Access to data within JobTeaser platform is governed by access rights. JobTeaser has various permission levels for users (student, recruiter, administrators, super-administrators, JobTeaser staff, etc.).

JobTeaser's approach for defining access privileges and roles is to provide pre-defined roles with the appropriate permissions covering the most common use cases and best practices. As so, it keeps it simple to understand for super-administrators (either customers, partners or JobTeaser's staff) that are responsible for giving access privileges to other users. This ensures that the appropriate roles are given to users, fitting their needs, enabling to follow the least-privilege principle. Defining too many roles or enabling too much granularity to define privileges and roles will generally lead into a lower security level because administrators tend to give broader privileges than necessary due to the complexity of the roles configuration.

Roles and permissions differ depending on the application. The main roles are described below.

Students

• Authorized to navigate for his/her own account on the front-office side of the platform to use its features (access content, register to events or apply for jobs, manage its account and preferences...).
• Not authorized to access the back-office side of the platform.

Company administrators

Several roles exist for administrator, providing different set of privileges based on the role of the company's collaborator:

• Recruiters are authorized to manage job applications and access the candidates' information.
• Administrators can edit the company details.
• Super-administrators are allowed to create new members within the company.

School or university administrators

Several roles exist for administrators, depending on their role in the school or university staff. Privileges, in particular access to student data, depend on the role.

• Super-administrators can create school/university administrator users
• Administrators can access all modules in the school/university back-office
• Content managers have access to Companies, Offers, Events, Newsletter and resources modules
• Company content managers have access to Events, Newsletter and Resources modules
• School content managers have access to Events, Newsletter and Ressources modules
• Career advisers have access to Users and Appointments modules
• Company relationship officiers have access to Company, Offers, Events and Talent Banks modules

User registration and de-registration is up to the users and Career Center administrators. Upon registration, the user sets his/her password through a link sent to his/her email address. Upon de-resistration, the user loses access to all the resources previously available.

JobTeaser platform and applications all enforce the following password security policy:

• Minimal length is 8 characters;
• At least 1 character of 2 of the 4 following types must be included: lowercase letters, digits, uppercase letters, symbols.

In case of failed login attempts, an exponential backoff delay is inserted before enabling the user to try again to login after failed attempts.

Single sign-on (SSO) allows schools and universities partners to provide their users (students and staff) with a login solution that does not require them to enter additional credentials on the Career Center. In this case, the security of the user's credentials is managed by the partner instead of JobTeaser.
CAS and SAMLv2 are currently supported. The IDP will also support OpenID Connect.

For Career Centers, JobTeaser enables its schools and universities partners to setup an SSO integration for end-user (students and administrators). Other types of users (e.g. company recruiters) are provided with JobTeaser login (email and password credentials are managed by JobTeaser).

JobTeaser uses a central authentication solution (JobTeaser IDP - IDentity Provider) on its platform and applications. It supports the development of controls: connection attempts monitoring, 2-factor authentication, etc.

Communications between the platform users (students, customer or partner users and administrators or JobTeaser administrators) are encrypted via industry best-practices HTTPS and TLS over public networks. Every three months, JobTeaser checks the relevance of its encryption through the SSL Labs API, any grade lower than "A" is handled as a security incident.

A few communications are sent through email and are inherently less protected. Only public information transits via this method of communication.

All the keys and other secrets used within the application are stored securely following industry best-practices.

JobTeaser follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash. The current hash algorithm used for passwords is BCrypt.

JobTeaser follows secure secrets management best practices during all the key management phases:

• Key generation
• Key storage
• Key use
• Key destruction

The AWS data center facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multifactor identification, physical locks, and security breach alarms.

AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.

Power

The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate and Temperature

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.

Management

AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.

Storage Device Decommissioning

When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process.

Policies are in the process of being formalized. They record responsibilities associated with each domain. For now, only the following procedures are validated:

• Backup Policy
• Vulnerability Management Policy

No technical procedure will be written, they are all automated.

JobTeaser uses application server logs which contain all user actions triggering an HTTP request to the application (e.g. loading a page, submitting a form, triggering background HTTP requests, …), as well as some associated data.

These logs include actions performed by administrative accounts.

An automated Web Scanning appliance (by Qualys) is deployed on the JobTeaser preproduction. It alerts the CISO on vulnerabilities found before the platform is deployed. Ths CISO then ensures that the vulnerabilities are corrected. The scan is launched every day.

An automated vulnerability scanner (Dependabot) also runs every day to discover vulnerabilities in the dependencies of the JobTeaser code.

Any responsible disclosure of a vulnerability found on the platform will be handled within a reasonnable time-period. Either for CVEs or for original vulnerabilities, its classification will be based on the CVSS.

The vulnerability classification is categorized as follows:

• Under 5: Low vulnerability
• Between 5 and 8: Medium vulnerability
• Between 8 and 9: High vulnerability
• 9 or above: Critical vulnerability

The allotted time to fix a vulnerability will be determined according to its classification.

Web application firewalls (WAF) are used to protect most JobTeaser's public-facing applications or platform components. Here is the current status for the different components:

• JobTeaser website and Career Centers: protected with an advanced WAF integrated at application-level
• JobTeaser IDP (Identity Provider): protected with AWS WAF

Each source code change goes through several reviews:

• code review by two other members of the development team;
• functional review and/or non-regression testing by the product manager or QA engineers.

All third-parties used for the JobTeaser service are:

A Business Continuity Plan (BCP) is in the process of being formalized and will be reviewed every three years.

JobTeaser's continuity plan hinges on the availability garanteed by AWS: All data centers are online and serving customers; no data center is “cold.” In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure, there is sufficient capacity to enable traffic to be loadbalanced to the remaining sites automatically.

In Europe, AWS is compliant with the following certifications:

• CSA
• ISO 9001
• ISO 27001
• ISO 27017
• ISO 27018
• PCI DSS Level 1
• SOC 1
• SOC 2
• SOC 3
• C5 (Germany)
• Cyber Essentials Plus (UK)
• ENS High (Spain)
• G-Cloud (UK)
• IT-Grundschutz (Germany)

Our platform benefits from those certifications by being hosted in AWS facilities.

Some members of the technical team are given logical access to the platform's systems (servers and administration interfaces). The list of persons who are given this level of access is reviewed every 3 months. Theses accesses are given through the infrastructure-as-code system in place at JobTeaser. Revocation can be done at any moment if necessary, through a change in the code dedicated to this access.

The leader of the infrastructure team is responsible for giving and removing access to members of the technical team. The CISO is responsible of the auditing of those accesses.

All communications with JobTeaser servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and JobTeaser applications is secure during transit.

Personal data will not be transmitted on physical data carriers.

Personal data is only accessible to university administrators and partner recruiters through the application which is accessed on the internet, over an HTTPS secured connection.

JobTeaser has developed, with the help of security management experts, an Information Systems Security Policy. It follows the structure and principles of the ISO-27001 information security standard. This policy has been shared, and made available to all employees and contractors with access to JobTeaser information assets.

The Information Systems Security Policy is reviewed and updated at least every 2 years to take account of changes in:

• the regulatory, organizational or technical context;
• the expectations of JobTeaser's users, customers and partners;
• internal security requirements;
• new threats and vulnerabilities that may apply to JobTeaser's information systems.

JobTeaser’s Information System (IS) is a critical resource enabling JobTeaser to pursue its activities and provide its service to its customers. Ensuring the security of the Information System is a vital step in meeting a number of crucial objectives for JobTeaser:

• Guarantee the confidentiality and integrity of the data users, customers and partners entrust JobTeaser with, and particularly their personal data;
• Ensure the continuity of the services offered to its customers and partners, in particular, the JobTeaser.com website, the Career Center platforms as well as all the other web applications provided by JobTeaser;
• Establish and maintain strong trust between JobTeaser and its partners and customers, by communicating and respecting its commitments regarding the protection of their data;
• Guarantee the confidentiality and the integrity of its collaborators' personal data;
• Respond to regulatory and legal requirements and constraints, in France and internationally;
• Ensure the continuity of JobTeaser’s activities.

For this purpose, the General Management of JobTeaser commits to allocating the means and resources in relation.

JobTeaser has defined the roles and organization for the management of Information Security.

• The Chief Information Security Officer is responsible for defining and updating the policy and control its implementation;
• The Information Security Commitee reviews the security policy and its implementation at a strategic level;
• The Technical Team actively contributes to the implementation of security measures through technical means;
• The Security Guild is an internal community of interest focused on security and supporting transversal security actions throughout JobTeaser.

Regular awareness and training actions are addressed to all JobTeaser employees. These actions cover a large range of subjects, for example:

• general security good practices;
• workstation security;
• management of sensible information;
• awareness of attack vectors (phishing, malwares, etc.).

The on-boarding process includes an information security awareness training session.

Since most of JobTeaser employees should be able to work in mobility or remotely, the internal network used in JobTeaser office is limited to connectivity of workstations to internet and local utility devices (e.g. printers). No critical equipment is hosted on the local network.

This limits the risks related to network intrusions and reduce the corresponding security requirements.

New employees are given access to internal applications on their arrival on a need-to-know basis. Accesses are revoked when the employee leaves the company.

Accesses to sensitive applications are regularly audited.

Awareness about password security has been risen among employees. The Information Security Policy defines the following password policy:

• Minimum 8-character long;
• At least 3 of the following types of characters: digits, uppercase letters, or symbols.

Whenever possible, the internal applications are configured to enforce these requirements. Moreover, the multifactor-authentication is enforced on sensitive applications.

JobTeaser collaborators are provided with a password management solution to improve password security. The solution enables the generation of complex passwords, limits the reuse of existing passwords, and enables secured sharing of passwords when needed.