At onboard, data protection and information security play a central role. We rely on high standards and transparency to earn and maintain the trust of our customers.
We have implemented a comprehensive Information Security Management System (ISMS) that is regularly reviewed and continuously improved. As part of this certification, our ISMS undergoes systematic auditing and evaluation by TÜV SÜD. You can view the certificate here.
Yes, we offer features that enable you to work in compliance with the GDPR. These include obtaining consent during the recruitment process for the extended storage of candidate data, managing retention periods and supporting the exercise of data subjects’ rights (e.g. access to or deletion of their personal data).
Yes, we provide a Data Processing Agreement (DPA) in accordance with Article 28 of the GDPR. This agreement governs the processing of personal data on your behalf. Signing this agreement is a prerequisite for beginning work with us.
Yes, like almost all SaaS providers, we use sub-processors. We carefully evaluate them before implementation. The Data Processing Agreement (DPA) provides a detailed overview of the sub-processors we use, the processing activities they perform, where the processing takes place and whether they are optional or mandatory.
We process your data exclusively in accordance with your instructions and only store it for as long as you require. You can delete or export your data at any time.
We implement a wide range of technical and organisational measures, as outlined in our Data Processing Agreement (DPA). These include encryption of data during transmission and at rest, tenant separation, and regular security testing, such as penetration tests and vulnerability scans. We also use antivirus software and firewalls, and we have put measures in place to promptly restore the availability of and access to data in the event of an incident. Organisational measures include developing and implementing security policies, providing regular training for our employees in data protection and information security, and using access controls and a rights management system.
Yes, security is embedded in our development process from the outset. We take security aspects into account from the beginning, relying on proven practices including automated tests (Continuous Integration) and additional security tests to detect errors and vulnerabilities early on. We use isolated test environments to review new features before rollout and conduct regular vulnerability scans to identify weaknesses in our applications and infrastructure. In addition, external security experts carry out regular manual penetration tests, and we review our products regularly against established standards to systematically address the most common and critical security risks for web applications.
Yes, data protection and information security are firmly embedded in our corporate culture. From the moment they join the company, our employees receive training on these topics and are required to comply with internal policies. We place great importance on ensuring that these measures are followed in practice. Through regular discussions and further training, we emphasise the importance of data protection and information security, answer questions and support our employees in adhering to requirements. We have also implemented a mandatory Security Awareness Training programme that includes monthly cybersecurity training sessions to raise awareness of current threats.
We support you with various security features to help prevent unauthorised access. These include logging in via Single Sign-On (SSO) or two-factor authentication (2FA). You can also configure key security settings yourself, such as specifying password strength requirements or setting up automatic logouts after a defined period of inactivity. This allows you to adapt the level of security to your internal requirements and risk profile.
We have a comprehensive Business Continuity Management (BCM) system with clearly defined objectives, roles, and processes. This enables us to respond quickly in the event of disruptions or emergencies. This includes measures for the early detection of threats and disruptions, minimising the impact of critical situations and the technical and organisational preparation of our team and infrastructure. We conduct regular exercises and tests to continuously review the resilience of our systems and internal procedures, making targeted improvements where needed.
Employee and applicant data is hosted on ISO 27001-certified servers within the EU.
Yes, we implement additional safeguards to protect your data. Data is encrypted during transmission and at rest using a Key Management System (KMS), and we retain control of the encryption keys. Passwords are protected using strong hashing algorithms and additional techniques such as salting.
Yes, we have a comprehensive backup management system in place to ensure that data can be quickly restored when needed. This includes the use of redundant storage locations and regular backup testing.
We are aware of the specific requirements arising from regulations such as NIS2 and DORA for some of our customers. Our services are designed to meet high security standards and support compliance obligations. Please inform us before concluding the contract if your organisation is subject to such requirements, so that we can appropriately take your needs into account.
Our Data Processing Agreement (DPA) can also be used outside the EEA, particularly in Switzerland and the United Kingdom. If your situation requires specific adjustments, we are happy to work with you to develop bespoke solutions and ensure the smooth use of our services.
If you have any further questions, please email us at: [email protected]