Information Security and Privacy Statement

TapRecruit is committed to protecting the confidentiality of information provided by its clients. We maintain an information security program that has implemented administrative, technical, and physical safeguards in order to reasonably and appropriately ensure confidentiality, integrity, and availability of our client information. 

Given that we’re a SaaS-based service, we understand that technology and risk change over time. Therefore, we conduct risk assessments and continually evaluate, modify, and adjust our security procedures, policies, and standards, while ensuring that everything we do matches our documented processes.

TapRecruit’s Chief Information Security Officer is responsible for all security strategy, policy development, enforcement, training, and maintaining a security-minded culture. Our CISO is also responsible for revisions and testing of our incident response process and procedures. Additionally, we assess our third parties (supply chain) to ensure they meet our strict data privacy and compliance standards. 

TapRecruit’s Information Security program has been designed around industry best practices and industry frameworks (NIST, ISO 27000 series), which enables our organization to comply with the federal and state laws and regulations related to its business and services, including but not limited to GDPR and CCPA.

Our approach to information security is based on the following key principles: 

TapRecruit Information Security Culture 

It all starts with our people. At TapRecruit, our employees and contractors all recognize that protecting company and client information is everyone’s responsibility. One of the benefits of being a small organization is that new information, changes to policies or procedures, emerging external threats, or new tools can be communicated, implemented, and trained on quickly.

Physical Security Standards 

Our servers are hosted on Amazon Web Services (AWS), which provides robust physical data security and environmental controls.

Employee computers come pre-installed with enterprise-level security and device management software. Computer hard drives are encrypted, and all recycled/decommissioned hardware and media are sanitized. 

Data Encryption 

All customer data is encrypted at rest and in transit throughout the information lifecycle. Our databases and server hard drives use AES-256 for encryption at rest. All customer and API access over the public internet is encrypted with SSL/HTTPS. Customer data behind our firewall is encrypted in transit with TLS 1.2.

Data Privacy 

We only collect and process information that our customers provide us. Our customers own their own data. Personally identifiable information (PII) is not saved on our servers. We maintain a privacy policy, which provides information regarding our information management practices, types of information we collect, and how that information is used. 

Data Security 

Customer data is hosted in secure databases that are properly hardened and isolated from non-production environments. All access to the database is tightly controlled and locked down, with two-factor authentication implemented.

Application Security 

Our application servers are secured behind industry-standard firewalls with restricted ports. We support multiple industry-standard single sign-on (SSO) providers. Customers can designate admins who can centrally provision and de-provision users and manage role-based access permissions, either on our platform or via their Applicant Tracking System if an API-based integration is in place. Passwords are encrypted in transit and stored hashed.

Internal privileges are audited on a quarterly basis. 

We ensure that our internal network is maintained correctly with vulnerability and patch management. We use enterprise standard key management policies with regular key rotation. 

Incident Response and Disaster Recovery 

We have well-defined incident response and disaster recovery policies. We do daily backups, and backups are tested on a frequent basis, at least quarterly. 

In the event that any unauthorized access is discovered by our internal monitoring tools, TapRecruit staff will: 

  • Activate the Incident Response Plan and assemble response team members 
  • Immediately reset all relevant passwords and revoke relevant keys 
  • Notify TapRecruit’s CISO, Engineering, Product, and Customer Success teams 
  • Notify affected customers (if impacted) of the intrusion and if/how their data was compromised 
  • Conduct an assessment to identify the source of the breach 
  • Define system or process improvement tasks to avoid incidents in the future 
  • Communicate the improvement plan to affected customers (if impacted), and update them as improvements are deployed

Security, Privacy Training, and Compliance 

TapRecruit provides ongoing training for its employees and contractors on all information security policies and practices. Our training program includes acknowledgment signatures, and we track participation and attendance.

We conduct comprehensive background checks on all employees and contractors. Disciplinary measures are in place for breaches of our policies and procedures. We also ensure that onboarding and offboarding processes are followed, including granting only the least-privilege access appropriate for each person’s job function.

Contact 

If you have questions or comments regarding TapRecruit’s Information Security program, you may contact us at Security@TapRecruit.co