Survale Data Security

Audited Annually to Meet or Exceed the Highest Standards

Data Privacy

Survale is audited annually to meet SOC 2 data security standards and to confirm for our clients that we have effectively executed against our security controls and procedures. We hold our sub-processors to these same standards and audit them annually as well. Our SOC 2 audit attestations are available to our clients by contacting security@survale.com.

The Survale system uses personally identifiable candidate and employee data (PII) to provide automated talent experience feedback and analytics. Survale does not use or collect any sensitive data such as health or payment information. In fact, the data Survale requires from clients is low-level PII: name, email and mobile phone number (for clients choosing to collect feedback via SMS).

GDPR

Survale uses data centers within the EU so that our clients can keep their data local. In addition, we incorporate GDPR Standard Clauses into our agreements to govern the handling of that data, whether or not any cross-border data transfers are desired.

The Survale system has a number of UI-level tools for handling tasks such as data subject deletion or pseudonymization, either manually or automatically. A full description of our GDPR compliance measures is available to clients upon request.

Below is a general description of the measures we take to secure PII for our clients.

General Description of Security Measures

Measures of pseudonymization and encryption of Personal Data

For the purpose of transfer control, encryption technology is used (e.g. remote access via a two-factor VPN tunnel and full-disk encryption). The suitability of an encryption technology is measured against its protective purpose. The Controller is assigned a unique encryption key, generated using a FIPS 140-2 compliant crypto library, which is used to encrypt and decrypt all of the Controller’s archived data. In addition to the encryption key, all data written to the storage grid includes the Controller’s unique account ID. Survale’s systems that write data to the storage grid retrieve the encryption key from one system and the customer code from another, which serves as a cross-check across two independent systems. The encryption key is itself encrypted with a Survale master key stored within a centralized and restricted key management system. In order for Survale to access Personal Data via the master key, the key management system provisions keys following a strict approval process that includes multiple levels of executive authorization. Use of these master encryption keys is limited to senior production engineers, and all access is logged and monitored by the CTO. The Controller’s archived data is encrypted at rest using AES 256-bit encryption. Data in transit is protected by Transport Layer Security (“TLS”).
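The key layout described above (one data key per Controller, wrapped by a master key held in a restricted key management system, with the account ID carried alongside the data as a cross-check between two independent systems) is an envelope-encryption pattern. The following Go program is an added illustration of that pattern and is not Survale’s code; the in-memory KMS, the TenantKeys map, the account IDs and the sample email address are all constructed for the example, and AES-256-GCM is chosen here because its associated-data input is a natural way to bind the account ID to both the wrapped key and the ciphertext (the page states AES-256 but not the mode).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KMS is a hypothetical stand-in for the restricted key management system:
// it holds the master key and only ever wraps or unwraps tenant data keys.
// The master key never leaves this struct.
type KMS struct{ master []byte }

// TenantKeys is the second, independent system: account ID -> wrapped DEK.
type TenantKeys map[string][]byte

// Record is what lands on the storage grid: the account ID travels with the
// ciphertext and is also bound to it cryptographically as GCM associated data.
type Record struct {
	AccountID  string
	Ciphertext []byte // nonce || ciphertext || tag
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-256-GCM, binding aad; a fresh random nonce is prepended.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to key, ciphertext or aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

func randomKey() ([]byte, error) {
	k := make([]byte, 32) // 256-bit key
	_, err := rand.Read(k)
	return k, err
}

func NewKMS() (*KMS, error) {
	m, err := randomKey()
	if err != nil {
		return nil, err
	}
	return &KMS{master: m}, nil
}

// ProvisionTenant creates a Controller's DEK and stores it wrapped under the
// master key, with the account ID bound as AAD so the wrap is tenant-specific.
func ProvisionTenant(kms *KMS, keys TenantKeys, accountID string) error {
	dek, err := randomKey()
	if err != nil {
		return err
	}
	wrapped, err := seal(kms.master, dek, []byte(accountID))
	if err != nil {
		return err
	}
	keys[accountID] = wrapped
	return nil
}

// tenantDEK is the cross-check: the wrapped key comes from TenantKeys, the
// master key from the KMS, and both must agree on the account ID to unwrap.
func tenantDEK(kms *KMS, keys TenantKeys, accountID string) ([]byte, error) {
	wrapped, ok := keys[accountID]
	if !ok {
		return nil, fmt.Errorf("no key provisioned for %s", accountID)
	}
	return open(kms.master, wrapped, []byte(accountID))
}

func EncryptRecord(kms *KMS, keys TenantKeys, accountID string, plaintext []byte) (Record, error) {
	dek, err := tenantDEK(kms, keys, accountID)
	if err != nil {
		return Record{}, err
	}
	ct, err := seal(dek, plaintext, []byte(accountID))
	if err != nil {
		return Record{}, err
	}
	return Record{AccountID: accountID, Ciphertext: ct}, nil
}

// DecryptRecord succeeds only when the caller's account ID selects the same DEK
// and AAD the record was written under; relabelling a record does not help.
func DecryptRecord(kms *KMS, keys TenantKeys, accountID string, r Record) ([]byte, error) {
	dek, err := tenantDEK(kms, keys, accountID)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, []byte(accountID))
}

func main() {
	kms, _ := NewKMS()
	keys := TenantKeys{}
	_ = ProvisionTenant(kms, keys, "acct-0001")
	rec, _ := EncryptRecord(kms, keys, "acct-0001", []byte("jane@example.com")) // constructed sample
	pt, err := DecryptRecord(kms, keys, "acct-0001", rec)
	fmt.Printf("own account: %q (err=%v)\n", pt, err)
}
```

Two failure cases are worth exercising: a record relabelled with another tenant’s account ID does not open under that tenant’s key, and a wrapped key copied under a different account ID fails to unwrap, because the account ID was bound into the wrap as associated data. Both mirror the "two independent systems" cross-check the measure describes.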

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

Access to the data necessary for the performance of a particular task is ensured within the systems and applications by a corresponding role and authorization concept. In accordance with the “least privilege” and “need-to-know” principles, each role has only those rights which are necessary for the fulfillment of the task to be performed by the individual person. To maintain data access control, state-of-the-art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk.

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

All of Survale’s applications can be easily recreated in different geographical regions. Data is stored across multiple data centers. The data centers can be switched in the event of flooding, earthquake, fire or other physical destruction or power outage, to protect Personal Data against accidental destruction and loss. Survale maintains redundancy throughout its IT infrastructure in order to minimize unavailability or loss of data. Backups are taken multiple times a day in accordance with our backup procedures. We maintain a disaster recovery policy and practice executing it at least once per calendar year.

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Survale conducts multiple internal audits. We strive to automate audits, so the majority of our infrastructure monitoring is automated, runs 24/7 and is based on various frameworks (CIS, NIST, etc.). We obtain an external security and compliance audit once per calendar year.

Measures for user identification and authorization

Remote access to the data processing systems is only possible for two employees, from only two IP addresses, using a VPN to reach a bastion host with authenticated security keys. All access attempts, successful and unsuccessful, are logged and monitored.

Measures for the protection of data during transmission

Data in transit is protected by Transport Layer Security (“TLS”).

Measures for the protection of data during storage

Personal Data is only retained on third-party data center servers, which are covered by AWS certifications. The Controller’s archived data is encrypted at rest using 2048-bit encryption, and data in transit is protected by Transport Layer Security (“TLS”). Controller is a virtual organization with no centralized premises and no internal network, and no data is stored or processed outside of their AWS data centers. The AWS security provisions apply as set out at https://aws.amazon.com/compliance/data-center/controls/.

Measures for ensuring event logging

Remote access to the data processing systems is only possible through Survale’s limited-access protocol described above. All access attempts, successful and unsuccessful, are logged and monitored.

Measures for ensuring system configuration, including default configuration

Survale’s system configuration is based on the Security Technical Implementation Guides (STIG). System configuration is applied and maintained by software tools that ensure the system configurations do not deviate from the specifications. Deviations are fixed automatically and reported to our SOC.

Measures for internal IT and IT security governance and management

Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems.

Measures for certification/assurance of processes and products

Survale will continue to maintain these certifications, SOC 2 Attestation Reports and/or other substantially similar or equivalent certifications for the term of the Agreement. The technical and organizational measures defined herein are implemented in accordance with SOC 2 standards. Survale shall maintain controls materially as protective as those provided in SOC 2 or other substantially similar or equivalent standards. Survale uses third-party data centers that maintain current ISO 27001 certifications and/or SSAE 16 SOC 1 Type II and SOC 2 and 3 Attestation Reports. Survale will only use third-party data centers that maintain the aforementioned certifications and/or attestations, or that have other substantially similar or equivalent certifications and/or attestations (see https://aws.amazon.com/compliance/iso-certified/). Upon the Controller’s written request (no more than once in any 12-month period), Survale shall provide within a reasonable time a copy of the most recently completed certification and/or attestation reports (to the extent that doing so does not prejudice the overall security of the Services). Any audit report submitted to the Controller shall be treated as Confidential Information and subject to the confidentiality provisions of the Agreement between the parties.

Measures for ensuring data minimization

If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the first instance and is then deleted for good after a certain delay. This is done in order to prevent accidental deletions or possible intentional damage.

Measures for ensuring data quality

All of the data processed is provided by the Controller. Survale does not assess the quality of the data provided by the Controller. Survale provides tools within its product to help the Controller understand and correct the data that is stored. Survale also uses a third-party managed firewall in front of the server infrastructure, which checks data for potential threats and blocks requests as required.

Measures for ensuring limited data retention

Survale uses a data classification scheme for all data that it stores. When a record with Personal Data is deleted, it is permanently removed from Survale’s active databases. The data is retained in backups until they are replaced by more recent backups.
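The data minimization and limited retention measures above describe the same two-phase deletion: a delete request first locks the record, and only after a delay is it removed for good, so that an accidental or malicious delete can still be reversed. The following Go program is an added illustration of that lock-then-purge lifecycle and is not Survale’s code; the Store type, the 30-day grace period, the candidate IDs and the email addresses are all constructed for the example. Restoring a locked record and running the purge against an explicit clock are the two behaviours the text implies but does not spell out.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"time"
)

var ErrNotFound = errors.New("record not found")

// Record holds one data subject's PII; a non-zero lockedAt marks it as
// deleted-but-recoverable.
type Record struct {
	Email    string
	lockedAt time.Time // zero value means the record is live
}

// Store is a hypothetical active database with a grace period before purge.
type Store struct {
	grace   time.Duration
	records map[string]*Record
}

func NewStore(grace time.Duration) *Store {
	return &Store{grace: grace, records: map[string]*Record{}}
}

func (s *Store) Put(id, email string) {
	s.records[id] = &Record{Email: email}
}

// Get serves only live records; a locked one looks deleted to the application.
func (s *Store) Get(id string) (*Record, error) {
	r, ok := s.records[id]
	if !ok || !r.lockedAt.IsZero() {
		return nil, ErrNotFound
	}
	return r, nil
}

// Delete is phase one: lock the record and start the clock.
func (s *Store) Delete(id string, now time.Time) error {
	r, err := s.Get(id)
	if err != nil {
		return err
	}
	r.lockedAt = now
	return nil
}

// Restore reverses a lock that is still inside the grace period.
func (s *Store) Restore(id string, now time.Time) error {
	r, ok := s.records[id]
	if !ok || r.lockedAt.IsZero() {
		return ErrNotFound
	}
	if now.Sub(r.lockedAt) > s.grace {
		return fmt.Errorf("restore %s: grace period expired", id)
	}
	r.lockedAt = time.Time{}
	return nil
}

// Purge is phase two: permanently remove records locked for longer than the
// grace period. It returns the IDs removed so each run can be logged.
func (s *Store) Purge(now time.Time) []string {
	var purged []string
	for id, r := range s.records {
		if !r.lockedAt.IsZero() && now.Sub(r.lockedAt) > s.grace {
			delete(s.records, id) // deleting during range is safe in Go
			purged = append(purged, id)
		}
	}
	sort.Strings(purged)
	return purged
}

func main() {
	s := NewStore(30 * 24 * time.Hour)                        // assumed 30-day grace period
	t0 := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)         // constructed timeline
	s.Put("cand-1", "jane@example.com")                      // constructed sample record
	_ = s.Delete("cand-1", t0)
	fmt.Println("purged on day 10:", s.Purge(t0.Add(10*24*time.Hour)))
	fmt.Println("purged on day 31:", s.Purge(t0.Add(31*24*time.Hour)))
}
```

Passing the clock into Delete, Restore and Purge keeps the lifecycle deterministic and testable; in a real deployment the purge job would also need to be reconciled against backup rotation, since the text notes that deleted data persists in backups until those are replaced.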

Measures for ensuring accountability

Survale internally reviews its information security policies semi-annually to ensure they are still relevant and are being followed. All employees that handle sensitive data must acknowledge the information security policies. These employees are re-trained on information security policies once per year. A disciplinary policy is in place for employees that do not adhere to information security policies.

Measures for allowing data portability and ensuring erasure

The Services have built-in tools that allow the Controller to export or permanently erase data.

Measures to be taken by the (Sub-)Processor to be able to provide assistance to the Controller (and, for transfers from a Processor to a Sub-Processor, to the Data Exporter)

The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred outside the EEA, Survale ensures that an adequate level of data protection exists at the target location or organization in accordance with the European Union’s data protection requirements, e.g. by employing contracts based on the EU SCC.