Data Security Customer Information
GDPR Summary
Hiring Hub has always had a strong focus on protecting any data it collects and processes. As a UK-owned and operated business we appreciate the solidification of this through the General Data Protection Regulation (GDPR) laws that entered into effect on 25 May 2018.
Where needed, we amended our internal policies and procedures to comply with GDPR, and deleted data that we didn’t need to store. We then added further provisions to ensure the security of the data we need to keep for the purposes of the recruitment process.
In relation to our customers, Hiring Hub is both a Data Controller and a Data Processor depending on the type of data collected.
Data Controller
Hiring Hub is the Data Controller for the information we collect about our customers and visitors (Employers and Agencies), which means that we determine the “purposes and means” of the data we collect as the Controller. Some examples: their name, their email address and any other data that we collect based on the GDPR legal bases. This data is safeguarded by various policies and procedures. We have confirmed that any sub-processor outside of the EU is Privacy Shield registered.
Data Processor
Our customers (Agencies) are the Data Controllers for the data that they gather (Candidate data) and send to Hiring Hub. Hiring Hub processes that data on behalf of the Agencies, which makes us the Data Processor. When sharing data with sub-processors, we have made sure there are Data Processing Agreements (DPAs) in place that ensure they also receive and process this data in a lawful way.
Storing data
All our data is stored within the UK or Ireland and we have a back-up data centre in Frankfurt.
Protecting this data
For all data we process and store we have ensured that:
- we have a documented suite of policy documents detailing how we manage our customers’ data
- we only keep data for the time we require it and for the consented purpose. For example, candidate data is only kept in our system for 6 months after the last action.
- only trained staff have access to this data and we’ve increased our access controls (physical and technical)
- PII data is encrypted
- we test our environments and code for vulnerabilities
- our sub-processors are compliant
We updated our terms of business and privacy policy to reflect the GDPR requirements:
https://www.hiring-hub.com/termsofbusiness/
https://www.hiring-hub.com/privacypolicy/
Our sub-processors
We share certain information with companies that may be considered our “sub-processors” under GDPR. This information is currently limited to the following:
Sub-processor | Reason | Region | DPA in place | Privacy Shield Registered
--- | --- | --- | --- | ---
Amazon Web Services | Cloud infrastructure hosting and storage | EU | Yes |
Cloud 66/Linode | Cloud infrastructure and storage | EU | Yes | Yes
Cloudflare | Cloud infrastructure security | US | Yes | Yes
Google Analytics | Cloud-based user analytics | EU | Yes |
Google business suite | Cloud-based Services | EU | Yes |
PostMark | Cloud-based Email Notification Services | US | Yes | Yes
App Signal | Cloud-based application monitoring | EU | Yes |
Stripe Payment integration | Cloud-based Payment Services | US | Yes | Yes
Intercom | Cloud-based Customer Support Services | US | Yes | Yes
Hubspot | Cloud-based CRM | EU/US | Yes | Yes
ApeCues | Cloud-based User Cues | US | Yes | Yes
New processors are reviewed in full and added to our log. If you would like to be informed of new processors, we can arrange that.
Breach Reporting
All staff have read and signed the Data Protection policy and have a Privacy Standard amendment to their contracts which documents their responsibility and the steps they should take if they suspect a data breach. These state that a suspected breach should be reported to the Information Security Manager within 24 hours. The full Incident Policy can be viewed here.
Subject Access Requests
It is our intention to service DSR requests (such as delete and export) manually; to make one, contact us at [email protected].
Such a request can include the personal data of other individuals, such as your employees or customers, that you have provided to us and who have requested this of you. We will respond to these requests within 14 days, which is well within the GDPR requirement of 30 days.
If you have an account with us, you may access, correct and delete certain data through your admin account.