Security Overview

Customer data protection and security are the foundations on which TalentDesk’s products and services are built. The trust that our clients have bestowed upon us in their data is treated as our highest priority.

Our practices are based on the legal framework of the European General Data Protection Regulation (GDPR) as well as common standards and guidelines such as SOC2.

Data Protection

Data Storage

TalentDesk stores its data in Amazon Web Services (AWS) facilities in the UK and the USA.

Data Ownership

The customer is and remains the owner and controller of the data within the meaning of art. 24 EU GDPR. In particular, this means that the customer is responsible for respecting the rights of data subjects (chapter 3 of EU GDPR).

TalentDesk is the data processor and processes its customer’s data exclusively at the customer’s instruction and for the purposes laid down in the data processing agreement.

User Protection

SSO

TalentDesk support SAML-based Single Sign-on (SSO) which allows you to authenticate users in your own systems without requiring them to enter additional login credentials.

Network and Application Security

Encryption

TalentDesk.io uses 256-bit encryption for all communications between the customer browser and our front-end/back-end services using HTTPS. The use of an encrypted communication channel ensures that the service is protected against man-in-the-middle (MitM) attacks.

HTTPS also ensures the protection of the privacy and integrity of the exchanged data. The bidirectional encryption of communications between a user and the platform protects against eavesdropping and tampering with or forging the contents of the communication.

In practice, the above provides a reasonable guarantee that a user is indeed communicating with the website they intend to communicate with (as opposed to an impostor), as well as ensuring that the contents of communications between the user and platform cannot be read or forged by any third party.

Backups and Monitoring

To ensure data consistency/integrity our system performs daily automated backups of our database via the Amazon Relational Database Service (RDS) (available for review).

Moreover, our platform guarantees high availability by utilizing a Master-Slave replication scheme.

Application events produce audit logs for all activities which are reviewed for suspicious activity.

Firewall, DDoS

On the infrastructure level, TalentDesk.io leverages advanced protection mechanisms provided by Amazon Web Services (AWS). The AWS Web Application Firewall (AWS WAF) protects TalentDesk.io from common web exploits that could potentially affect application availability, compromise security or consume excessive resources. Moreover, the AWS Shield which is a managed Distributed Denial of Service (DDoS) protection service safeguards the platform in order to minimize downtime and promote high availability.

Authentication & Authorization

On the application level, security is our number one priority when it comes to accessing and exchanging information. In TalentDesk.io we utilize JSON Web Tokens (JWT) which is an open standard that defines a compact and self-contained way for securely transmitting information between parties. This information can be verified and trusted because it is digitally signed using a secret (with the HMAC algorithm). Moreover, special care is taken against common attacks like Cross-site request forgery (CSRF), Cross-site scripting (XSS) and SQL injection.

Virtual Private Cloud

All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorized requests from getting to our internal network.

Pentest and Vulnerability Scanning

We use third-party security tools to continuously monitor for vulnerabilities in our application and infrastructure stack. Our SRE team responds around the clock to any reported issues.

Secure Development

All development is performed by our in-house development team who are trained and follow the best practices to ensure the highest level of security in our application codebase.

All code is peer reviewed before it can be merged and deployed into production. We have a continual revision of our dependency packages to ensure they are patched for any security vulnerabilities. We use Static and Dynamic Application Security Testing to detect basic security vulnerabilities in our codebase and applications.

Business Continuity and Disaster Recovery

TalentDesk performs backups of all critical assets and carries out regular system restore tests to ensure that our disaster recovery procedure is accurate and total. All data backups are encrypted and stored in a secure location.

Team

We follow strict internal procedures that prevent our team from accessing customer data. Database access is restricted to instances of technical support and access is limited by the required support time window. 

Our employees sign a Non-Disclosure and Confidentiality Agreement to protect our customer’s sensitive information.

Last updated: November 01, 2022