At Entelo, the security of your data and your compliance with legal requirements is our top priority. Entelo’s platform has robust security measures in place to safeguard the transmission and storage of the information you share with us.
We rely on the most secure service providers to ensure that your information is safe. Entelo’s services run on Amazon Web Services (AWS), which is physically secure, employs modern software security techniques, and requires multi-factor authentication for access. The AWS cloud infrastructure is constantly monitored, highly automated, and highly available. It meets many global security standards including ISO 27001, SOC, PCI, and FedRAMP.
We protect your information as it is transmitted between systems. Entelo integrates seamlessly with your applicant tracking system (ATS) without compromising the security of your data. Communication through ATS partner APIs is HTTPS encrypted using TLS 1.2. The connection is encrypted and authenticated using AES-128 bit encryption. The Advanced Encryption Standard (AES) is used by the U.S. government to protect classified information and is also used commercially to protect sensitive data in software.
We make your data unreadable to those who shouldn’t be reading it. In addition to encrypting API traffic to your ATS, Entelo encrypts other sensitive company data you share with us. We use the Key Management Service (KMS) through AWS to control and separate encryption keys used to encrypt your data. KMS employs Hardware Security Modules (HSMs) to protect the security of keys. Keys can never be exported from the service. All data is encrypted at rest and in transit between nodes, so you can be sure your data is secure.
We don’t hold on to your passwords – we never even see them. Entelo never stores user passwords. We utilize a one-way, cryptographic hashing algorithm known as bcrypt, an industry standard for password hashing.
We protect customer data from other customers. Choosing a recruiting platform without strong access protections in place can pose serious security risks. Entelo does not share your data with our other customers. Rigorous access controls restrict customers to their data only. Personally identifiable information from your applicants will never be available to others.
Don’t just take our word that our systems are secure. We don’t. Entelo has partnered with a reputable, global information assurance specialist, NCC Group, to perform objective, third-party security audits on an annual basis. Vulnerability scans are performed at both the network and application level. The testing methods verify our compliance with both WASC (Web Application Security Consortium) and OWASP (Open Web Application Security Project) standards.
We prepare for the worst, just in case. To become fully operational in the case of a disaster, Entelo’s data is stored in an AWS multi-Availability Zone (AZ) database instance. Each AZ runs its own physically distinct, independent infrastructure and is designed to be highly reliable. In case of an infrastructure failure, it performs an automatic failover to a standby. Entelo’s Infrastructure team practices database failovers and replaces production nodes on a quarterly basis. In an emergency, you can be sure we will respond in a calm and quick manner.
Our staff is trained to handle your data correctly. Entelo employees with access to sensitive customer data can only access information on a need-to-know basis for troubleshooting purposes and are required to adhere to strict privacy guidelines. For access to our production systems, all engineers use multi-factor authentication and are restricted by IP location – a process we closely track and audit. Customer data is never copied locally onto employee computers. Additionally, all new hires are subject to a pre-employment background check in order to verify identity, references, criminal history, etc. As part of their onboarding, all Entelo engineers agree to an Information Security Management System. The goal of an ISMS is to minimize risk and ensure business continuity by proactively limiting the impact of a security breach. Additionally, all of Entelo’s engineers go through yearly security training on OWASP vulnerabilities.
We help your team follow security best practices too. We know that the HR team members using Entelo products are not seasoned security experts. As part of our customer onboarding process and user training, our customer success team provides basic security best practices and recommendations to all Entelo product users.
SOC 2 – Type I
Entelo has completed SOC 2 Type I compliance. This type of compliance addresses the security of customer data and the reliability of Entelo’s systems. From Sales to Engineering, and everything in between, we go through yearly audits to make sure that your data is secure.
Entelo has established and maintains a company-wide information security management system per the requirements of ISO 27001 and the AICPA Trust Services Principles, including security policies, standards, and procedures. The standard sets forth a risk-based approach that focuses on adequate and proportionate security controls that protect information assets and give confidence to interested parties.
The EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were designed to provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data. Entelo is certified under the EU-U.S. Privacy Shield framework and has committed to comply with the Framework’s requirements. This commitment is enforceable under U.S. law.
Skyhigh Networks performs objective and thorough evaluations of the enterprise-readiness of cloud services based on a detailed set of criteria developed in conjunction with the Cloud Security Alliance (CSA). Services designated as Skyhigh Enterprise-Ready are the services receiving the highest CloudTrust™ Ratings, which fully satisfy the most stringent requirements for data protection, identity verification, service security, business practices, and legal protection.
The European Union’s General Data Protection Regulation (GDPR) will take effect on May 25, 2018, and we’ve already made great strides to become compliant. The GDPR extends the reach of the European Union’s data protection laws and establishes many new requirements for organizations that fall under its scope. Entelo has already obtained a SOC 2 Type I report, is currently in compliance with the EU-U.S. Privacy Shield framework, and has undergone an ISO 27001 Stage 1 review. Our privacy team is well ahead of this deadline to meet and exceed these new requirements. Entelo will be GDPR compliant by May 25, 2018.
Entelo’s publicly accessible privacy notice is available here.