Security & Privacy
Is my data safe with Teamtailor?
Security is a top priority at Teamtailor. We have a Chief Information Security Officer who is responsible for all security concerns. Our information security management system is based on industry best practices. We audit our security controls annually according to the SOC2 standard to ensure their effectiveness.
Who can access my data?
Two different groups have access to your data:
Your users: Your users (i.e. your employees, contractors and consultants) will have access to the data according to the permissions you assign. You control who has access to which functions, candidates, recruitment processes, settings, etc.
For more information on access levels and instructions for inviting users, see Invite users and select the right access | Teamtailor Support.
Our staff: A limited number of authorised Teamtailor personnel can gain access to your data. Teamtailor team members will only access your data if this is necessary for things like onboarding new customers, customer support, or troubleshooting.
Within Teamtailor, access to data is based on the principle of least privilege, which means that Teamtailor limits its personnels access rights to data to the bare minimum. To do so, we use role-based access controls, where access levels are approved and reviewed by designated system owners. In addition, our personnel are required to use unique user accounts.
Furthermore, access is revoked as part of our structured off-boarding process, which is triggered when someone leaves the company or changes roles. We enforce MFA for all access to privileged data, and we conduct regular reviews of access rights. Finally, all access to our hosting platforms is audit logged.
What's the uptime of your service?
Keeping our services up and running is a top priority for us. We are constantly evaluating and improving our infrastructure and technical solutions to reduce the risk of downtime and malfunctions.
As such, we have a historical uptime of 99.9% or higher. Take a look at our stats for previous months at status.teamtailor.com.
How is my data backed up?
We are continuously backing up our databases on filesystem level to ensure that we can quickly restore data in the event of hardware failures or data corruption.
Where is my data stored?
Teamtailor will store your data at AWS data centers in Ireland or Oregon, depending on the region you have chosen. AWS data centers are ISO 27001 certified and SOC2 compliant. Read more about AWS data center protection.
Do you encrypt my data?
All communication with the Teamtailor application and between our servers is encrypted using the industry standard HTTPS (TLS 1.2 or higher). Teamtailor uses AES-256 encryption at rest for your data. Passwords are hashed according to industry best practices.
How do you protect the Teamtailor application?
The Teamtailor development team is small and experienced. Product teams are responsible for assessing risks and implementing mitigation measures as part of their daily work.
Our code deploy pipeline includes mandatory peer review by at least two persons, static code analysis, dependency checks, and automatic unit and integration tests. Code changes will be blocked if code does not have sufficient automatic test cases, or any vulnerabilities are found in third party dependencies used by our code. Every build has its own dedicated test environment where changes are verified before the build is released. Test and production environments are fully separated and do not share any data.
We also do external penetration tests at least once per year and run weekly vulnerability scans of public-facing services.
What about your employees?
Teamtailor performs reference checks on all new employees. All new hires and contractors are required to sign a strict confidentiality agreement and to comply with policies governing the use of information and equipment.
All Teamtailor employees attend regular security awareness training.
Data protection & privacy
When handling your candidates’ and users’ personal data, we mainly do so on your behalf - acting as a so-called data processor under the GDPR.
We work hard to ensure that you remain in control of when and how this personal data is used, and of your compliance with all applicable data protection requirements, in particular by:
Your instructions - our agreement
Our standard agreement is based on the principle that we can only process your personal data in accordance with your instructions, as provided in our standard terms and conditions and Data Processing Agreement (“DPA”).
We ensure that EU/EEA-based customers’ personal data is stored mainly within the EU/EEA, and that our US-based customers’ personal data can be stored mainly within the US.
If we need to send EU/EEA-based customers’ personal data to a subcontractor outside of the EU/EEA, we enter into all relevant agreements with the data processor, such as a DPA and relevant standard contractual clauses (“SCC”). We also conduct a data transfer impact assessment, which we are happy to provide on request.
Privacy by design
When developing new product features, we always keep privacy in mind.
We also offer a range of feature specifically designed to enable your compliance with data protection laws, such as:
- Settings that allow you to collect permission to retain candidates’ personal data for different purposes and in different ways;
- Settings that allow you to renew your permissions from candidates;
- Granular data retention settings, ensuring automatic data deletion for different types of information and candidates;
- Processes for receiving and handling your recruitment-related data subject requests;
For more information, please refer to the following support articles: