Data Security & Privacy Policy

At JobSphere, protecting your personal and professional data is our highest priority. This document outlines our security infrastructure, data handling practices, and your rights regarding your information.

Last Updated: November 15, 2025
Version: 4.2.1
Applies to: Global Operations

Our Security Commitment

JobSphere processes sensitive career data, including resumes, contact information, employment history, and application activity. We maintain a defense-in-depth security architecture designed to protect this data at rest, in transit, and during processing.

Our security operations are managed by a dedicated team of certified professionals and are continuously evaluated against industry standards including ISO 27001, SOC 2 Type II, and NIST CSF.

Tokenization of Sensitive Fields

All data is encrypted, but certain highly sensitive fields (e.g., government IDs, financial verification data) are additionally tokenized: the application stores only an opaque token, and the raw value is never held in plaintext on our primary application servers. Tokenization is not zero-knowledge in the cryptographic sense; JobSphere retains the ability to map a token back to its value when a service operation requires it, and that mapping is itself protected by the controls described below.

Data Collection & Usage

We only collect data necessary to facilitate job matching, applications, and platform functionality. Our data minimization principle ensures we do not retain information beyond its operational purpose.

Candidate Data

  • Profile information (name, email, phone, location, professional titles)
  • Resume/CV documents (stored as encrypted blobs)
  • Application history and employer interactions
  • Device telemetry for security and platform optimization (aggregated & anonymized)

Employer/Recruiter Data

  • Company verification documents (tax IDs, business licenses)
  • Job posting metadata and application screening criteria
  • Team access logs and role assignments

Encryption Standards

All data handled by JobSphere is protected using industry-standard cryptographic algorithms and protocols:

  • Transit: TLS 1.3 with HSTS enabled. All API endpoints and web traffic are strictly HTTPS.
  • At Rest: AES-256-GCM encryption for all database volumes, object storage (S3-equivalent), and backups.
  • Key Management: Encryption keys are rotated every 90 days and managed via AWS KMS / HashiCorp Vault with hardware security module (HSM) backing.
  • Application Secrets: CI/CD pipelines and runtime environments use dynamic secrets injection with zero permanent credential storage.
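How AES-256-GCM at rest and a 90-day key rotation fit together is easiest to see in code. The Go program below is an added illustration, not JobSphere's code and not the AWS KMS or Vault API: it uses envelope encryption, where each record is sealed under its own data key (DEK) and the DEK is wrapped by a versioned key-encryption key (KEK). The KEK version is written into the stored blob, so a rotation adds a version without re-encrypting existing data. The `KeyRing` type, the blob layout, and the record ID `resume:42` are assumptions made for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

const wrappedDEKLen = 12 + 32 + 16 // GCM nonce + 256-bit DEK + GCM tag

// KeyRing is a local stand-in for a KMS/Vault-managed key-encryption key (KEK),
// not the KMS API itself. Rotate appends a fresh 256-bit KEK and returns its
// 1-based version; older versions are kept so earlier ciphertext stays readable.
type KeyRing struct{ versions [][]byte }

func (kr *KeyRing) Rotate() uint32 {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	kr.versions = append(kr.versions, k)
	return uint32(len(kr.versions))
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext || tag under AES-256-GCM with a random nonce.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any bit flip in nonce, ciphertext, tag or AAD fails.
func open(key, blob, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(blob) < gcm.NonceSize() {
		return nil, fmt.Errorf("bad key or ciphertext too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], aad)
}

// Encrypt envelope-encrypts one record under the newest KEK and binds the record
// ID as AAD. Layout: kekVersion (4 bytes, big-endian) || wrappedDEK (60) || data.
func Encrypt(kr *KeyRing, recordID string, plaintext []byte) ([]byte, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	version := uint32(len(kr.versions))
	wrapped, err := seal(kr.versions[version-1], dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	data, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	out := make([]byte, 4, 4+len(wrapped)+len(data))
	binary.BigEndian.PutUint32(out, version)
	return append(append(out, wrapped...), data...), nil
}

// Decrypt unwraps with the KEK version stored in the blob, so a rotation after
// the write does not make the record unreadable.
func Decrypt(kr *KeyRing, recordID string, blob []byte) ([]byte, error) {
	if len(blob) < 4+wrappedDEKLen {
		return nil, fmt.Errorf("blob too short")
	}
	v := binary.BigEndian.Uint32(blob[:4])
	if v == 0 || int(v) > len(kr.versions) {
		return nil, fmt.Errorf("unknown KEK version %d", v)
	}
	dek, err := open(kr.versions[v-1], blob[4:4+wrappedDEKLen], []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, blob[4+wrappedDEKLen:], []byte(recordID))
}

func main() {
	kr := &KeyRing{}
	kr.Rotate()
	blob, _ := Encrypt(kr, "resume:42", []byte("constructed sample resume text"))
	kr.Rotate() // stands in for the scheduled 90-day rotation
	fmt.Println(Decrypt(kr, "resume:42", blob))
}
```

Two details are worth keeping when adapting this: the nonce is random per seal and stored with the ciphertext, and the record ID is passed as AAD, so a ciphertext copied onto another record fails to authenticate. Retiring an old KEK version for good requires re-wrapping the DEKs that still reference it; the scheduled rotation alone does not do that.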

Access Control & Authentication

Access to JobSphere systems follows the Principle of Least Privilege (PoLP) and Zero Trust architecture.

  • Authentication: Multi-Factor Authentication (MFA) is mandatory for all administrative, engineering, and customer support accounts.
  • Authorization: Role-Based Access Control (RBAC) with just-in-time (JIT) privilege elevation for maintenance tasks.
  • Session Management: Short-lived access JWTs, renewed through refresh tokens. Idle sessions expire after 15 minutes for admin panels and 2 hours for user dashboards.
  • Auditing: All access to production data is logged, timestamped, and retained for 24 months for forensic analysis.
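The idle-expiry rule above (15 minutes for admin panels, 2 hours for user dashboards) can be enforced with short-lived JWTs whose `exp` is the idle deadline and is pushed forward only by a refresh made before it passes. The Go program below is an added example, not JobSphere's session code: the HS256 signing key, the subject names and the `Issue`, `Verify` and `Refresh` functions are assumptions. It pins the header to HS256 so a token whose `alg` is changed to `none` is rejected, and it compares signatures in constant time.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Idle windows per audience, taken from the policy text: 15 minutes for admin
// panels, 2 hours for user dashboards.
var idleWindow = map[string]time.Duration{
	"admin": 15 * time.Minute,
	"user":  2 * time.Hour,
}

// Claims is the JWT payload. Exp is the idle deadline: it moves forward only
// when the client refreshes before it passes.
type Claims struct {
	Sub string `json:"sub"`
	Aud string `json:"aud"` // "admin" or "user"
	Iat int64  `json:"iat"`
	Exp int64  `json:"exp"`
}

var (
	enc    = base64.RawURLEncoding
	header = enc.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
)

func sign(key []byte, signingInput string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(signingInput))
	return enc.EncodeToString(mac.Sum(nil))
}

// Issue mints an HS256 token whose exp is now + the audience's idle window.
func Issue(key []byte, sub, aud string, now time.Time) (string, error) {
	window, ok := idleWindow[aud]
	if !ok {
		return "", errors.New("unknown audience")
	}
	payload, _ := json.Marshal(Claims{
		Sub: sub, Aud: aud, Iat: now.Unix(), Exp: now.Add(window).Unix()})
	input := header + "." + enc.EncodeToString(payload)
	return input + "." + sign(key, input), nil
}

// Verify checks structure, pins the header to HS256 (so alg=none or a swapped
// algorithm is rejected), compares the MAC in constant time, and enforces exp
// against the caller-supplied clock.
func Verify(key []byte, token string, now time.Time) (*Claims, error) {
	parts := strings.Split(token, ".")
	if len(parts) != 3 {
		return nil, errors.New("malformed token")
	}
	if parts[0] != header {
		return nil, errors.New("unexpected header or algorithm")
	}
	want := sign(key, parts[0]+"."+parts[1])
	if !hmac.Equal([]byte(want), []byte(parts[2])) {
		return nil, errors.New("bad signature")
	}
	raw, err := enc.DecodeString(parts[1])
	if err != nil {
		return nil, err
	}
	var c Claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("session expired (idle)")
	}
	return &c, nil
}

// Refresh slides the idle deadline. It succeeds only while the current token
// is still valid, so a session idle past its window cannot be revived.
func Refresh(key []byte, token string, now time.Time) (string, error) {
	c, err := Verify(key, token, now)
	if err != nil {
		return "", err
	}
	return Issue(key, c.Sub, c.Aud, now)
}

func main() {
	key := []byte("constructed-demo-key-not-for-production") // assumption
	tok, _ := Issue(key, "admin-17", "admin", time.Now())
	_, err := Verify(key, tok, time.Now().Add(20*time.Minute))
	fmt.Println("admin token after 20 idle minutes:", err)
}
```

The clock is passed in rather than read inside `Verify`, which keeps the expiry logic testable and makes clock skew an explicit decision. A production version would also carry a token identifier so that a refresh can be revoked server-side; the sliding deadline alone only bounds idle time, not an active attacker who keeps refreshing.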

Third-Party Integrations

JobSphere integrates with select vendors to enhance platform functionality. Each vendor undergoes rigorous security vetting:

  • Cloud Infrastructure: AWS & GCP (SOC 2 Type II, ISO 27001 certified)
  • Payment Processing: Stripe (PCI DSS Level 1 compliant)
  • Analytics & Monitoring: Mixpanel, Datadog (data pseudonymized before ingestion)
  • Background Checks: Checkr & Certn (direct PII processing with explicit user consent)

Data Sharing Notice

We never sell your data. Third-party sharing only occurs when necessary for service delivery, and all partners are contractually bound by strict Data Processing Agreements (DPAs).

Retention & Deletion

We retain data only as long as necessary to provide our services, comply with legal obligations, and resolve disputes.

  • Active Accounts: Data retained for the life of the account, until you request deletion.
  • Deleted Accounts: PII permanently purged within 30 days. Application records anonymized for aggregate analytics.
  • Employer Data: Closed job postings and associated applicant data are archived for 12 months, then securely destroyed.
  • Backups: Encrypted backups follow the same retention schedule and are overwritten during routine lifecycle management.

Compliance & Audits

JobSphere maintains compliance with global data protection regulations and undergoes regular third-party security assessments:

  • GDPR & CCPA/CPRA: Full compliance with EU and California privacy frameworks. Data Processing Agreements available upon request.
  • SOC 2 Type II: Annually audited by independent certified public accounting firms.
  • ISO 27001:2022: Certified Information Security Management System (ISMS).
  • Vulnerability Scanning: Continuous automated scanning with monthly third-party penetration tests.

Incident Response

In the unlikely event of a security breach, JobSphere follows a structured incident response plan aligned with NIST SP 800-61:

  1. Detection & Analysis: Automated threat detection systems alert the Security Operations Center (SOC) 24/7.
  2. Containment & Eradication: Immediate isolation of affected systems. Threat actors are blocked at network and application layers.
  3. Notification: Affected users are notified within 72 hours of confirming a breach, with clear communication on the impacted data and remediation steps. This timeline also satisfies GDPR's 72-hour deadline for notifying the supervisory authority (Art. 33) and its "without undue delay" standard for notifying data subjects (Art. 34), as well as the CCPA/CPRA requirement to notify without unreasonable delay.
  4. Post-Incident Review: Root cause analysis, policy updates, and architecture improvements are implemented within 30 days.

Your Rights & Controls

Depending on your jurisdiction, you have the right to:

  • Access, export, or correct your personal data
  • Request deletion of your account and associated records
  • Opt out of marketing communications and non-essential analytics
  • Lodge a complaint with a supervisory authority (e.g., ICO, CNIL, CPPA)

All requests are processed within 30 days. Use our Privacy Dashboard (Settings > Data Controls) to exercise these rights instantly.

Contact Our Security Team

If you have questions about this policy, need to report a vulnerability, or require a Data Processing Agreement, please reach out:

Need a Vendor Security Form?

Enterprise customers and procurement teams can download our completed CAIQ, SIG, or custom security questionnaire via the Trust Center.