Survale Data Security

Audited Annually to Meet or Exceed the Highest Standards

Data Privacy

Survale is audited annually to meet SOC 2 data security standards and confirm for our clients that we have effectively executed against our security controls and procedures. We hold our sub processors to these same standards and audit them annually as well. Our SOC 2 audit attestations are available for our clients by contacting security@survale.com. 

The Survale system uses personally identifiable  candidate and employee data (Pii) to be able to provide automated talent experience feedback and analytics. Survale does not utilize or collect any Sensitive Data like health or payment information. In fact the data Survale does require from clients is low level Pii and includes name, email and mobile phone number (for clients choosing to collect feedback via SMS). 

GDPR

Survale utilizes data centers within the EU to ensure our clients can keep their data local. In addition, we incorporate GDPR Standard Clauses into our agreements to govern the handling of that data, whether or not any cross border data transfers are desired.

The Survale system has a number of UI level tools for easily handling tasks like subject data deletion or Pseudonymization, either manually or automatically. A full description of our GDPR compliance measures are available to clients upon request.

Below is a general description of the measures we take to secure Pii for our clients.

General Description of Security Measures

Security Measure Description
Measures of pseudonymization and encryption of Personal Data
For the purpose of transfer control, an encryption technology is used (e.g. remote access via two factor VPN tunnel and full disk encryption). The suitability of an encryption technology is measured against the protective purpose. The Controller is assigned a unique encryption key, generated using a FIPS 140-2 compliant crypto library, which is used to encrypt and decrypt all of the Controller’s archived data. In addition to the encryption keys, all data being written to the storage grid includes the Controller’s unique account ID. Survale’s systems that write data to the storage grid retrieve the encryption key from one system and the customer code from another, which serves as a cross check against two independent systems. The encryption key is encrypted with a Survale key stored within a centralized and restricted key management system. In order for Survale to access Personal Data via the master key, the key management system provisions keys following a strict process of approval that includes multiple levels of executive authorization. Use of these master encryption keys is limited to senior production engineers and all access is logged, and monitored by CTO. The Controller’s archived data is encrypted at rest using AES256 bit encryption Data in transit is protected by Transport Layer Security (“TLS”).
Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services
Access to data necessary for the performance of the particular task is ensured within the systems and applications by a corresponding role and authorization concept. In accordance to the “least privilege” and "need-to-know" principles, each role has only those rights which are necessary for the fulfillment of the task to be performed by the individual person. To maintain data access control, state of the art encryption technology is applied to the Personal Data itself where deemed appropriate to protect sensitive data based on risk.
Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident
All of the Survale’s applications can be easily recreated in different geographical regions. Data is stored across multiple data centers. The data centers can be switched in the event of flooding, earthquake, fire or other physical destruction or power outage to protect Personal Data against accidental destruction and loss. Survale maintains redundancy throughout its IT infrastructure in order to minimize the lack of availability to or loss of data. Backups are maintained multiple times a day in accordance with our backup procedures. We maintain a disaster recovery policy and at least once per calendar year practice executing the policy.
Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing
Survale conducts multiple internal audits. We strive to automate audits hence the majority of our monitoring of our infrastructure is automated and running 24/7 and based on various frameworks (CIS, NEST etc.). We obtain an external security and compliance audit once per calendar year.
Measures for user identification and authorization
Remote access to the data processing systems is only possible for two employees through only two IP addresses using a VPN to access a bastion host with authenticated security keys. All access attempts, successful and unsuccessful are logged and monitored.
Measures for the protection of data during transmission
Data in transit is protected by Transport Layer Security (“TLS”).
Measures for the protection of data during storage
Personal Data is only retained on the third party data center servers, which are covered by AWS certifications. The Controller’s archived data is encrypted at rest using 2048 bit encryption and data in transit is protected by Transport Layer Security (“TLS”). Controller is a virtual organization with no centralized premises and no internal network and no data is stored or processed outside of their AWS data centers. The AWS security provisions will apply as set out at https://aws.amazon.com/compliance/data-center/controls/.
Measures for ensuring events logging
Remote access to the data processing systems is only possible through Survale’s limited access protocol described above. All access attempts, successful and unsuccessful are logged and monitored.
Measures for ensuring system configuration, including default configuration
Survale’s system configuration is based on the Security Technical Implementation Guides (STIG). System configuration is applied and maintained by software tools that ensure the system configurations do not deviate from the specifications. Deviations will be fixed automatically and reported to our SOC
Measures for internal IT and IT security governance and management
Employees are instructed to collect, process and use Personal Data only within the framework and for the purposes of their duties (e.g. service provision). At a technical level, multi-client capability includes separation of functions as well as appropriate separation of testing and production systems.
Measures for certification/assurance of processes and products
Survale will continue to maintain these certifications, SOC 2 Attestation Reports and/or other substantially similar or equivalent certifications for the term of the Agreement. The technical and organizational measures defined herein are implemented SOC 2 standards . Survale shall maintain controls materially as protective as those provided in the SOC 2 or other substantially similar or equivalent standards. AND Survale utilizes third party data centers that maintain current ISO 27001 certifications and/or SSAE 16 SOC 1 Type II and SOC 2 and 3 Attestation Reports. Survale will only use third party data centers that maintain the aforementioned certifications and/or attestations, or that have other substantially similar or equivalent certifications and/or attestations. See: https://aws.amazon.com/compliance/iso-certified/ Upon the Controller’s written request (no more than once in any 12 month period), Survale shall provide within a reasonable time, a copy of the most recently completed certification and/or attestation reports (to the extent that to do so does not prejudice the overall security of the Services). Any audit report submitted to the Controller shall be treated as Confidential Information and subject to the confidentiality provisions of the Agreement between the parties
Measures for ensuring data minimization
If Personal Data is no longer required for the purposes for which it was processed, it is deleted promptly. It should be noted that with each deletion, the Personal Data is only locked in the first instance and is then deleted for good with a certain delay. This is done in order to prevent accidental deletions or possible intentional damage
Measures for ensuring data quality
All of the data processed is provided by the Controller. Survale does not assess the quality of the data provided by the Controller. Survale provides tools within its product to help the Controller understand and correct the data that is stored. Survale also uses a third party managed firewall in front of the server infrastructure which checks data for potential threats and blocks requests as required.
Measures for ensuring limited data retention
Survale uses a data classification scheme for all data that it stores. When a record with Personal Data is deleted then it will be permanently removed from Survale’s active databases. The data is retained in backups until they are replaced by more recent backups
Measures for ensuring accountability
Survale internally reviews its information security policies semi-annually to ensure they are still relevant and are being followed. All employees that handle sensitive data must acknowledge the information security policies. These employees are re-trained on information security policies once per year. A disciplinary policy is in place for employees that do not adhere to information security policies.
Measures for allowing data portability and ensuring erasure
The Services have built-in tools that allow the Controller to export or permanently erase data.
Measures to be taken by the (Sub-) Survale to be able to provide assistance to the Controller (and, for transfers from a Survale to a Sub-Survale, to the Data Exporter).
The transfer of Personal Data to a third party (e.g. customers, sub-contractors, service providers) is only made if a corresponding contract exists, and only for the specific purposes. If Personal Data is transferred outside the EEA, Survale provides that an adequate level of data protection exists at the target location or organization in accordance with the European Union's data protection requirements, e.g. by employing contracts based on the EU SCC
Talent survey analytics

Transform Your Talent Experience

Latest News and Resources

Check out Survale’s original articles exploring candidate experience survey, onboarding survey and employee experience survey best practices and use cases

Reduce Cost Per Applicant With The Secret Shoppers of the Recruiting World

Sure you can keep rejected candidates warm and source from them for future jobs, but you could reduce Cost Per…

Hiring Subprocesses Can Kill Candidate Experience

I often talk about the “hiring process.” But THE hiring process is really made up of many hiring subprocesses. And…

Meet Survale’s Latest Partner HappyDance

Survale’s partner ecosystem provides our clients with high quality services and technologies that can enhance Survales value or vice versa.…