This section describes the security measures relative to JobTeaser platform (JobTeaser.com website and Career Centers)
Access Control Policy
Access to data within JobTeaser platform is governed by access rights. JobTeaser has various permission levels for users (student, recruiter, administrators, super-administrators, JobTeaser staff, etc.).
JobTeaser's approach to defining access privileges and roles is to provide pre-defined roles with the appropriate permissions, covering the most common use cases and best practices. This keeps things simple to understand for the super-administrators (customers, partners or JobTeaser staff) who are responsible for granting access privileges to other users. It ensures that users are given the roles that fit their needs, in line with the least-privilege principle. Defining too many roles, or too much granularity in privileges and roles, generally leads to a lower security level, because administrators tend to grant broader privileges than necessary when the role configuration is complex.
Roles and permissions differ depending on the application. The main roles are described below.
JobTeaser and Career Centers
- Authorized to use the front-office side of the platform for his/her own account (access content, register for events or apply for jobs, manage his/her account and preferences, etc.).
- Not authorized to access the back-office side of the platform.
Several administrator roles exist, each providing a different set of privileges based on the function of the company's collaborator:
- Recruiters are authorized to manage job applications and access the candidates' information.
- Administrators can edit the company details.
- Super-administrators are allowed to create new members within the company.
School or university administrators
Several roles exist for administrators, depending on their role in the school or university staff. Privileges, in particular access to student data, depend on the role.
- Super-administrators can create school/university administrator users
- Administrators can access all modules in the school/university back-office
- Content managers have access to Companies, Offers, Events, Newsletter and resources modules
- Company content managers have access to Events, Newsletter and Resources modules
- School content managers have access to Events, Newsletter and Resources modules
- Career advisers have access to Users and Appointments modules
- Company relationship officers have access to Company, Offers, Events and Talent Banks modules
User registration and de-registration
User registration and de-registration is handled by the users themselves and by Career Center administrators. Upon registration, the user sets his/her password through a link sent to his/her email address. Upon de-registration, the user loses access to all the resources previously available.
JobTeaser platform and applications all enforce the following password security policy:
- Minimal length is 8 characters;
- At least one character from at least 2 of the following 4 types must be included: lowercase letters, digits, uppercase letters, symbols.
After failed login attempts, an exponentially increasing backoff delay is enforced before the user is allowed to try to log in again.
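As an added illustration (not JobTeaser's code), the following Ruby class implements such a throttle: the delay imposed after the n-th consecutive failure is base * 2^(n-1), capped at a maximum, and a successful login resets the counter. The base delay, the cap and the in-memory state store are assumptions.

```ruby
# Added example, not JobTeaser's code: an exponential-backoff login throttle.
# Callers check attempt_allowed? before verifying credentials and then call
# record with the outcome.
class LoginThrottle
  BASE_DELAY = 1.0   # seconds imposed after the first failure (assumed value)
  MAX_DELAY  = 900.0 # cap so the delay cannot grow without bound (assumed value)

  FailureState = Struct.new(:failures, :locked_until)

  def initialize(base: BASE_DELAY, max: MAX_DELAY)
    @base = base
    @max = max
    # Per-account state; a real deployment would keep this in a shared store.
    @state = Hash.new { |h, k| h[k] = FailureState.new(0, 0.0) }
  end

  # Delay enforced after the n-th consecutive failure: base * 2^(n-1), capped.
  def delay_for(failures)
    return 0.0 if failures <= 0
    [@base * (2**(failures - 1)), @max].min
  end

  # Seconds the account must still wait at time +now+ (0 if it may attempt now).
  def wait_time(account, now)
    [@state[account].locked_until - now, 0.0].max
  end

  def attempt_allowed?(account, now)
    wait_time(account, now) <= 0
  end

  # Record the outcome of an attempt. Returns the delay imposed (0.0 on success).
  def record(account, success:, now:)
    if success
      @state.delete(account) # a successful login resets the counter
      return 0.0
    end
    s = @state[account]
    s.failures += 1
    d = delay_for(s.failures)
    s.locked_until = now + d
    d
  end

  def failures(account)
    @state[account].failures
  end
end
```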
Single sign-on (SSO) allows schools and universities partners to provide their users (students and staff) with a login solution that does not require them to enter additional credentials on the Career Center. In this case, the security of the user's credentials is managed by the partner instead of JobTeaser.
CAS, SAMLv2 and OAuth2 are currently supported.
User Access Provisioning
The administration interface for Career Center administrators allows administrators to provision users according to roles they need to attribute to others.
Review of user access rights
User access rights are reviewed regularly.
For Career Centers, JobTeaser enables its school and university partners to set up an SSO integration for end users (students and administrators). Other types of users (e.g. company recruiters) are provided with a JobTeaser login (email and password credentials managed by JobTeaser).
JobTeaser uses a central authentication solution (JobTeaser IDP - IDentity Provider) on its platform and applications. It supports the development of controls: connection attempts monitoring, 2-factor authentication, etc.
Two-factor authentication (2FA)
Two-Factor Authentication is mandatory for JobTeaser staff on the platform and applications. It will be supported on the JobTeaser IDP during the year for other users.
API Security & Authentication
Authentication to the platform is processed through the JobTeaser dedicated OpenID module. This module can act as an Identity Provider as well as a Service Provider, depending on the partner's needs.
Privileged Access Rights
JobTeaser administrators handle user registration and de-registration. Access rights are determined according to the user's functional role in the company.
Administration Interfaces access
Access to administration interfaces is encrypted over public networks using industry best-practice HTTPS and TLS (1.2 and 1.3).
Information access restriction
All partner information is segregated from other partners' information in the application.
Data in transit
Communications between the platform users (students, customer or partner users and administrators, or JobTeaser administrators) are encrypted over public networks using industry best-practice HTTPS and TLS. Every three months, JobTeaser checks the strength of its TLS configuration through the SSL Labs API; any grade lower than "A" is handled as a security incident.
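An added example (not JobTeaser's own tooling) of how such a quarterly check can be turned into an automatic gate: it reads a report in the shape of an SSL Labs analyze response and reports every endpoint that is below the "A" threshold. The sample report is constructed; treating "A-" as below "A" and treating an unfinished assessment as a failure are assumptions.

```ruby
require 'json'

# Added example, not JobTeaser's code: gate an SSL Labs assessment on the
# "A or better" threshold. "T" (trust issues) and "M" (name mismatch) are
# placed below "F" because SSL Labs issues them instead of a letter grade.
module TlsGradeGate
  # Higher index = better grade. Treating "A-" as below "A" is an assumption.
  GRADE_ORDER = %w[M T F E D C B A- A A+].freeze
  MINIMUM = 'A'

  def self.rank(grade)
    GRADE_ORDER.index(grade) or raise ArgumentError, "unknown grade #{grade.inspect}"
  end

  def self.acceptable?(grade)
    rank(grade) >= rank(MINIMUM)
  end

  # Takes the parsed JSON of an analyze response and returns the endpoints that
  # do not meet the minimum grade. An assessment that is not READY is reported
  # as failing as well, because no grade can be trusted yet.
  def self.failing_endpoints(report)
    unless report['status'] == 'READY'
      return [{ 'ipAddress' => nil, 'reason' => "assessment status #{report['status']}" }]
    end
    report.fetch('endpoints', [])
          .reject { |ep| ep['grade'] && acceptable?(ep['grade']) }
          .map do |ep|
            { 'ipAddress' => ep['ipAddress'],
              'reason' => "grade #{ep['grade'] || 'none'} (#{ep['statusMessage']})" }
          end
  end

  # True when the policy says a security incident must be opened.
  def self.incident?(report)
    !failing_endpoints(report).empty?
  end
end

# Constructed sample in the shape of an SSL Labs analyze response; the host,
# addresses and grades are made up for this example.
SAMPLE_REPORT = JSON.parse(<<~JSON)
  {
    "host": "example.test",
    "status": "READY",
    "endpoints": [
      { "ipAddress": "192.0.2.10", "statusMessage": "Ready", "grade": "A+" },
      { "ipAddress": "192.0.2.11", "statusMessage": "Ready", "grade": "A" },
      { "ipAddress": "192.0.2.12", "statusMessage": "Ready", "grade": "B" },
      { "ipAddress": "192.0.2.13", "statusMessage": "Ready", "grade": "M" }
    ]
  }
JSON

if __FILE__ == $PROGRAM_NAME
  TlsGradeGate.failing_endpoints(SAMPLE_REPORT).each do |f|
    puts "SECURITY INCIDENT: #{f['ipAddress']} #{f['reason']}"
  end
end
```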
A few communications are sent through email and are inherently less protected. Only public information transits via this method of communication.
Data at rest
The AWS infrastructure ensures encryption at rest of all data-stores containing non-public information.
Secrets and Keys
All the keys and other secrets used within the application are stored securely following industry best-practices.
JobTeaser follows secure credential storage best practices by never storing passwords in human readable format, and only as the result of a secure, salted, one-way hash. The current hash algorithm used for passwords is BCrypt.
JobTeaser follows secure secrets management best practices during all the key management phases:
- Key generation
- Key storage
- Key use
- Key destruction
These best-practices are enforced through Hashicorp's Vault solution.
Physical and Environmental Security
Physical Perimeters and Location
Our platform is hosted in Amazon Web Services facilities, in the European Union region. AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.
Physical access control
The AWS data center facilities feature a secured perimeter with multi-level security zones, 24/7 manned security, CCTV video surveillance, multifactor identification, physical locks, and security breach alarms.
AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.
Protecting against external and environmental threats
Fire Detection and Suppression
Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.
The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.
Climate and Temperature
Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.
AWS monitors electrical, mechanical, and life support systems and equipment so that any issues are immediately identified. Preventative maintenance is performed to maintain the continued operability of equipment.
Storage Device Decommissioning
When a storage device has reached the end of its useful life, AWS procedures include a decommissioning process that is designed to prevent customer data from being exposed to unauthorized individuals. AWS uses the techniques detailed in NIST 800-88 (“Guidelines for Media Sanitization”) as part of the decommissioning process.
Operational procedures and responsibilities
Policies are in the process of being formalized. They record responsibilities associated with each domain. For now, only the following procedures are validated:
- Backup Policy
- Vulnerability Management Policy
No technical procedures will be written, as they are all automated.
JobTeaser's development cycle is based on the Scrum framework, an Agile methodology. Agile is a project management approach that works by breaking projects into short, iterative cycles called “sprints”. At its core, Agile is based on the assumption that circumstances change as a project develops. That is why, in an Agile project, the planning, design, development and testing cycles are never finished: they continue to change as the project takes form. Change management is directly integrated within the process.
Development, testing and pre-production environments are separated physically and logically from the production environment. Service data is used after anonymization to provision the pre-production environment, enabling realistic anonymous data to be used for a more robust manual testing of changes. For development and testing environments, service data may be used after anonymisation and subsetting (reduction of the dataset to a representative subset).
Protection from malware
Servers are protected from malware.
Our backup policy ensures our platform data is replicated in several geographical locations (in the West-Europe region). The replica instances are configured and resilient. Our production databases are backed up every day. Those backups are kept for 7 days.
Logging and Monitoring
JobTeaser uses application server logs which contain all user actions triggering an HTTP request to the application (e.g. loading a page, submitting a form, triggering background HTTP requests, …), as well as some associated data.
These logs include actions performed by administrative accounts.
Logs are accessible to members of the technical team according to their scope of work. Access is read-only.
The platform servers are currently synchronized internally. We intend to switch to the Time Sync Service from AWS, which will allow us to be synchronized through NTP and smooth out leap seconds.
Analysis and log correlation
Analysis and correlation of our logs is done through Kibana and scripts. It can also be done manually for specific issues.
Technical Vulnerability Management
An automated vulnerability scanner (Dependabot) runs every day to discover vulnerabilities in the dependencies of the JobTeaser code.
An automated vulnerability scanner (Trivy) runs on all Docker images created.
Static code analysis
Static code analysis is used for each change to the source code through our Continuous Integration (CI) pipeline to identify and notify potential security vulnerabilities.
Every year, JobTeaser engages a security-specialist third party to perform external penetration tests on different scopes of our platform and applications.
At JobTeaser, we consider the security of our systems a top priority. But no matter how much effort we put into system security, there can still be vulnerabilities present.
If you discover a vulnerability, we would like to know about it so we can take steps to address it as quickly as possible. We would like to ask you to help us better protect our clients and our systems.
Please do the following:
- E-mail your findings to firstname.lastname@example.org,
- Do not take advantage of the vulnerability or problem you have discovered, for example by downloading more data than necessary to demonstrate the vulnerability or deleting or modifying other people's data,
- Do not reveal the problem to others until it has been resolved,
- Do not use attacks on physical security, social engineering, distributed denial of service, spam or applications of third parties, and
- Do provide sufficient information to reproduce the problem, so we will be able to resolve it as quickly as possible. Usually, the IP address or the URL of the affected system and a description of the vulnerability will be sufficient, but complex vulnerabilities may require further explanation.
What we promise:
- We will respond to your report within 3 business days with our evaluation of the report and an expected resolution date,
- If you have followed the instructions above, we will not take any legal action against you in regard to the report,
- We will handle your report with strict confidentiality, and not pass on your personal details to third parties without your permission,
- We will keep you informed of the progress towards resolving the problem, and
- In the public information concerning the problem reported, we will give your name as the discoverer of the problem (unless you desire otherwise).
We strive to resolve all problems as quickly as possible, and we would like to play an active role in the ultimate publication on the problem after it is resolved.
Network Security Organisation
Our network security architecture is built upon multiple security zones. Sensitive systems, like database servers, are protected in the most trusted zones, where only traffic coming from the internal network is authorized. Traffic between different zones is filtered using firewalls.
Segregation in networks
Our AWS infrastructure utilizes several AWS network security features to isolate our infrastructure from external traffic and filter any unauthorized traffic (AWS VPC - Virtual Private Cloud - and Security Groups - virtual stateful firewalls).
Access to the JobTeaser production infrastructure is restricted to specific members of the Tech Team, following the least-privilege principle. By default, members of the tech team don't have access and have to ask to gain access during a certain time frame. Employees accessing the production infrastructure are required to do it through the company VPN and use multiple factors of authentication.
Network monitoring on our AWS infrastructure is handled through our global infrastructure monitoring.
Technical Network Security
Network vulnerability scanning
No network vulnerability scanner is put in place yet.
Intrusion detection and prevention
Intrusion detection and prevention appliances are installed on the infrastructure.
Threat intelligence program
No threat intelligence program has been designed on the platform.
A DDoS mitigation infrastructure will be put in place on the platform in a few months.
System acquisition, development and maintenance
Secure development awareness
JobTeaser strongly encourages security awareness in its Technical Team through regular communications and staff awareness programs. A community of interest brings together members of the Tech Team twice a month to discuss and share good practices, information and resources, and to identify security actions to be led. Security articles and presentations are regularly shared within the team through internal communication channels and the bi-monthly Tech Sharing afternoons.
Secure Development Training
JobTeaser is currently evaluating options for a secure code training provided by third-party experts, covering the OWASP Top 10 security flaws and other common attack vectors.
Secure development environment
Platform development is undertaken on the local developer machines, with Git as the version control system. The repositories are hosted by GitHub as private repositories. GitHub guarantees an appropriate level of confidentiality, availability, integrity and traceability.
JobTeaser subcontractors have secure development training. External developers have limited access rights to JobTeaser Git repositories, according to the least-privilege principle.
System change control procedures
Web frameworks security controls
JobTeaser uses modern web frameworks (e.g. Ruby on Rails, Phoenix) and makes use of their built-in security controls to limit exposure to the OWASP Top 10 security flaws. These include inherent controls that reduce our exposure to Cross-Site Scripting (XSS), Cross-Site Request Forgery (CSRF) and SQL Injection (SQLi), among others.
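As an added example (not JobTeaser's code), the output escaping that Rails applies to `<%= %>` by default is contrasted below with plain Ruby ERB, which does not escape anything; the template and the profile name are constructed for the example.

```ruby
require 'erb'

# Added example, not JobTeaser's code: the same template rendered without
# output escaping (plain ERB) and with it (what Rails' <%= %> does by default).
module ProfileCard
  TEMPLATE = '<p class="name"><%= name %></p>'

  # Unsafe: raw ERB interpolates the user-supplied value verbatim into the HTML.
  def self.render_raw(name)
    ERB.new(TEMPLATE).result_with_hash(name: name)
  end

  # Hardened: escape on output, so markup in the value becomes inert text.
  def self.render_escaped(name)
    ERB.new(TEMPLATE).result_with_hash(name: ERB::Util.html_escape(name))
  end

  # Check usable in a test suite: any tag other than the template's own <p>
  # means user input reached the page as markup.
  def self.tag_injected?(html)
    html.scan(%r{</?[a-z]+}i).map(&:downcase).any? { |t| !%w[<p </p].include?(t) }
  end
end

# Constructed profile name carrying markup, as an attacker-controlled field might.
CONSTRUCTED_NAME = 'Alice <script>probe()</script>'
```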
Web application firewalls
Web application firewalls (WAF) are used to protect most JobTeaser's public-facing applications or platform components. Here is the current status for the different components:
- JobTeaser website and Career Centers: protected with an advanced WAF integrated at application-level
Technical review of applications after platform changes
Each source code change goes through several reviews:
- code review by two other members of the development team;
- functional review and/or non-regression testing by the product manager or QA engineers.
For development and testing environments, an anonymised subset of production data is automatically created every day.
Information Security in third-party relationships
All third-parties used for the JobTeaser service are:
| Third party | Purpose |
| --- | --- |
| Amazon Web Services | Cloud hosting |
| SendGrid | Email delivery service |
| Sqreen | Web Application Firewall within the source code |
| Zendesk | Customer service software |
| BugSnag | Software Error Management service |
| New Relic | Software Error Management service |
| Google Analytics | Web tracking |
| Google Tag Manager | Web tracking |
| Pubble | Live chat service |
| Cloudflare | DDoS protection and Web Application Firewall |
| Twilio | SMS service for two-factor authentication |
Addressing security within third-party agreements
The third-parties used for the JobTeaser service have been vetted by JobTeaser's CISO and CTO. They all comply with JobTeaser's security level. JobTeaser is allowed to audit all its third-parties' services.
Monitoring and review of third-party services
Third-party services are reviewed before any contract is signed.
Managing changes to third-party services
If a change to a third-party service used by the JobTeaser platform affects security, JobTeaser will notify partners within a reasonable timeframe.
The Jobteaser legal department handles all confidentiality agreements.
Information security incident management
Responsibilities and procedures
Security incident management is the responsibility of the Chief Information Security Officer. Crisis management is the responsibility of the Chief Technical Officer. From a practical viewpoint, a security incident is handled in the same way as a production incident: a task force is assigned to fix the problem and regular status reports are publicly available on status.jobteaser.com.
Reporting information security events
If a security incident occurs on the platform, JobTeaser will notify the competent authorities and its impacted clients within a reasonable timeframe.
Assessment of and decision on information security events
Classification of an incident is done by the task force assigned to the incident. Major decisions are approved either by the CISO or the CTO.
Response to information security incidents
In case of a system alert, events are escalated to our operations and security monitoring. Our employees are trained on security incident response processes, including communication channels and escalation paths.
Learning from information security incidents
All security incidents are recorded and analysed by the CISO. Action plans can result from this analysis.
Collection of evidence
If a collection of evidence is necessary for judicial reasons, JobTeaser will hire a specialized third-party to do it.
Business Recovery Plan
A Disaster Recovery Plan (DRP) is formalized. It will be reviewed every three years and on major changes in the infrastructure.
JobTeaser's recovery plan hinges on the availability guaranteed by AWS: all data centers are online and serving customers; no data center is “cold”. In case of failure, automated processes move customer data traffic away from the affected area. Core applications are deployed in an N+1 configuration, so that in the event of a data center failure there is sufficient capacity for traffic to be load-balanced to the remaining sites automatically.
Implementing information security continuity
Critical components of the infrastructure, such as web servers, application servers and data stores, are clustered and redundant, which ensures availability in case of a system failure. Our backup policy ensures our platform data is replicated in several geographical locations. Our replica instances are configured according to our policy and their resilience is assured by AWS.
JobTeaser follows an infrastructure-as-code approach to infrastructure management, enabling faster recovery in the event of a major disaster requiring the whole infrastructure to be rebuilt.
Disaster Recovery Testing
The configuration of the whole infrastructure and of all applications is scripted. In the event of a disaster, the operations team is able to restore the platform by running the configuration scripts. Databases are restored automatically from their snapshots to a point in time between 0 and 5 minutes before the time of the disaster. Because these configurations are used every day, they are continuously tested.
Availability of services
JobTeaser is committed to a 99.8% uptime of the platform's core features. The uptime is measured through the platform's monitoring system. An internal system-status service is used to trace incidents and provide an additional uptime measure. History about these uptimes can be shared with customers and partners on demand.
For now, JobTeaser is not ISO 27001 certified. However, JobTeaser follows ISO 27002 guidelines in implementing its security.
In Europe, AWS is compliant with the following certifications:
- ISO 9001
- ISO 27001
- ISO 27017
- ISO 27018
- PCI DSS Level 1
- SOC 1
- SOC 2
- SOC 3
- C5 (Germany)
- Cyber Essentials Plus (UK)
- ENS High (Spain)
- G-Cloud (UK)
- IT-Grundschutz (Germany)
Our platform benefits from those certifications by being hosted in AWS facilities.
The JobTeaser French DPO is a member of the French Association of Personal Data Protection Correspondents (AFCDP).
Other security measures
Destruction of data storage mediums
Physical destruction of data storage mediums is handled by our hosting provider: AWS.
Patch management is handled through our infrastructure upgrade policy. Our goal is to never have to patch anything by being permanently up-to-date on our infrastructure systems.
This section describes the security measures relative to data protection at JobTeaser.
Some members of the technical team are given logical access to the platform's systems (servers and administration interfaces). The list of persons who are given this level of access is reviewed regularly. These accesses are granted through the infrastructure-as-code system in place at JobTeaser. Revocation can be done at any moment if necessary, through a change in the code dedicated to this access.
The leader of the infrastructure team is responsible for granting and removing access for members of the technical team. The CISO is responsible for auditing those accesses.
Two-factor authentication is mandatory for all privileged accesses.
All uploaded files are only accessible to allowed users.
All communications with JobTeaser servers are encrypted using industry standard HTTPS over public networks. This ensures that all traffic between you and JobTeaser applications is secure during transit.
Personal data will not be transmitted on physical data carriers.
Personal data is only accessible to university administrators and partner recruiters through the application which is accessed on the internet, over an HTTPS secured connection.
Email signing (DKIM/DMARC)
Emails sent and received by JobTeaser are secure.
Employee devices (smartphones and laptops) are monitored and handled through a mobile device manager.
Automated sensitive information discovery
Discovery of sensitive information is not yet automated.
Content moderation, spam filtering
Content is moderated on the platform.
This section describes the security measures put in place internally in JobTeaser's company organization and processes. They apply to all employees, unless specified otherwise.
Information Security Management
Information Systems Security Policy (ISSP)
JobTeaser has developed, with the help of security management experts, an Information Systems Security Policy. It follows the structure and principles of the ISO-27001 information security standard. This policy has been shared, and made available to all employees and contractors with access to JobTeaser information assets.
The Information Systems Security Policy is reviewed and updated at least every 2 years to take account of changes in:
- the regulatory, organizational or technical context;
- the expectations of JobTeaser's users, customers and partners;
- internal security requirements;
- new threats and vulnerabilities that may apply to JobTeaser's information systems.
General management commitment
JobTeaser’s Information System (IS) is a critical resource enabling JobTeaser to pursue its activities and provide its service to its customers. Ensuring the security of the Information System is a vital step in meeting a number of crucial objectives for JobTeaser:
- Guarantee the confidentiality and integrity of the data users, customers and partners entrust JobTeaser with, and particularly their personal data;
- Ensure the continuity of the services offered to its customers and partners, in particular, the JobTeaser.com website, the Career Center platforms as well as all the other web applications provided by JobTeaser;
- Establish and maintain strong trust between JobTeaser and its partners and customers, by communicating and respecting its commitments regarding the protection of their data;
- Guarantee the confidentiality and the integrity of its collaborators' personal data;
- Respond to regulatory and legal requirements and constraints, in France and internationally;
- Ensure the continuity of JobTeaser’s activities.
For this purpose, the General Management of JobTeaser commits to allocating the corresponding means and resources.
Roles and responsibilities
JobTeaser has defined the roles and organization for the management of Information Security.
- The Chief Information Security Officer is responsible for defining and updating the policy and control its implementation;
- The Information Security Committee reviews the security policy and its implementation at a strategic level;
- The Technical Team actively contributes to the implementation of security measures through technical means;
- The Security Guild is an internal community of interest focused on security and supporting transversal security actions throughout JobTeaser.
Hiring process controls
Skills and education are verified for all hires during the hiring process. Past employment verifications are done for sensitive positions.
All employees agree to the internal rules and the information systems usage charter, including security guidelines and mandatory practices.
JobTeaser's employment contracts contain a Confidentiality and Non-Disclosure Agreement clause. All contractors sign a confidentiality agreement.
Awareness and training
Regular awareness and training actions are addressed to all JobTeaser employees. These actions cover a large range of subjects, for example:
- general security good practices;
- workstation security;
- management of sensitive information;
- awareness of attack vectors (phishing, malware, etc.).
The on-boarding process includes an information security awareness training session.
JobTeaser premises are protected by individual identification badges and CCTV video-surveillance. Office gates are closed before 7am and after 10pm, and during weekends.
The internal network provided by JobTeaser to its employees is protected by an industry-standard firewall solution. All incoming traffic is forbidden by default.
Several network areas have been defined to isolate the different roles of JobTeaser staff and networked devices. In particular, printers and personal devices are assigned to separate network areas which are isolated from employee workstations.
Low-risk internal network strategy
Since most JobTeaser employees should be able to work on the move or remotely, the internal network used in the JobTeaser office is limited to connecting workstations to the internet and to local utility devices (e.g. printers). No critical equipment is hosted on the local network.
This limits the risks related to network intrusions and reduces the corresponding security requirements.
All workstations are protected using an industry-standard malware protection solution.
All workstation hard-drives are fully encrypted.
Internal information systems security
New employees are given access to internal applications on their arrival on a need-to-know basis. Accesses are revoked when the employee leaves the company.
Accesses to sensitive applications are regularly audited.
Awareness of password security has been raised among employees. The Information Security Policy defines the following password policy:
- Minimum 8-character long;
- At least 3 of the following types of characters: digits, uppercase letters, or symbols.
Whenever possible, the internal applications are configured to enforce these requirements. Moreover, the multifactor-authentication is enforced on sensitive applications.
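The two password policies stated in this document (the platform policy under Access Control Policy, with 2 of 4 character types, and the internal policy listed above, with 3 of the 3 listed types) can be encoded in one validator so that applications which cannot enforce the rules themselves still get the same check. This is an added example, not JobTeaser's code; treating any non-alphanumeric character as a symbol is an assumption.

```ruby
# Added example, not JobTeaser's code: one validator parameterised with the
# two password policies stated in this document.
class PasswordPolicy
  # Character classes; "symbol" is anything that is neither a letter nor a
  # digit (assumption, the document does not define the term).
  CLASSES = {
    lowercase: /[a-z]/,
    uppercase: /[A-Z]/,
    digit:     /[0-9]/,
    symbol:    /[^a-zA-Z0-9]/
  }.freeze

  Result = Struct.new(:valid, :errors)

  def initialize(min_length:, classes:, min_classes:)
    @min_length = min_length
    @classes = classes
    @min_classes = min_classes
  end

  # Platform policy: 8 characters, at least 2 of the 4 classes.
  PLATFORM = new(min_length: 8, classes: CLASSES.keys, min_classes: 2)
  # Internal policy as written: 8 characters, 3 of digits / uppercase / symbols.
  INTERNAL = new(min_length: 8, classes: %i[digit uppercase symbol], min_classes: 3)

  # Which of this policy's classes appear in the password, in policy order.
  def classes_present(password)
    @classes.select { |c| password.match?(CLASSES[c]) }
  end

  # Returns a Result with every violated rule, so a UI can show them all at once.
  def check(password)
    errors = []
    errors << "at least #{@min_length} characters required" if password.length < @min_length
    present = classes_present(password)
    if present.size < @min_classes
      errors << "needs #{@min_classes} of #{@classes.join(', ')} (found #{present.size})"
    end
    Result.new(errors.empty?, errors)
  end

  def valid?(password)
    check(password).valid
  end
end
```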
JobTeaser collaborators are provided with a password management solution to improve password security. The solution enables the generation of complex passwords, limits the reuse of existing passwords, and enables secured sharing of passwords when needed.
All communications between JobTeaser's collaborators and internal application are encrypted via industry best-practices HTTPS and TLS over public networks.