Data Security Customer Information

Data Security Customer Information

GDPR Summary


Hiring Hub has always had a strong focus on protecting any data it collects and processes. As a UK-owned and operated business we appreciate the solidification of this through the General Data Protection Regulation (GDPR) laws that entered into effect on 25 May 2018.

Where needed, we amended our internal policies and procedures to comply with GDPR, and deleted data that we didn’t need to store. We then added further provisions to ensure the security of the data we need to keep for the purpose for the recruitment process.

In relation to our customers, Hiring Hub is both a Data Controller and a Data Processor depending on the type of data collected.

Data Controller

Hiring Hub is the Data Controller for the information we collect about our customers and visitors (Employers and Agencies), which means that we determine the “purposes and means” of the data we collect as the Controller. Some examples: their name, their email address and any other data that we collect based on the GDPR legal bases. This data is safeguarded by various policies and procedures. We have confirmed that any sub processor outside of the EU is Privacy Shield registered.

Data Processor

Our customers (Agencies) are the Data Controllers for the data that they gather (Candidate data) and send to Hiring Hub. Hiring Hub processes that data on behalf of the Agencies, which makes us the Data Processor. When sharing data with sub processors, we have made sure there are Data Processing Agreements (DPA) in place that ensure they also receive and process this data in a lawful way.


Storing data

All our data is stored within the UK or Ireland and we have a back-up data centre in Frankfurt. 


Protecting this data

For all data we process and store we have ensured that:

  • we have a documented suite of policy documents detailing how we manage our customers data
  • we only keep data the for time we require it and for the consented purpose. For example candidate data is only keep in our system for 6 months after the last action. 
  • only trained staff have access to this data and we’ve increased our access controls (physical and technical)
  • PII data is encrypted
  • we test our environments and code for vulnerabilities
  • our sub-processors are compliant 

We updated our terms of business and privacy policy to reflect the GDPR requirements:

Our sub-processors

We share certain information with companies that may be considered our “sub-processors” under GDPR. This information is currently limited to the following:


Reason Region DPA in place Privacy Shield Registered
Amazon Web Services Cloud infrastructure hosting and storage EU Yes
Cloud 66/Linode Cloud infrastructure and storage EU Yes Yes
Cloudflare Cloud infrastructure security US Yes Yes
Google Analytics Cloud based user analytics EU Yes
Google business suite Cloud-based Services EU Yes
PostMark Cloud-based Email Notification Services US Yes Yes
App Signal Cloud-based application monitoring EU Yes
Stripe Payment integration Cloud-based Payment Services US Yes Yes
Intercom Cloud-based Customer Support Services US Yes Yes
Hubspot Cloud-based CRM EU/US Yes Yes
ApeCues Cloud-based User Cues US Yes Yes


New processors are reviewed in full and will be added to our log. If you would like to be informed of new processors we can arrange that.

Breach Reporting

All staff have read and signed the Data Protection policy and have a Privacy Standard amendment to their contracts which documents their responsibility and the steps they should take if they suspect a data breach. These state that a suspected breach should be reported to the Information Security Manager within 24 hours. The full Incident Policy can be viewed here.

Subject Access Requests

It’s our intention is to service DSR requests (such as delete and export) manually by contacting us at [email protected].

This request can include personal data of other individuals, like your employees or customers that you have provided to us and who have requested this of you. We will respond to these requests within 14 days or less, which is well within the GDPR requirement of 30 days.

If you have an account with us, you may access, correct and delete certain data through your admin account.

As featured in: