Committed to responsible information security and privacy

We employ industry-standard encryption algorithms to protect sensitive data both during transit and storage. Personal data are encrypted with a key stored by a third-party broker Thales. Access control policies are in place to ensure that only authorised personnel can access sensitive information. We also have strict authentication mechanisms, such as multi-factor authentication, to prevent unauthorised access. Regular security updates and patches are applied to all our systems to mitigate known vulnerabilities.

We utilize strong encryption protocols, such as AES-256 (Advanced Encryption Standard), to protect user data at rest. For information in transit we use TLS 1.2 or higher to securely encrypt over networks and the internet. Additionally, we apply Key Access Justifications (KAJ) to allow us to view the reason for each request. With Thales we automatically approve or deny these requests, based on the justification.

We retain user data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Our data retention policy outlines specific timelines for different types of data. Once the retention period expires, we securely delete or anonymize the data to ensure its ongoing protection. Default data retention is set for customers to 24 months, but this something that the customer can adjust themselves.

We employ data anonymization or pseudonymization techniques to protect user privacy. For example, when conducting data analytics, we aggregate and anonymize data to remove personal data so that individuals cannot be identified. 

We have tight access controls in place to limit data access to authorised personnel only. Our employees undergo background checks before employment and are bound by confidentiality agreements. We enforce the principle of least privilege, granting employees access only to the data necessary to perform their roles. All data is also encrypted to prevent data exposure. Regular monitoring and audit logs help us detect and prevent any unauthorised access attempts or data leaks.

We employ Google SSO and multi-factor authentication as primary access control mechanism to ensure that only authorised individuals can access your information. Our access control policy includes strong password requirements, multi-factor authentication, role-based access controls, deprovisioning guidelines and regular access control reviews. These measures help prevent unauthorised access and protect your data from being compromised.

We follow stringent privacy policies and practices to safeguard your personal information. We limit access to your data to authorized personnel only, and any third-party subprocessors we work with are carefully vetted for their privacy practices. We continiously work to adhere to applicable privacy regulations and regularly review and update our privacy practices to ensure compliance. Furthermore, we provide transparent information on how we collect, use, and store your personal data.

We engage trusted third-party service providers to assist us in handling user data. Before partnering with any third party, we conduct a thorough evaluation of their security and privacy practices. We enter into data protection agreements (DPA) that outline the obligations of the service provider regarding the security and privacy of user data. Regular assessments are performed to ensure their compliance with our standards.

Yes, you have the right to delete or right to access your personal data from our system. Our customer and candidate support team is readily available to assist you in the data deletion process through our chat or by emailing support@alvalabs.io.

Yes, we take privacy regulations seriously and strive to comply with all applicable laws and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We have implemented measures to ensure that your rights as a user are respected, including providing clear information on data collection, obtaining appropriate consent, and offering mechanisms to exercise your data subject rights.

Transparency and user consent are essential to us. We clearly communicate how and why we collect and use your data through our privacy policy and terms of service. We obtain your consent for specific data processing activities, allowing you to make informed decisions. You have the right to manage your consent preferences and can modify or withdraw your consent at any time.

No, we do not share or sell user data to third parties for marketing or other purposes. We prioritise the privacy of the candidates in our platform and maintain strict confidentiality with respect to their information. However, there may be instances where we need to share data with trusted third-party subprocessors to deliver our services effectively. In such cases, we ensure that appropriate data protection agreements (DPA) are in place to maintain the privacy and security of your information. Furthermore, we have an established Transfer Impact Assessment (TIA) where we have assessed all transfers.

We have implemented a comprehensive information management system based on ISO 27001 that includes robust encryption protocols, zero trust, and tight access control. Additionally, we regularly conduct security audits and security assessments (pentests) to identify and address any vulnerabilities in our systems and deviations in our security practices. Our dedicated security team work proactive and responds to potential threats to safeguard your personal information.

Yes, we conduct security audits and assessments to identify and address any potential vulnerabilities or deviations in our systems. We engage independent third-party security experts to perform comprehensive internal audits, penetration testing, and vulnerability assessments. Also, the information security management system is also subject for external audit once per year. This proactive approach enables us to stay ahead of emerging threats and maintain a robust security posture throughout the whole organisation.

In the unfortunate event of a data breach, we have a detailed incident response plan in place. Our priority is to mitigate the impact of the breach, protect affected users, and prevent further unauthorized access. We promptly investigate any suspected breaches, notify affected users as required by applicable laws, and take appropriate remedial actions. We also work closely with law enforcement authorities and cooperate fully in their investigations.

We employ various security features to safeguard against malware and phishing attacks. Our systems are equipped with Endpoint Detection and Response (Malwarebytes EDR) that scan for potential threats in real-time. We also conduct annual security awareness training for our employees to help them identify and prevent phishing attempts. Additionally, we enforce users to enable multi-factor authentication and provide guidance on maintaining strong passwords.

Yes, we adhere to industry best practices from ISO 27001. 

Our platform enforce strong password policies to ensure password security (thanks to Dropbox) to safeguard our users accounts. Passwords and credentials are stored using a PBKDF2 function. 

This includes requiring users to create passwords that meet certain complexity requirements, such as a combination of uppercase and lowercase letters, numbers, and special characters. We also encourage the use of single-sign on from Google or Microsoft Azure AD, which adds an extra layer of security and the possibility to require a second form of verification, such as a unique code sent to your mobile device.

We provide a user-friendly process where you can contact our customer and candidate support team in order to exercise your rights regarding your personal information. Upon receiving a request for access, correction, or deletion, we verify the identity of the requester to ensure the security of your data. We respond to such requests promptly and take appropriate actions to fulfill your rights, in accordance with applicable laws and regulations.