Q1: Have you assigned a Data Protection Officer for GDPR?
Yes.

Q2: Has your workforce received any training related to GDPR and data privacy?
Yes.

Q3: In which physical geography is the data stored?
Crawley/London.

Q4: What is the incident management process in the case of a data breach?
As an ISO 27001 certified organisation, we have a fully documented process for handling an information security incident, which includes reporting, investigation, reporting and recovery. Please ask your Erecruit representative for a copy of the policy.

Q5: What intrusion detection tools and applications do you use?
We use Alert Logic as our Intrusion Detection System and for Threat Management.

Q6: What relevant certification do you hold?
We are ISO accredited with current certification for ISO27001 and ISO9001.

Q7: Have your existing data protection policies and procedures, and your privacy notice to your customers, been updated to meet the required GDPR standards?
Yes. Please ask your Erecruit representative for a copy of the policy.

Q8: Do you have a policy in place to control access to our personal data that you may process?
Yes. Please ask your Erecruit representative for a copy of the policy.

Q9: Do you currently back up our personal data held in your systems?
Yes, the last four weeks of client data, including personal data, processed through the service is backed up and stored offsite. We utilize Iron Mountain for off-site tape backups.
Managed Backups utilize an independent private network for backups running on network equipment. This was done to minimize network security concerns with the following results:
Each server is in a port level VLAN.
Each server can only see the backup servers and no other servers on the network, including their own.
No customer can see any other customer’s server on another port level VLAN.

Q10: Do you use sub-processors in the provision of your services to us and in the provision of storing our personal data?
Yes: Daxtra, Burning Glass and Sovren (for CV parsing).

Q11: Do you have appropriate technical and/or organisational measures in place to protect our personal data in accordance with GDPR?
Yes. We regularly review security of data under the annual audit of ISO27001.

Q12: Would any other third parties have access to our personal data?
Generally no. However, depending on your specific configuration and use, personal data may be processed or transferred via third-party integration to partners Daxtra Search, Cube19, TempBuddy, Mailchimp, Gmail/O365 (by sending email).

Q13: Do you have a current policy and procedure dealing with detection of and notification of personal data breaches pursuant to GDPR?
Yes. Please ask your Erecruit representative for a copy of the policy.

Q14: Do you currently have a program of training on GDPR for your existing employees and other staff who are under your direction and control?
Yes.

Q15: Do you have a Disaster Recovery Plan in place?
Yes. We have a Disaster Recovery plan in place for our clients' hosted systems.

Q16: Do you maintain security measures to protect personal data at rest and in transit?
Yes.
Personal data in transit is encrypted using suitable encryption solutions, including SSL and IPsec VPN connections, as applicable to the access of data.
Personal data at rest is protected against access by the implemented security policies and by practising a least-privilege approach to data access.

Q17: Do you maintain a process to address data privacy complaints internally?
Yes. We have a Customer Charter and Complaints Procedure which would be followed in the event of a complaint made about data privacy.

Q18: Do you maintain a process to respond to requests for access to personal data?
Yes. The latest release of Adapt contains a feature for candidates requesting access to personal data. We also have a Subject Access Request process for our own clients/prospects.

Last Revision Date: 22/05/18
©Bond International Software (UK) Limited. All Rights Reserved
