Scalable, highly reliable platform for online referrals.
Our infrastructure is designed to provide an extremely scalable, highly reliable platform for online referrals. Tens of thousands of employees are simultaneously supported making referrals, sending messages, sharing jobs, and importing contacts from their social networks. Admins are provided with highly secure access to their referral program data and analytics, both via our web interface and API.
Our data centers are hosted by Amazon Web Services (AWS). As such, AWS is primarily responsible for the confidentiality, integrity, availability, and physical security of our data centers.
Our application architecture, database encryption, and access are secured, controlled, audited, and monitored by our in-house engineers.
Our application infrastructure is built and managed according to security best practices and standards. We use redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24×7.
Customer Trust
We are committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our suite of services, including data submitted by customers to our services (“Customer Data”).
Services Covered
This documentation describes the architecture of, the security and privacy-related audits and certifications received for, and the administrative, technical, and physical controls applicable to the services branded as EmployeeReferrals.com.
Third-Party Infrastructure
The infrastructure used by EmployeeReferrals.com to host customer data submitted to the Employee Referral service is provided by a third-party, Amazon Web Services, LLC (“AWS”). Currently, the infrastructure hosted by AWS in the hosting of customer instances is located in the United States.
Audits and Certifications
The EmployeeReferrals.com Services undergo security assessments by internal and external personnel, which include infrastructure vulnerability assessments and application security assessments, on at least an annual basis. EmployeeReferrals.com is SOC 2 Type 2 Certified. A report is available upon request. Information about security and privacy-related audits and certifications received by AWS, including ISO 27001 certification and Service Organization Control (SOC) reports, is available from the AWS Security Web site and the AWS Compliance Web site.
Data Center Certifications
Our data centers are maintained by Amazon Web Services. As such, they are continuously audited with certifications from accreditation bodies across geographies and verticals, including:
ISO 27001.
A widely-recognized international security standard that requires the design and implementation a comprehensive suite of security controls. Our certifying agent is EY CertifyPoint.
PCI DSS Level 1
PCI DSS is a standard that specifies best practices and various security controls in regards to cardholder data. Although most of our financial transactions are handled via invoices, we do process credit cards via stripe.com from time to time.
SOC 1/SSAE 16/ISAE 3402
xSOC reports are completed to assure compliance with the ISAE 3402 security standards. While the ISAE standards apply specifically to professional accounting practices and their auditors, they’re still provide a strong.
Safe Harbor Compliance
Our European data centers are also fully compliant with applicable EU data protection laws and the Article 29 Working Party Model Clauses. Please note that Safe Harbor compliance is supported on a client-by-client basis with additional fees required for setup.
Scalable, highly reliable platform for online referrals.
Our application infrastructure is built and managed according to security best practices and standards. We use redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24×7.
Monitoring and Logging
We monitor our servers, databases, and network connections 24/7 to ensure stability, reliability, and security:
Deep visibility into API calls, including who, what, when, and from where calls were made.
Log aggregation, streamlining investigations and compliance reporting.
Alert notifications when specific events occur or thresholds are exceeded
Network Protection
Perimeter firewalls and edge routers block unused protocols.
Internal firewalls segregate traffic between the application and database tiers.
Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports.
A third-party service provider continuously scans the network externally and alerts changes in baseline configuration.
Backups
All data are backed up at each data center, on a rotating schedule of incremental and full backups.
The backups are cloned over secure links to a secure archive.
Backups are not transported offsite and are securely destroyed when retired.
Scalability
Our application is built for fast, on-demand scalability. Everything is built with enterprise level clients in mind, and we successfully serve many of the nation’s largest corporations.
Security Procedures, Policies and Logging
The EmployeeReferrals.com Services include a variety of configurable security controls that allow customers to tailor the security of the EmployeeReferrals.com Services for their own use. These controls include:
Administrative access to SSO and other user authentication methods. Customers can also decide if they want to allow access to their program to only individuals who were invited or who have a company email address. Access may also be granted to alumni or other third parties wishing to make referrals.
All logs are kept in a centralized logging service in order to enable security reviews and analysis.
Incident Management
EmployeeReferrals.com maintains security incident management policies and procedures. EmployeeReferrals.com promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their respective Customer Data to the extent permitted by law.
User Authentication
Access to the EmployeeReferrals.com Services requires a valid user ID and password combination, which are encrypted via SSL/TLS while in transmission. Following a successful authentication, a randomly-generated credential is transmitted to the user’s browser or command line interface (CLI). All subsequent requests are authenticated with that credential.
Network Security & Encryption
Our application communications are secured by 128bit encryption using AES_128_GCM with ECDHE_RHSA key exchange over the Secure Socket Layer (SSL). This ensures private communication between our services and your devices.
Physical Security
Production data centers used to provide the EmployeeReferrals.com Services have access system controls in place. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, two-factor card key and biometric access screening and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.
Reliability and Backup
Applications deployed on the EmployeeReferrals.com Services and Customer Data submitted to the EmployeeReferrals.com Services, up to the last committed transaction, are automatically replicated on a near real-time basis at the database layer and are backed up as part of the deployment process on secure, access controlled, and redundant storage. Additional technical information is available here.
Viruses
EmployeeReferrals.com implements practices and software to limit the risk of exposure to software viruses.
Data Encryption
Transport layer security (TLS) is required for any customer instance running on the EmployeeReferrals.com Service. Customer connections to databases via the EmployeeReferrals.com Services require SSL encryption.
Return of Customer Data
During the term of the agreement, customers may make copies of their respective Customer Data submitted to the EmployeeReferrals.com Services by following instructions here. Within 30 days post contract termination, customers may request return of their respective Customer Data submitted to the EmployeeReferrals.com Services by contacting support@employeereferrals.com.
Deletion of Customer Data
Upon termination of a customer database for any reason (such as account termination, nonpayment, or customer deletion of the database), Customer Data submitted to the EmployeeReferrals.com Services is deleted after 365 days. This process is subject to applicable legal requirements.
Sensitive Personal Data
Important: The following types of sensitive personal data may not be submitted to the EmployeeReferrals.com Services: government issued identification numbers; financial information (such as credit or debit card numbers, any related security codes or passwords, and bank account numbers); information related to an individual’s physical or mental health; and information related to the provision or payment of health care.
For clarity, the foregoing restrictions do not apply to financial information provided to EmployeeReferrals.com for the purposes of checking the financial qualifications of, and collecting payments from, customers, the processing of which is governed by the EmployeeReferrals.com Privacy Statement.
Tracking and Analytics
EmployeeReferrals.com may track and analyze use of the EmployeeReferrals.com Services for the purpose of helping EmployeeReferrals.com improve both the EmployeeReferrals.com Services and the user experience in using the EmployeeReferrals.com Services. Without limiting the foregoing, EmployeeReferrals.com may share data about EmployeeReferrals.com’s customers' or their users' use of the EmployeeReferrals.com Services (“Usage Statistics”) to EmployeeReferrals.com’s service providers for the purpose of helping EmployeeReferrals.com in such tracking or analysis, including improving its users’ experience with the EmployeeReferrals.com Services, or as required by law.
