaster Recovery

High Availability

The Lever Platform is hosted in the AWS us-west-2 (Oregon, US) and eu-central-1 (Frankfurt, Germany) regions. The Lever Platform is striped across multiple Availability Zones of those regions. Lever uses load balancers across the web, application, resource server and database tiers. Lever’s databases ensure continuous availability and protection against data loss through a robust replica set or Primary-Replica architecture.

Disaster Recovery

All customer data in the production Lever Platform is backed up via full instance/system images taken weekly and daily, with database transaction log backups every 15 minutes. All backup files are stored in Amazon S3 storage, encrypted prior to backup, encrypted at rest, and with access logging enabled. Backups are test-restored during the monthly maintenance window.

Data Backup and Recovery

Lever performs a daily backup of all customer data, and all backup data is stored encrypted in Amazon S3 using AES-256 encryption. Lever tests its data recovery process every quarter. The RPO (Recovery Point Objective) is 24 hours. The RTO (Recovery Time Objective) is less than 1 hour for server infrastructure and less than 4 hours for database infrastructure.

Business Continuity

Lever performs annual tests and tabletop tests for business continuity across the various teams that provide support and service to the Lever Platform and its customers.

Employ Corporate Security

Information Security Policies

Employ maintains information security policies, updated annually, to keep business and technical operations aligned across the organization. The information security policies follow industry security frameworks and best practices from ISO 27001, NIST and PCI-DSS.

Background Checks

Employ performs various background checks, such as criminal and reference checks, on all new employees and contractors; the results are subject to approval by Employ management prior to employment.

Employee Onboarding & Offboarding

Employ follows a detailed checklist approach when onboarding new employees into the organization (providing them with the necessary access to systems to do their job and security awareness training) and offboarding employees leaving the organization (ensuring all respective accounts have been disabled within 24 hours of termination).

Security Training

All new employees receive onboarding and systems training, including environment and access control setup, formal security awareness and privacy training, security policies review, company policies review, and corporate values. In addition, all engineers receive formal security training on OWASP (Open Worldwide Application Security Project) Top 10 and software development topics focused on secure software development lifecycle process. Every year, all employees participate in the mandatory annual security awareness training. Employ uses the KnowBe4 enterprise security awareness training platform for security curriculum roll-out, tracking, and ongoing phishing campaigns.

Access Control & Multi-Factor Authentication

Employ uses access control lists and role-based access control groups to allow only authorized Employ employees access to data systems on an as-needed basis. Access to the various SaaS systems that Employ uses to manage daily activities supporting our customers is authenticated through a single sign-on system with multi-factor authentication. Access is logged and monitored for unusual activity via our 24x7 Security Operations Center.

Mobile Device Management

Care and security of mobile devices such as laptops, tablets, and smartphones, whether provided by the organization or the individual for business use, is subject to the Employ Corporate IT Mobile Device Management solution, which enables Lever to protect and secure corporate resources and data across different devices. Employ utilizes Microsoft Intune, a cloud-based service that focuses on mobile device management (MDM) and mobile application management (MAM). It integrates with Microsoft Office 365 and Azure Active Directory to control who has access and what they have access to, and with Azure Information Protection for data protection.

Anti-Virus / Anti-Malware Protection

Employ is responsible for protecting the organization’s infrastructure from viruses and malware by using firewalls, anti-virus, spam filtering, software installation controls and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews, and malware incident management. Employ utilizes commercial enterprise endpoint protection solutions from industry-leading providers such as Sophos and open-source projects such as ClamAV.

Third-Party Vendor Management

Employ reviews our third-party vendors and sub-processors annually, or when there are significant changes that may impact the integration of their services with the SaaS Platform. We review our third-party vendors’ SOC 2/ISO certifications and relevant security information to ensure they are in alignment with our security practices.

Lever Platform Operations

Infrastructure-As-Code

Lever follows an Infrastructure-as-Code methodology to reduce manual administrative tasks in building, updating, and removing infrastructure. This allows Lever to be nimble in scaling up the infrastructure to meet application performance and uptime commitments, and keeps infrastructure changes auditable and repeatable with a low rate of misconfiguration.

Software Development Lifecycle

Lever follows a software development lifecycle to design, develop and test high-quality product features to be implemented in the Lever Platform. The Lever Product Management and Engineering teams work closely together to produce high-quality features that meet or exceed customer expectations and reach completion within time and cost estimates. Lever follows a scrum process for delivering new features and improvements into the production Lever Platform.

Change Management

Lever follows a standard change management process using Atlassian JIRA workflows that are aligned with the Lever software development lifecycle and software release process. All change requests are reviewed and approved by Lever subject matter experts. Changes are performed in non-production environments first. Once the change has been successfully verified in the non-production environment, the change is then scheduled to be performed in the production environment during the scheduled maintenance window. Lever follows a scrum process where team retrospectives are performed at the end of each sprint to review operational effectiveness and quality of delivery.

Risk Management

Lever operates a risk management program to identify, assess, mitigate, report, and monitor risks. The Lever Product and Engineering teams review and evaluate the risks identified by the Security Team at least twice a year. The risk management program encompasses the following phases:

  • Identify – The identification phase includes listing out risks (threats and vulnerabilities) that exist in the environment. This phase provides a basis for all other risk management activities.
  • Assess – The assessment phase considers the potential impact(s) of identified risks to the business and its likelihood of occurrence and includes an evaluation of internal control effectiveness.
  • Mitigate – The mitigate phase includes putting controls, processes, and other physical and virtual safeguards in place to prevent and detect identified and assessed risks.
  • Report – The report phase results in risk reports provided to managers with the data they need to make effective business decisions and to comply with internal policies and applicable regulations.
  • Monitor – The monitor phase includes Lever Compliance performing monitoring activities to evaluate whether processes, initiatives, functions and/or activities are mitigating the risk as designed.

Incident Management

Lever follows an incident management process to restore “normal” service operations as quickly as possible, minimizing any adverse impact on business operations or our customers. Lever’s Security Incident Management process is formalized and defines how to properly escalate and respond to incidents.

Scheduled Maintenance Windows

Lever follows a standardized change management process in which maintenance of the Lever Platform is performed during a pre-defined maintenance window as agreed upon in the Master Service Agreement with customers. As part of our standard scheduled maintenance, we do our best to minimize downtime within the scheduled maintenance window, taking servers and services out of operation without impacting availability.

Uptime Monitoring

Lever uses various commercial and open-source tools to monitor the performance and availability of the Lever Platform from an infrastructure and application perspective. Lever maintains an average 99.9% uptime. Customers can view platform status by visiting: http://status.lever.co

Lever Vulnerability Management Programs

Penetration Tests & Network Scans

Lever performs web application penetration and exploitation tests on the Lever Platform through a third-party vendor, Cobalt Labs, using various automated and manual testing techniques covering:

  • Authentication
  • Authorization
  • Session Management
  • Input/output Validation
  • Configuration
  • Sensitive Data Handling
  • Privilege Escalation
  • Error Handling
  • Logical Vulnerability Checks
  • Business Logic

The security team at Lever conducts ad-hoc Dynamic Application Security Testing (DAST) using popular tools like ZAP (Zed Attack Proxy) and Burp Suite. These tools enable the team to actively test its web applications by simulating real-world attacks, identifying vulnerabilities such as cross-site scripting, SQL injection, and more. Detected security misconfigurations or weaknesses are acted upon using industry-standard risk/severity matrices and response times.

System & Application Patching

Lever proactively monitors various trusted sources for common vulnerabilities and exposures (CVE) to secure the operating system and application services that support the Lever Platform. As part of the Lever Risk Management process, as new vulnerabilities and exposures are discovered and announced, Lever follows a change management process for reviewing and rolling out system and application patches for the Lever Platform. All patches are tested in our testing environment prior to patching in our production environment. Lever also uses tools such as AWS (Amazon Web Services) Inspector to automatically assess the operating system and application services for exposure, vulnerabilities, and deviations from security best practices.

Responsible Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns with Lever’s Platform or services, please contact security@employinc.com.

We take all disclosures seriously. Once disclosures are received, our security team will verify the vulnerability and may contact you to further collaborate on the findings. The security team will work with our product management and engineering services team on the disclosure for resolution using our software development lifecycle and change management process.