Talentspace Security Policy
At Talentspace, your data and information security are of the highest importance for us. On this page, you will find a comprehensive overview and description of the measures we undertake to ensure the integrity and security of the Talentspace platform.
This section describes the security measures for Talentspace's website and platform (www.talentspace.io and app.talentspace.io).
Access Control Policy
Access to data within the Talentspace platform is governed by access rights. Talentspace has various permission levels for users (organizer, talent, recruiter) that encompass different data access rights.
Talentspace's approach to defining access privileges and roles is to provide predefined roles whose permissions cover the most common use cases and follow best practices. This keeps the model easy to understand for the administrators (organizers, recruiters, or Talentspace staff) who grant access to other users, so that each user receives the role that fits their needs and the least-privilege principle is followed. Defining too many roles, or allowing too much granularity in privileges, generally lowers the security level, because administrators faced with a complex role configuration tend to grant broader privileges than necessary.
Roles and permissions differ depending on the application. The main roles are described below.
User Groups on Talentspace
Talent
- Authorized to navigate the front-office side of the platform for their own account and use its features (access content, register for events or apply for jobs, manage their account and preferences, etc.).
- Not authorized to access the back-office side of the platform.
Organizer
- Create and invite companies/teams to their events
- Invite recruiters to the event
- Invite and give access to additional recruiters
- See all talent profiles of event applicants
- Manage event applications
- Overview of all event contents (companies/teams, jobs, speeches, sessions, live booths, 1-1 chats)
- See analytics on the event and interaction during the event
Recruiter
Recruiters are usually invited by event organizers to attend events on behalf of their companies or teams.
- Able to view profiles of event participants as defined by the organizer (either all confirmed event participants or a sub-group)
- Edit company/team details (Info, FAQ, Files)
- Create/edit speeches and sessions
- Invite colleagues to the event
- Set 1-1 chat availability
- Manage 1-1 chats
User Registration and De-registration
User registration and de-registration are determined by the users. Upon registration, the user sets his/her password. Upon de-registration, the user loses access to all the resources and features previously available.
User Access Provisioning
The Organizer Dashboard allows organizers to assign the appropriate roles to other users.
Multi-Factor Authentication (MFA)
Talentspace plans to develop multi-factor authentication which can be rolled out for the platform and applications.
Privileged Access Rights
Talentspace administrators handle user registration and de-registration.
Administration Interfaces Access
Access to administration interfaces is encrypted via industry best-practices HTTPS and TLS over public networks.
Information Access Restriction
All partner information is segregated from other partners' information in the application.
The most sensitive data and information on Talentspace are personal CV data and interaction data. Talentspace neither collects nor stores financial data (such as credit card or bank details), nor private personal data (such as social security information or personal addresses).
Data in Transit
Talentspace uses modern, industry-standard encryption (HTTPS and TLS) to protect data in transit and communications between the platform's users (talents, recruiters, organizers, or Talentspace staff). Talentspace only supports TLS 1.2; the deprecated TLS 1.0 and 1.1 protocols are not accepted.
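The "TLS 1.2 only" statement above is a server configuration choice that is easy to get wrong and easy to check. The following added example (not code from Talentspace) shows, with Python's standard `ssl` module, the weak setting beside the corrected one and a small audit helper that lists which deprecated protocol versions a context is still configured to negotiate. The function names are this example's own.

```python
import ssl

# Protocol versions in negotiation order, lowest first.
VERSION_ORDER = [
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
    ssl.TLSVersion.TLSv1_2,
    ssl.TLSVersion.TLSv1_3,
]
# Versions a "TLS 1.2 only" policy must refuse.
DEPRECATED = {ssl.TLSVersion.SSLv3, ssl.TLSVersion.TLSv1, ssl.TLSVersion.TLSv1_1}


def legacy_context() -> ssl.SSLContext:
    """Weak setting: accept whatever the underlying OpenSSL build supports."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected setting: refuse every version below TLS 1.2."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.maximum_version = ssl.TLSVersion.MAXIMUM_SUPPORTED
    return ctx


def negotiable_versions(ctx: ssl.SSLContext) -> list[str]:
    """Names of the protocol versions the context is configured to accept."""
    lo, hi = ctx.minimum_version, ctx.maximum_version
    lo_idx = 0 if lo == ssl.TLSVersion.MINIMUM_SUPPORTED else VERSION_ORDER.index(lo)
    hi_idx = (len(VERSION_ORDER) - 1 if hi == ssl.TLSVersion.MAXIMUM_SUPPORTED
              else VERSION_ORDER.index(hi))
    return [v.name for v in VERSION_ORDER[lo_idx:hi_idx + 1]]


def deprecated_versions_enabled(ctx: ssl.SSLContext) -> list[str]:
    """Audit helper: deprecated versions the context would still negotiate."""
    return [name for name in negotiable_versions(ctx)
            if ssl.TLSVersion[name] in DEPRECATED]


if __name__ == "__main__":
    print("legacy  :", negotiable_versions(legacy_context()))
    print("hardened:", negotiable_versions(hardened_context()))
    print("deprecated still enabled (hardened):",
          deprecated_versions_enabled(hardened_context()))
```

The audit reports what the context is configured to accept; an OpenSSL build compiled without TLS 1.0 or 1.1 would refuse those handshakes even for the legacy context, so the configured minimum is the setting to pin explicitly rather than rely on the library default.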
A few communications are sent via email and are inherently less protected. Only public information transits through this method of communication.
Data at Rest
The AWS infrastructure ensures encryption at rest of all data-stores containing non-public information using an industry-standard AES-256 encryption algorithm.
Secrets and Keys
All keys and other secrets used within the application are stored securely following industry best practices. Talentspace follows secure credential storage best practices by never storing passwords in a readable form, only as the result of a secure, salted, one-way hash. The hash algorithm currently used for passwords is bcrypt, which is based on the Blowfish cipher.
Talentspace abides by secure secrets management best practices during all the key management phases:
- Key generation
- Key storage
- Key use
- Key destruction
Physical and Environmental Security
Physical Perimeters and Location
Our platform is hosted in Amazon Web Services (AWS) facilities. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Physical Access Control
The AWS data center facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multi-factor identification, physical locks, and security breach alarms.
AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.
Protecting Against External and Environmental Threats
Fire Detection and Suppression
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms, and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide backup power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide backup power for the entire facility.
Climate and Temperature
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
Storage Device Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process.
Operational Procedures and Responsibilities
Policies are in place that record the responsibilities associated with each domain.
Talentspace's development cycle is based on the Agile project management philosophy, and more specifically is based on Scrum methodology. Agile is a project management approach that breaks projects into short, iterative cycles called “sprints”. At its core, Agile is based on the assumption that circumstances change as a project develops. That’s why, in an Agile project, the planning, design, development, and testing cycles are never done. They continue to change as the project takes form. Change management is directly integrated within the process.
Talentspace has implemented security tests as part of the CI/CD pipeline. Code security and dependency checks are performed before every deployment. Furthermore, access to the source code is heavily restricted, and a version control system tracks all changes to it.
Development, testing, and pre-production environments are divided physically and logically from the production environment. Service data is used after anonymization to provision the pre-production environment, enabling realistic anonymous data to be used for a more robust manual testing of changes. For development and testing environments, service data may be used after anonymization and subsetting (reduction of the dataset to a representative subset).
Protection from Malware
Servers are protected from malware.
Our backup policy guarantees that platform data on Talentspace is replicated in several geographical locations. The replica instances are configured according to our policy and are reliable. Our production databases are backed up and versioned every day. Those backups are kept for seven days.
Logging and Monitoring
Talentspace uses application server logs which contain all user actions that prompt an HTTP request to the application (e.g. loading a page, submitting a form, triggering background HTTP requests etc.), as well as some associated data.
These logs include actions performed by administrative accounts.
Access to the logs is restricted to certain members of the technical team.
Technical Vulnerability Management
An automated web scanning appliance is deployed on the Talentspace pre-production platform. It sends alerts on vulnerabilities found before the platform is deployed. The Chief Technical Officer (CTO) then ensures that the vulnerabilities are prioritized and subsequently corrected. The scan is launched every day.
An automated vulnerability scanner also runs daily to discover vulnerabilities in the dependencies of the Talentspace code.
Static Code Analysis
We're using an automated service to monitor code quality, reliability, and security, automatically detecting bugs, vulnerabilities, code smells, and other issues in our codebase.
Talentspace regularly contracts a third-party security specialist to perform external penetration tests of different scopes of our platform and applications. The full scope of our public-facing products is tested and reviewed once a year.
Any responsible disclosure of a vulnerability found on the platform will be handled within a reasonable time period.
Network Security Organisation
Our network security architecture is built upon multiple security zones. Sensitive systems, like database servers, are protected in the most trusted zones, where only traffic coming from the internal network is authorized. Traffic between different zones is filtered using firewalls.
Segregation in Networks
Our AWS infrastructure utilizes several AWS network security features, namely VPC (Virtual Private Cloud) and Security Groups (virtual stateful firewalls), to isolate our infrastructure from external traffic and filter any unauthorized traffic.
Access to the Talentspace production infrastructure is restricted to specific members of the Talentspace technical team, following the least-privilege principle. By default, members of the technical team do not have access and have to request it for a limited time window.
Network monitoring on our AWS infrastructure is managed through our global infrastructure monitoring.
Technical Network Security
Network Vulnerability Scanning
We perform regular internal vulnerability scans of the infrastructure. Where issues are identified, they are tracked until remediation.
Intrusion Detection and Prevention
Intrusion detection and prevention appliances are installed on the infrastructure to detect and warn of system breaches.
We leverage threat detection services within AWS to continuously monitor for malicious and unauthorized activity.
We use a number of protection strategies and tools layered to mitigate DDoS threats.
System Acquisition, Development, and Maintenance
Secure Development Awareness
Talentspace strongly encourages security awareness in its technical team through regular communications and staff awareness programs.
Members of the technical team meet monthly to discuss and share best practices, information, and resources, and identify security actions that need to be taken. Security articles and presentations are regularly shared within the team through internal communication channels and the monthly “tech learning” afternoons.
Secure Development Training
Talentspace is currently working with a third party for secure code training, covering the OWASP security flaws and other common attack vectors.
Secure Development Environment
Platform development is undertaken on local developer machines which are provided and centrally administered by Talentspace. The source code is hosted by GitHub in private repositories. GitHub guarantees an appropriate level of confidentiality, availability, integrity, and traceability.
In the case that Talentspace is working with subcontractors, they will be given secure development training. External developers have only limited access rights to Talentspace Git repositories, according to the least-privilege principle.
System Change Control procedures
Web Frameworks Security Controls
Talentspace employs modern web frameworks (e.g. React) and continuously applies security assessments to examine the platform and to test for known web application vulnerabilities (e.g. OWASP Top 10). These frameworks include inherent controls that reduce our exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF), and SQL Injection (SQLi), among others.
Technical Review of Applications after Platform Changes
Each source code change goes through several reviews:
- code review by two other members of the development team;
- functional review and/or non-regression testing by the product manager or QA engineers.
Security-sensitive changes are flagged specifically and go through an additional process of review and testing involving the CTO, the Head of Engineering, and the wider team.
Information Security in Third-party Relationships
Third parties used for Talentspace's services are:
- Customer service software
- Google Tag Manager
- Application and error monitoring
Addressing Security within Third-party Agreements
All third parties used for the Talentspace platform and applications have been vetted and approved by Talentspace's CTO. They all comply with Talentspace's security level.
Monitoring and Review of Third-party Services
Third-party services are reviewed before contracts are signed.
Managing Changes to Third-party Services
If a change or update on a third-party service used by Talentspace affects the security on the platform and applications, Talentspace will notify all affected partners within a reasonable time frame.
A law firm regularly revises the confidentiality agreements of all third-parties services employed in the running of Talentspace’s platform and applications. The last audit was performed in February 2021.
Information Security Incident Management
Responsibilities and Procedures
Security incident management and crisis management are the responsibility of the Chief Technology Officer (CTO). A security incident is handled as a production incident, and a task force is assigned to fix the issue.
Reporting Information Security Events
In the event that a security incident occurs on the platform, Talentspace will notify the competent authorities and its affected clients within a reasonable time frame.
Assessment of and Decision on Information Security Events
Classification of an incident is done by the task force assigned to the incident. Major decisions are approved by the CTO.
Learning from Information Security Incidents
All security incidents are recorded and analyzed by the CTO. Action plans can result from this analysis.
Collection of Evidence
If a collection of evidence is necessary for judicial reasons, Talentspace will hire a specialized third party to do it.
Business Continuity Plan
A Business Continuity Plan (BCP) is in the process of being formalized and will be reviewed every three years.
Talentspace's continuity plan depends on the availability guaranteed by AWS: All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that should a data center failure occur, there is sufficient capacity to enable traffic to be load-balanced to the remaining sites automatically.
Implementing Information Security Continuity
Critical components of the infrastructure, such as web servers, application servers, and data-stores, are clustered, and redundancy ensures availability in case of a system failure. Our backup policy guarantees that our platform data is replicated in several geographical locations. Our replica instances are set up according to our policy and their reliability is assured by AWS.
Talentspace undertakes an infrastructure-as-code approach to infrastructure management, thus enabling a faster recovery in the event of a major disaster necessitating re-building the whole infrastructure.
Disaster Recovery Testing
The configuration for the whole platform and all applications is scripted. In the event of a disaster, the technical team will be able to restore the platform by running the configuration scripts. Databases are restored automatically from their snapshots to a point in time between zero and five minutes before the disaster. These configuration scripts are used every day and are therefore continuously tested.
Availability of Services
Talentspace is committed to a 98.5% uptime of the platform's core features. The platform's monitoring system measures uptime. An internal system-status service is used to trace incidents and provide an additional uptime measure.
Talentspace uses Amazon Web Services (AWS) to host the Talentspace application and to manage data storage, system back-ups, server management, and cloud management tools. AWS is an industry leader in data security. You can learn more about the work AWS is doing to ensure protection here: https://aws.amazon.com/security/
AWS’ infrastructure has been vetted for compliance against industry standards.
AWS is compliant with the following certifications:
- Cyber Essentials Plus
Our platform benefits from those certifications by being hosted in AWS facilities.
General Data Protection Regulation (GDPR)
As outlined in the GDPR legislation, Talentspace is defined as a “Data Processor”, and the Organizer the “Data Controller”. Talentspace has a “Data Processing Agreement” on file for all third-party technologies employed in the Talentspace platform and has a draft agreement on file for use by organizers. DPAs can be requested by emailing the Talentspace privacy team at firstname.lastname@example.org
Financial Data Security
Talentspace does not handle, process, store, or transmit sensitive financial data.
Other Security Measures
Destruction of Data Storage Mediums
Physical destruction of data storage mediums is handled by our hosting provider AWS.
Patch management is operated by our infrastructure upgrade policy. Our goal is to never have to patch anything by being consistently up-to-date on our infrastructure systems.
This section describes the security measures for data protection at Talentspace.
Some members of the technical team are given logical access to the platform's systems (servers and organizer interfaces). The list of persons given this level of access is reviewed every three months. These accesses are given through the infrastructure-as-code system in place at Talentspace. Revocation can be performed at any moment, if necessary, through a change in the code dedicated to this access.
The leader of the infrastructure team is responsible for giving and removing access to members of the technical team. The CTO is responsible for auditing those accesses.
Privileged accesses are only available through certain source IP addresses.
All uploaded files are only accessible to allowed users.
All communications with Talentspace servers are encrypted using industry-standard HTTPS over public networks. This ensures that all traffic between users and Talentspace’s applications is secure during transit.
Personal data will not be transmitted on physical data carriers.
Personal data is only accessible to organizers and recruiters through the application which is accessed on the internet, over an HTTPS secured connection.
Email Signing (DKIM/DMARC)
Emails sent and received by Talentspace are secure.
Employee devices (smartphones and laptops) are monitored and handled through a mobile device manager.
Automated Sensitive Information Discovery
The discovery of sensitive information is not yet automated.
Content Moderation, Spam Filtering
Content is moderated on the platform.
Internal and Operational Security
This section describes the internal security measures in place within Talentspace's company organization and processes. They apply to all employees unless otherwise specified.
Information Security Management
Information Systems Security Policy (ISSP)
With the help of security management experts, Talentspace has developed an Information Systems Security Policy. It follows the structure and principles of the ISO-27001 information security standard. This policy has been shared and made available to all employees and contractors with access to Talentspace information assets.
The Information Systems Security Policy is reviewed and updated at least every 2 years to take account of changes in:
- the regulatory, organizational, or technical context;
- the expectations of Talentspace's users, customers, and partners;
- internal security requirements;
- new threats and vulnerabilities that may apply to Talentspace's information systems.
General Management Commitment
Talentspace's Information System (IS) is a critical resource enabling Talentspace to pursue its activities and provide services to its customers. Ensuring the security of the Information System is integral to meeting a number of crucial objectives for Talentspace:
- Guarantee the confidentiality and integrity of the data that users, customers, and partners entrust to Talentspace, and in particular their personal data;
- Ensure the continuity of the services offered to our customers and partners, in particular the Talentspace website and platform, as well as all the other web applications provided by Talentspace;
- Establish and maintain strong trust between Talentspace and our partners and customers, by communicating and respecting our commitments to the protection of their data;
- Guarantee the confidentiality and the integrity of our customers' and partners' personal data;
- Adhere and react to regulatory and legal requirements and constraints;
- Ensure the continuity of Talentspace's activities.
For this purpose, the General Management of Talentspace commits to allocating the means and resources necessary.
Roles and Responsibilities
Talentspace has defined the roles and organization for the management of Information Security.
- The Chief Technology Officer (CTO) is responsible for defining and updating the policy and for controlling its implementation;
- The Managing Directors assess and review the security policy and its implementation at a strategic level;
- The technical team actively contributes to the implementation of security measures through technical means.
Hiring Process Controls
Skills and education are controlled for all hires during the hiring process. Before a new employee joins Talentspace, our team verifies the individual’s education and previous employment and performs internal and external reference checks. The extent of these background checks is dependent on the desired position.
All employees agree to the internal rules and the charter for the use of information systems, including security guidelines and mandatory practices.
Talentspace's employment contracts contain a Confidentiality and Non-Disclosure Agreement clause. All employees sign a confidentiality agreement.
Awareness and Training
Regular awareness and training actions are shared with and addressed to all Talentspace employees. These actions cover a large range of subjects, for example:
- general security good practices;
- management of sensitive information;
- awareness of attack vectors (phishing, malware, etc.).
All new employees go through an information security training session as part of their onboarding training.
Talentspace premises are protected by individual identification badges and CCTV video surveillance. Office doors are locked before 7am and after 10pm, and during weekends.
The internal network provided by Talentspace to our employees is protected by an industry-standard firewall solution. All incoming traffic is forbidden by default.
Several network areas have been defined to isolate the different roles of Talentspace staff and networked devices. In particular, printers and personal devices are associated with different network areas which are isolated from employee workstations.
Low-risk Internal Network Strategy
As most Talentspace employees are given the option to work remotely, the internal network used in the Talentspace office is limited to the connectivity of workstations to the internet and local utility devices (e.g. printers). No critical equipment is hosted on the local network.
This limits the risks related to network intrusions and reduces the corresponding security requirements.
All workstations are protected using an industry-standard malware protection solution.
All workstation hard drives are fully encrypted.
Internal Information Systems Security
New employees are given access to internal applications on a need-to-know basis. Accesses are revoked when the employee leaves the company.
Accesses to all sensitive applications are regularly audited.
Talentspace's Information Security Policy defines the following password policy:
- Minimum of eight characters long;
- At least three of the following types of characters: digits, uppercase letters, or symbols.
Where possible, the internal applications are set up to enforce these password requirements. Moreover, multi-factor authentication is enforced for sensitive applications.
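Where an internal application cannot enforce the policy natively, a small check at the point where a password is set can do it. The following is an added example, not Talentspace's code; it encodes the two rules stated above (eight characters minimum, and the character types listed) and returns the list of violations so that the user can be told exactly what is missing. The interpretation that "at least three of the following types" means all three listed types is this example's assumption, and the constants can be adjusted if the policy lists more types.

```python
import string

MIN_LENGTH = 8
REQUIRED_CLASSES = 3

# Character types named in the policy. Assumption: exactly these three are
# listed; add e.g. "lowercase": set(string.ascii_lowercase) if the policy grows.
CHARACTER_CLASSES = {
    "digit": set(string.digits),
    "uppercase": set(string.ascii_uppercase),
    "symbol": set(string.punctuation),
}


def classes_present(password: str) -> list[str]:
    """Names of the character types that occur at least once in the password."""
    return [name for name, chars in CHARACTER_CLASSES.items()
            if any(c in chars for c in password)]


def policy_violations(password: str) -> list[str]:
    """Every rule the password breaks; an empty list means it complies."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    present = classes_present(password)
    if len(present) < REQUIRED_CLASSES:
        missing = [name for name in CHARACTER_CLASSES if name not in present]
        violations.append(
            f"contains {len(present)} of the {REQUIRED_CLASSES} required "
            f"character types (missing: {', '.join(missing)})"
        )
    return violations


def complies(password: str) -> bool:
    return not policy_violations(password)


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    for candidate in ["password", "Abc123!", "Tr0ub4dor&3"]:
        problems = policy_violations(candidate)
        print(f"{candidate!r}: {'ok' if not problems else '; '.join(problems)}")
```

Returning the violations rather than a bare boolean is what makes the check useful at the user interface: the message names the missing character types without revealing anything about passwords other than the one being set.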
Talentspace employees are provided with a password management solution to improve password security. The solution enables the generation of complex passwords, limits the reuse of existing passwords, and allows secure sharing of passwords when needed.
All communications between Talentspace's employees and internal applications are encrypted via industry best-practices HTTPS and using TLS 1.2 or above. This includes client-server interactions, server-server interactions, and interactions with external services.