Security

SOC 2 Type 2

A Service Organization Report (SOC 2 Type 2 report) is designed to evidence a service provider's internal organizational controls concerning key governance areas, including how a company safeguards customer data and how well those controls are operating over time. SOC 2 reports provide a customer with a verified external opinion that can assist them with evaluating the risks associated with procuring third-party technology services like Lever by Employ. Schellman, an independent third-party auditor, has issued Lever by Employ's SOC 2 Type 2 report.

ISO/IEC 27001

ISO/IEC 27001 is an international standard that is a testament to an organization's commitment to information security. It demonstrates that an organization has established and maintains robust information security management systems (ISMS) in line with international standards. Just like a SOC 2 Type 2 report provides valuable insights into a service provider's controls, an ISO/IEC 27001 certification attests to an organization's dedication to safeguarding sensitive information. Schellman, an independent third-party auditor, has issued Employ's ISO/IEC 27001 certificate.

Cloud Security Alliance – Consensus Assessments Initiative Questionnaire

Employ has joined the Cloud Security Alliance's (CSA) mission to promote best practice in the provision of security assurance within Cloud Computing environments by completing the Consensus Assessments Initiative Questionnaire (CAIQ). CAIQ offers an industry-recognized method to communicate which security controls exist in IaaS (Infrastructure as a service), PaaS (Platform as a service), and SaaS service provider organizations, providing security control transparency through a standardized document. The CAIQ is organized into 16 governing & operating domains divided into “control areas” within CSA's Controls Matrix structure, including:

• Application & Interface Security
• Audit Assurance & Compliance
• Business Continuity Management & Operational Resilience
• Change Control & Configuration Management
• Data Security & Information Lifecycle Management
• Datacenter Security
• Encryption & Key Management
• Governance and Risk Management
• Human Resources
• Identity & Access Management
• Infrastructure & Virtualization Security
• Interoperability & Portability
• Mobile Security
• Security Incident Management, E-Discovery & Cloud Forensics
• Supply Chain Management, Transparency and Accountability
• Threat and Vulnerability Management

Employ Security & Compliance Information Package

The Employ Security & Compliance information package includes the latest SOC 2 report, ISO 27001 certificate, information security policies, latest penetration test results and high-level architecture diagrams. This package can be requested by contacting Customer Support or Sales.

GDPR & CCPA

Lever by Employ's information security parameters comply with the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA) and are intended to support our customers' compliance with the GDPR and CCPA. As a provider of a recruitment platform, Employ (as the provider of Lever by Employ) is primarily a service provider or data processor under the GDPR and CCPA. Employ has no direct relationship with the individual employees and jobseekers whose personal data it processes on behalf of our customers.

Individuals applying for jobs with employers that are Lever by Employ customers have an account set up under their email address that associates all applications for that individual with that email address. The individual can access their account at the Site and transmit requests to the employers to correct, amend, or delete inaccurate data in an application. The employer is responsible for complying with the individual's request. If you are an employee or jobseeker and would no longer like to be contacted by an employer or employers, please contact the employer directly to resolve your concern.

Customers that have an active Master Services Agreement with Employ for Lever by Employ are eligible to request a Data Privacy Addendum. A copy of the Lever by Employ Data Privacy Addendum can be requested by contacting Customer Support or Sales.

Standard Contractual Clauses (SCC)

For Customers with data processing requirements for EU (European Union) residents, Employ also has available the Standard Contractual Clauses (SCC) as approved by the European Commission following the invalidation of the Privacy Shield by the EU (European Union), to ensure that as a data processor, Employ has the appropriate safeguards to protect personal data transferred to Employ and its third-party providers in the United States of America.

Data Privacy Framework

For personal information that is received that originates in the European Union, Employ will adhere to applicable privacy and data transfer requirements for the collection, use, transfer, and retention of personal information from European Union countries, including by using appropriate safeguards and transfer mechanisms where required. See here for Employ Inc Data Privacy Framework status: dataprivacyframework.gov/list

Customer Security Reviews & Assessments

Employ aims to operate in a transparent manner and strives to provide assurance about its security posture through supporting customer's vendor due diligence processes. If your organization would like to conduct a security review or assessment, you may submit your security questionnaire or third-party vendor assessment to our Employ Security team for review by contacting Customer Support or Sales.

Data Encryption (In Transit and At Rest)

All customer information, including Personally Identifiable Information (PII) that is transmitted between external networks (i.e., a user's internet browser or third-party APIs) and the Lever by Employ Platform is done exclusively over HTTPS transport layer security (TLS) encrypted connections. Lever by Employ supports the latest open source and commercial internet browsers (i.e., Google Chrome, Apple Safari, Microsoft Edge, and Mozilla Firefox), that supports secure cipher suites to encrypt all traffic in transit, including use of TLS 1.2 transport level encryption protocols.

All customer information, including Personally Identifiable Information (PII) stored in Lever by Employ's service delivery environment, is protected using AES-256-bit encryption.

Key Management

Lever by Employ uses AWS (Amazon Web Services) Key Management Service (KMS) to manage the creation and lifecycle of private encryption keys and enables the Lever by Employ APIs to leverage those keys to perform encryption, decryption and re-encryption operations on customer-provided data as needed.

Data Retention

Lever by Employ's data retention for the Lever by Employ Platform period is a rolling 6 months for application logs and system logs. Lever by Employ customers can configure data retention policies specific to their needs in the platform using built-in product functionality based on the geographic regions to meet varying privacy regulations. Outside of these customer-defined retention policies for personal data, customer data in the Lever by Employ Platform is stored for the duration of the service contract between the customer and Employ for Lever by Employ.

Data Deletion

The Lever by Employ Platform provides built-in product functionality for customers to delete personal data records using retention policies, as described above, or perform delete operations on-the-fly. These tools allow customers the ability to comply with their regulatory obligations independent of Employ. Employ does not delete customer data or configure customer retention policies during an active service term.

Employ initiates the deletion of all customer data from the production systems 90 days following contract termination so that such data is deleted by 45 days after contract termination. Data contained in data backups is deleted over the course of the standard cycling of data backups so that such backup data will all be deleted by 150 days following contract termination date unless otherwise directed by customer.

Deletion means removing or obliterating all customer personal data such that it cannot be recovered or reconstructed from Lever by Employ databases, systems, or other repository. Confirmation that data has been deleted is performed by the Employ engineering and operations team. Upon request, Employ shall provide written certification to the customer that it has been completed.

Lever by Employ's Multi-Tenant Environment

The Lever by Employ Platform is a Software-As-A-Service (SaaS) platform based on a multitenant architecture that logically separates customer data through access control based on company, users, and roles. Our application has extensive access control lists (ACL), role-based access control (RBAC), authentication, and authorization mechanisms that allow data access for authorized users only. All customer accounts are assigned with a primary key that relates to the ability to access data or services. The primary key is used in combination with the user ID to create a unique GUID which will allow access to only services and data that match the customer/user GUID.

Cloud Hosting Platforms

Lever by Employ uses Amazon Web Services (AWS) as its cloud hosting provider for the Lever by Employ Platform. AWS is architected to be the most flexible and secure cloud computing environment available today — providing a broad set of global cloud-based services including compute, storage, databases, analytics, networking, developer tools, management tools, security, and enterprise applications. AWS currently supports over 90 security standards and compliance certifications.

Physical Security

Lever by Employ uses Amazon Web Services (AWS) — US-West2 and EU-Central1 regions. Employ does not have physical access to the AWS data centers.

For our corporate offices — where Employ's employees work, access into the building and offices is controlled using electronic access control cards and video surveillance monitoring. All visitors are validated with proper identification for sign-in and must wear a visitor identity badge.

Logical Access Control

Employ maintains access control policies consistent with best practices. Access to corporate systems used to support Lever by Employ customers is required for the customer support teams to troubleshoot and resolve customer issues that are communicated via the support channels. Technical team members require access to resolve escalated customer issues and provide technical support for the environment. The level of access is dependent on the role and responsibilities associated with an internal function and is granted using a role-based access control model.

Intrusion Detection and Prevention

Employ's Security Operations Center (SOC) monitors network, application, and system logs. The SOC team is responsible for communicating all automated alerts/alarms for security-related events and incidents in a timely manner. Employ monitors its AWS GuardDuty service for managed threat detection service where unusual activity is monitored and alerted our 7x24 Security Operations Center. Lever by Employ's production application is hosted in Amazon Web Services with load balancing to help detect and automatically mitigate certain network-based attacks, such as DDoS. Our VPC contains auto-scaling instances to help distribute the attack load and reduce the impact to services.

Remote Access

Only authorized Employ employees can access the production Lever by Employ Platform via restricted bastion hosts with a secure VPN session authorized successfully using multi-factor authentication. We log all access to all accounts by IP address and monitor access logs for unusual activity via our 7x24 Security Operations Center.

High Availability

The Lever by Employ Platform is hosted in AWS US-West2 and EU-Central1 regions. The Lever by Employ platform is striped across multiple Availability Zones of those regions. Lever by Employ uses load balancers across the web, application, resource server and database tiers. All database architectures are in a master-slave architecture to provide the highest availability and performance.

Disaster Recovery

All customer data in the production Lever by Employ Platform is backed up via full instance/system images weekly, daily, and DB transaction log backups every 15 minutes. All backup files are stored in Amazon S3 Storage, encrypted prior to backup, encrypted at rest, with access logging enabled. Backups are test restored during the monthly maintenance window.

Data Backup and Recovery

Employ performs a daily backup of all customer data where all backup data is stored encrypted in Amazon S3 using AES-256 encryption. Employ tests its data recovery process every quarter. RPO (Recovery Point Objective) is 24 hours. RTO (Recovery Time Objectives) is less than 1 hour for server infrastructure and less than 4 hours for database infrastructure.

Business Continuity

Employ performs annual tests and tabletop tests for business continuity across the various teams that provide support and service to the Lever by Employ Platform and its customers.

Information Security Policies

Employ maintains information security policies updated annually for business and technical operations alignment for the organization. The information security policies follow industry security frameworks and best practices from SOC 2, ISO/IEC, Center for Internet Security, NIST and PCI-DSS.

Background Checks

Employ performs various background checks such as criminal and reference checks on all new employees and contractors that are subject to approval prior to employment by Employ management.

Employee Onboarding & Offboarding

Employ follows a detailed checklist approach when onboarding new employees into the organization (providing them with the necessary access to systems to do their job and security awareness training) and offboarding employees leaving the organization (ensuring all respective accounts have been disabled within 24 hours of termination).

Security Training

All new employees receive onboarding and systems training, including environment and access control setup, formal security awareness and privacy training, security policies review, company policies review, and corporate values. In addition, all engineers receive formal security training on OWASP (Open Worldwide Application Security Project) Top 10 and software development topics focused on secure software development lifecycle process.

Every year, all employees participate in the mandatory annual security awareness training. Employ uses commercial, enterprise security awareness training platforms and internal training content for security curriculum roll-out, completion tracking, and ongoing phishing simulation campaigns.

Access Control & Multi-Factor Authentication

Employ uses access control lists and role-based access control groups to allow only authorized Employ employees to data systems on an as-needed basis. Access to various SaaS systems that Employ uses to manage daily activities supporting our customers is authenticated single-sign-on system with multi-factor authentication. Access is logged and monitored for unusual activity via our 7x24 Security Operations Center.

Mobile Device Management

Care and security of mobile devices such as laptops, tablets, and smartphones, whether provided by the organization or the individual for business use is subject to the Employ Corporate IT Mobile Device Management solution which enables Employ to protect and secure corporate resources and data, and from different devices. Employ utilizes commercial, cloud-based mobile device management (MDM) solutions that integrate with identity and access management systems to control who has access to, and what they have access to, and to enforce data protection policies for corporate information.

Anti-Virus / Anti-Malware Protection

Employ is responsible for protecting the organization's infrastructure from virus and malware by using firewalls, anti-virus, spam filtering, software installation and scanning, vulnerability management, user awareness training, threat monitoring and alerts, technical reviews, and malware incident management. Employ utilizes a combination of commercial enterprise endpoint protection solutions and open-source anti-malware tools to support detection, prevention, and response capabilities across the environment.

Third-Party Vendor Management

Employ reviews our third-party vendors and sub-processors annually or when there are significant changes that may impact the integration of their services with the SaaS Platform. We review our third-party vendor's SOC2/ISO certifications and relevant security information to ensure they are in alignment with our security practices.

Infrastructure-As-Code

Lever by Employ follows an Infrastructure-As-Code methodology to reduce the administration of manual tasks in building, updating, and removing infrastructure. This allows Lever by Employ to be nimble in scaling up the infrastructure to meet application performance and uptime commitments and to be auditable where infrastructure changes to be repeatable with low error of misconfigurations.

Software Development Lifecycle

Lever by Employ follows a software development lifecycle to design, develop and test high quality product features to be implemented in the Lever by Employ Platform. The Lever by Employ Product Management and Engineering team work closely together to produce high-quality features that meet or exceed customer expectations, reaches completion within times and cost estimates. Lever by Employ follows a scrum process for delivering new features and improvements into the production Lever by Employ Platform.

Change Management

Lever by Employ follows a standard change management process using Atlassian JIRA workflows that are aligned with the Lever by Employ software development lifecycle and software release process. All change requests are reviewed and approved by Lever by Employ subject matter experts. Changes are performed in non-production environments first. Once the change has been successfully verified in the non-production environment, the change is then scheduled to be performed in the production environment during the scheduled maintenance window. Lever by Employ follows a scrum process where team retrospectives are performed at the end of each sprint to review operational effectiveness and quality of delivery.

Risk Management

Lever by Employ leverages a risk management program to identify, assess, mitigate, report, and monitor risks. The Lever by Employ Product and Engineering teams reviews and evaluates the risks identified by the Security Team at least bi-annually. The risk management program encompasses the following phases:

• Identify — The identification phase includes listing out risks (threats and vulnerabilities) that exist in the environment. This phase provides a basis for all other risk management activities.
• Assess — The assessment phase considers the potential impact(s) of identified risks to the business and its likelihood of occurrence and includes an evaluation of internal control effectiveness.
• Mitigate — The mitigate phase includes putting controls, processes, and other physical and virtual safeguards in place to prevent and detect identified and assessed risks.
• Report — The report phase results in risk reports provided to managers with the data they need to make effective business decisions and to comply with internal policies and applicable regulations.
• Monitor — The monitor phase includes Employ Compliance performing monitoring activities to evaluate whether processes, initiatives, functions and/or activities are mitigating the risk as designed.

Incident Management

Lever by Employ follows an incident management process to quickly restore “normal” service operations as quickly as possible, minimizing any adverse impact on business operations or our customers. Employ's Security Incident Management process is formalized and defines how to properly escalate and respond to incidents.

Scheduled Maintenance Windows

Lever by Employ follows a standardized change management process in which maintenance of the Lever by Employ Platform is performed during a pre-defined maintenance window as agreed upon in the Master Service Agreement with customers. As part of our standard scheduled maintenance, we do our best in minimizing downtime in the scheduled maintenance window where servers and services are taken out of operation without impacting availability.

Uptime Monitoring

Lever by Employ uses various commercial and open-source tools to monitor the performance and availability of the Lever by Employ Platform from an infrastructure and application perspective. Lever by Employ maintains an average 99.9% uptime. Customers can view platform status by visiting: status.lever.co

Penetration Tests & Network Scans

Lever by Employ performs web application penetration and exploitation tests on the Lever by Employ Platform by using qualified third-party security testing providers using various automated and manual testing techniques covering:

• Authentication
• Authorization
• Session Management
• Input/output Validation
• Configuration
• Sensitive Data Handling
• Privilege Escalation
• Error Handling
• Logical Vulnerability Checks
• Business Logic

The security team at Employ conducts ad-hoc Dynamic Application Security Testing (DAST) using open source and commercial-enterprise grade tools/services. These tools enable the team to actively test their web applications by simulating real-world attacks, identifying vulnerabilities such as cross-site scripting, SQL injection, and more. The detected security misconfigurations or weaknesses are acted upon using industry standard risk/severity matrixes and response times.

System & Application Patching

Lever by Employ proactively monitors various trusted sources for common vulnerabilities and exposures (CVE) for securing the operating system and application services that support the Lever by Employ Platform. As part of the Lever by Employ Risk Management process, as new vulnerabilities and exposures are discovered and announced Lever by Employ follows a change management process for reviewing and rolling-out system and application patches for the Lever by Employ Platform. All patches are tested in our testing environment prior to patching in our production environment. Lever by Employ also uses tools such as AWS (Amazon Web Services) Inspector to automatically assess the operating system and application services for exposure, vulnerabilities, and deviations from security best practices.

Responsible Vulnerability Disclosure

If you would like to report a vulnerability or have any security concerns with Lever by Employ's Platform or services, please contact security@employinc.com

We take all disclosures seriously. Once disclosures are received, our security team will verify the vulnerability and may contact you to further collaborate on the findings. The security team will work with our product management and engineering services team on the disclosure for resolution using our software development lifecycle and change management process.