Is my data safe with Teamtailor?
Security is a top priority at Teamtailor. We have a Chief Information Security Officer who is responsible for all security concerns. Our information security management system is based on industry best practices. We audit our security controls annually according to the SOC 2 standard to ensure their effectiveness.
Who can access my data?
Two different groups have access to your data:
Your users: Your users (i.e. your employees, contractors and consultants) will have access to the data according to the permissions you assign. You control who has access to which functions, candidates, recruitment processes, settings, etc.
For more information on access levels and instructions for inviting users, see Invite users and select the right access | Teamtailor Support.
Our staff: A limited number of authorised Teamtailor personnel can gain access to your data. Teamtailor team members will only access your data if this is necessary for things like onboarding new customers, customer support, or troubleshooting.
Within Teamtailor, access to data is based on the principle of least privilege, which means that Teamtailor limits its personnel's access rights to data to the bare minimum. To do so, we use role-based access controls, where access levels are approved and reviewed by designated system owners. In addition, our personnel are required to use unique user accounts.
Furthermore, access is revoked as part of our structured off-boarding process, which is triggered when someone leaves the company or changes roles. We enforce MFA for all access to privileged data, and we conduct regular reviews of access rights. Finally, all access to our hosting platforms is audit logged.
What's the uptime of your service?
Keeping our services up and running is a top priority for us. We are constantly evaluating and improving our infrastructure and technical solutions to reduce the risk of downtime and malfunctions.
Our historical uptime is 99.9% or higher. Monthly figures for previous months are published at status.teamtailor.com.
How is my data backed up?
We are continuously backing up your data to ensure that we can quickly restore our services and all information in the event of hardware failures or data corruption. Backups are kept in separate locations from your live data.
Where is my data stored?
Teamtailor provides two fully separate production environments, located in the EU and the USA. Depending on your preference, we ensure that your data can be stored primarily within the EU/EEA or the US. Our main infrastructure and storage are hosted in AWS data centers in either Ireland or Oregon, depending on the region you select. In addition to AWS, we work with several other suppliers who may process your data, depending on the features you utilize. For more details, please refer to this list.
It's worth noting that all AWS data centers hold ISO 27001 certification and are covered by AWS's SOC 2 reports. If you'd like to learn more about the protection measures implemented in AWS data centers, you can find additional information here.
Do you encrypt my data?
All communication with the Teamtailor application, and between our own servers, is encrypted in transit using the industry standard HTTPS (TLS 1.2 or higher). Your data is encrypted at rest using AES-256. Passwords are never stored in clear text; they are hashed according to industry best practices.
How do you protect the Teamtailor application?
The Teamtailor development team is small and experienced. Product teams are responsible for assessing risks and implementing mitigation measures as part of their daily work.
Our code deploy pipeline includes mandatory peer review by at least two persons, static code analysis, dependency checks, and automatic unit and integration tests. Code changes are blocked if the code lacks sufficient automated test cases or if any known vulnerability is found in a third-party dependency used by our code. Every build has its own dedicated test environment where changes are verified before the build is released. Test and production environments are fully separated and do not share any data.
We also do external penetration tests at least once per year and run weekly vulnerability scans of public-facing services.
What about your employees?
Teamtailor performs reference checks on all new employees. All new hires and contractors are required to sign a strict confidentiality agreement and to comply with policies governing the use of information and equipment.
All Teamtailor employees attend regular security awareness training.
Data protection & privacy
Your data - your rules
When handling your candidates’ and users’ personal data, we only use it to provide you with our services, in accordance with the instructions you’ve provided us in our agreement.
We don’t sell your personal data, and we don’t share it with other companies beyond the subprocessors we need in order to deliver the service (see the subprocessor list referenced further down on this page).
Designed for global compliance
For more than five years, we have been using the requirements of the EU General Data Protection Regulation (GDPR) as the starting point for our product development.
As our service is designed for compliance with one of the strictest data protection laws in the world, it caters to most national and state data protection rules based on similar principles as the GDPR, such as:
- the UK GDPR
- the new Swiss Federal Act on Data Protection
- the California Consumer Privacy Act
Examples of our privacy by design
We offer a range of features that enable compliance with data protection laws, such as:
- Settings that allow you to collect permission to retain candidates’ personal data for different purposes and in different ways;
- Settings that allow you to renew your permissions from candidates;
- Granular data retention settings, ensuring automatic data deletion for different types of information and candidates;
- Processes for receiving and handling your recruitment-related data subject requests.
To be able to offer the safest, quickest and most high-performing version of our service, we cooperate with a number of subprocessors.
For a full overview of which these subprocessors are, what they do and where they process our customers’ data, please see this list.
We have entered into adequate contractual agreements with all of our subprocessors, corresponding to the Data Processing Agreement between Teamtailor and our customers.
When EU/EEA/UK-based customers’ personal data is transferred outside this area, or where we see a risk that it could be, we have entered into, or ensured that our subprocessor enters into, relevant standard contractual clauses. We also conduct a data transfer impact assessment, which we are happy to provide on request.
For more information, please refer to the following support articles: