Security Statement

Image Description

Security Statement

Data Center & Data Location

LiveHire is 100% cloud native company. We make use of the Infrastructure as a Service (IaaS) provided by our Cloud Service Provider (CSP).

Our CSP has adequate controls to protect the physical servers hosting LiveHire information. From the documentations provided by our CSP, The IT infrastructure that CSP provides to its customers is designed and managed in alignment with best security practices and a variety of IT security standards. The following is a partial list of assurance programs with which CSP complies:

  • SOC 1/ISAE 3402, SOC 2, SOC 3
  • FISMA, DIACAP, and FedRAMP
  • PCI DSS Level 1
  • ISO 9001, ISO 27001, ISO 27017, ISO 27018

As systems are built on top of Cloud infrastructure provided by our CSP, compliance responsibilities are shared and hence on a yearly basis, LiveHire reviews the ISO 27001 scope and SOC2 reports of our CSP, to ensure adequate assurance on security controls.

Production Environment

The production environment is kept separate from development and testing environments, with no network connectivity between the two. Maintenance of the production environment is performed mostly automatically, and maintenance activities are mostly carried out from separate hardened jump boxes.

Network Security

LiveHire uses next-GEN Web Application Firewall (WAF)/Cloud Distribution Network (CDN) systems. We periodically review the rules and whitelisted applications to ensure LiveHire is protected against potential malicious activities such as OWASP Top 10 attacks.

Vulnerability Detection and Penetration Tests

Automated scans of LiveHire’s infrastructure are performed every week. An external service provider is engaged to perform a penetration test at least on an annual basis. LiveHire takes security seriously, and prioritises remediation of identified risks.

Application Login security

SAML 2.0 SSO is supported for LiveHire users. All users are able to use either Google, Facebook, or LinkedIn authentication services. In these cases, the login security settings of the authentication service will be used. If logging in directly to LiveHire we require an email and password with passwords being hashed and stored securely in our secure data repositories.

User Access

LiveHire treats all user data as protected and access is granted by principle of least privilege. Select few authorised members of the LiveHire team have direct access to production data and systems. A further limited list of authorised users are permitted to view aggregate data for reporting purposes. We maintain a list of members of the LiveHire team with access to the production environment and all LiveHire staff must undergo a police background check.

Third Party Access

Candidate data is not shared with clients or third parties other than through candidate instructions, or through specific service providers. For example, to deliver best quality CV parsing, or email and SMS delivery, minimum required information is sent to providers of that service, and retained only for the time needed to provide the service. LiveHire takes all reasonable measure to ensure the privacy of this data in accordance with our Privacy Policy, including ensuring service providers are committed to Australian Privacy regulations and GDPR compliance and implement all best practice security measures.

Data Encryption

LiveHire uses standard Transport Layer Security (TLS 1.2 or above) and AES 256 encryption for all data in transit and data at rest, respectively. This includes all data sent between back end components such as web and database layers. In addition, insecure cipher suites have been disabled in accordance with best-practise. All user data is stored on drives that are whole-disk encrypted. This also includes all backup sets.

Encryption Keys

All encryption keys are managed using our CSP’s service for key management. All keys remain entirely within our cloud environment , and are managed internally. Archived backup sets stored within a separate cloud environment and have separate keys.

Removing/Deleting Data from LiveHire

At the request of any user, all data belonging to the requesting party can be removed from the system.

Development, Patch and Configuration Management

All changes to LiveHire systems and code are required to undergo both peer-review and testing within separate sand-boxed environments. All changes therefore are required to pass through at least two environments successfully before being approved for implementation in production. All operating systems undergo a similar patching regime, where patches must first pass through DEV and TEST environments before being approved and tested for installation within the production environment. Patches are generally prioritised dependent on relevance and level of security impact. Patches and system configuration are managed from a central system to ensure consistency across the server fleet.

Event Logging

LiveHire logs events in multiple ways. Logical event actions are logged within the application database. All web traffic is also logged to a separate internal data store for analysis, capacity planning, and diagnostic purposes in the event of any issues. Other system logs also go to the same location for a clear picture across the environment if faults need this level of triage. Error logs and metrics are also sent to external logging services that keep logs for a limited time, to assist in alerting and monitoring. These external logs do not contain Personally Identifying Information.

Asset Management

LiveHire is a cloud native platform and does not need to dispose of server hardware. Staff laptops/workstation policy is outlined in a further section below. Where virtual assets are required to be decommissioned, our CSP guarantees that deleted volumes are irrecoverable once destroyed. As there are several layers of abstraction across redundant systems, there is practically no way to recover any data once this occurs.

Backup and recovery

A full backup of the core database is taken every 24 hours. All backups are encrypted and stored at different locations to mitigate risk. These backups have a test restore performed every night to verify consistency. All backups are encrypted at rest using the 256-AES encryption scheme. LiveHire maintains a monthly set of backups indefinitely, while daily backups are kept for 40 days. Transaction Log backups are also kept for 40 days to enable point-in-time restores, usually for diagnostic purposes. Backup locations have strict access rules, and only authorised LiveHire administrators have permission to retrieve and restore backups. Attachments such as CV’s and other user documents are not required to be backed up, as they rely on our CSPs internal storage redundancies.

Incident Response

LiveHire has an incident response and data breach response plans that are aligned to the requirements of the Australia’s Privacy Act, New Zealand’s Privacy Act, Canada’s Personal Information Protection and Electronic Documents Act and applicable laws of the US.. LiveHire treats every event that impacts functionality seriously, with our response plan triggering technical triage and remediation, as soon as we’re aware of potential issue. Uptime and functionality is our primary goal, and a balance is struck between the severity of site degradation, and time to patch, versus time to remediate . Root cause analysis is performed once we are satisfied our users are no longer impacted.

Workstation Security

All personnel computers are subject to LiveHire’s internal security policies, which includes full disk encryption, Next-Gen anti-virus and anti-malware, as well as password policies. As production data is prevented from leaving the data centre, LiveHire has no need to use portable or removable media for user data. As described above, data is always protected with strong encryption both in transit and at rest. Upon disposal, all equipment must pass through our internal infrastructure team, to ensure all data is wiped and devices are returned to a factory state.

Remote access

LiveHire has a flexible working policy for personnel , and does not maintain any infrastructure on-site at offices (other than basic internet connectivity). This means that personnel are able to work from any location, as well as from LiveHire offices. In turn, this means that all connections to any back-end services are accessible only via encrypted channels such as VPNs, Workspaces, etc. Any analytics and reporting work is therefore also required to be worked on within specialised remote sessions, which are only granted to a very limited number of trained personnel. A limited number of engineering staff have access to the Platform, and must also traverse VPNs in order to perform their maintenance tasks within LiveHire’s various environments. Production services are kept completely separate from Development and Testing environments, as well as support services.

Security and Hiring Process

As part of the LiveHire onboarding process, personnel are made aware of and provided with training or instruction regarding LiveHire’s security policies and requirements. Any changes to security policies or procedures are distributed to personnel in LiveHire’s regular ‘all-hands’ meetings and through internal company communications. All personnel contracts contain confidentiality and non-disclosure and intellectual property use clauses, which apply both during and after employment or engagement. Independent contractors that are required to work near production data must also sign a confidentiality and non-disclosure agreement and contracts that include clauses restricting use of intellectual property clauses . All LiveHire personnel must undergo a standard police-check or other background checks, prior to employment or engagement. This includes independent contractors, will also undergo the same process if in their role they are required to work near production data, or LiveHire’s codebase.

Password Requirements

LiveHire uses an enterprise grade password manager, which requires all staff to have a strong password for, as well as 2FA. Where possible, other systems in use by LiveHire require strong passwords, and 2FA is strongly encouraged for systems storing sensitive LiveHire information.

Planned Maintenance

LiveHire’s systems are architected in such a way that regular maintenance should not cause any disruption of service. When larger maintenance is required, this is always performed outside of business hours, within a weekend outage window that occurs from 2AM AEST through till 8AM AEST, on both Saturday and Sunday. These times have been chosen as the quietest times in order to minimise impact to users. We frequently evaluate our outage windows in order to make sure this impact minimisation continues.

Unplanned Maintenance

In rare circumstances, unforeseen events may require us to perform more urgent maintenance. When this occurs, our main concerns are the usability and stability of the platform. The impact of the required maintenance is weighed up against any current degradation of site reliability and performance, and we will endeavour to only perform the bare minimum required during business hours to restore functionality, while pushing as much as we can out of hours to minimise this impact.

Need to report a vulnerability?

If you have a vulnerability or security concern to report, send it through to our security team here at LiveHire on security@livehire.com