All Collections
Employer
General Terms & Conditions - Data, API, Incident Management, Monitoring and Access Management.
General Terms & Conditions - Data, API, Incident Management, Monitoring and Access Management.
Pawan Mishra avatar
Written by Pawan Mishra
Updated over a week ago

Service Overview


1) Provide an overview of the service or offering.

  • Testlify offers a cutting-edge talent HR Tech platform that helps businesses streamline their talent assessment process.


2) Will customer information be accessible or processed by this service or offering? (SSN, account login information etc.)

  • No, Our service does not directly process or access sensitive customer information such as SSN, account login information, etc.


3) Is other sensitive data in use? (address, phone number, email, IP, etc.)

  • We do not store the sensitive data of the test takers to enable companies to make better hiring decisions such as:

    First Name, Last Name, Email, Phone, IP address, Browser settings (location, mic & camera), Candidate's snapshot, Videos, and Audio as per assessment settings.

    Some of these data points are optional and collected at the client’s discretion.


4) How do the client's systems, data, or people interact with your software or service?

  • The Client's systems, data, or people can interact with our software or service through our web application GUIs, APIs, and customer support.


5) What type of APIs are available?

  • We offer REST APIs.


6) How will these services be hosted? Please describe the hosting environment and services.

  • Our services are hosted on the cloud using the following services in a dedicated environment:

    - AWS, Vercel, Heroku and MongoDB Atlas


7) If using virtualization, are your services on a shared farm or dedicated hardware?

  • No, Our services are hosted on dedicated hardware.


8) Which country/location is the data centre or hosting provider that provides this service/offering located?

  • The data centre for our hosting providers is located in the Ireland, EU region.


9) Have you had a security breach in the last 12 months?

  • No, We have not experienced any security breach until now.


Monitoring


1) Are systems and procedures in place to monitor the use of information processing facilities and to take corrective action to respond to system irregularities?

  • Yes, we have systems and procedures to monitor our information processing facilities and respond to system irregularities.


2) Is a commercially available Network Intrusion Detection/Prevention System implemented and operational?

  • Yes, we have implemented a commercially available Network Intrusion Detection/Prevention System.


3) Are all production segments of the network and systems actively being monitored?

  • Yes, All production segments of the network and systems are actively monitored.


4) Is the provided in-scope service or offering monitored 24x7 for security violations?

  • Yes, our service is monitored 24x7 for security violations.


5) Do you have SLA for uptime?

  • Yes, we provide a Service Level Agreement (SLA) with a guaranteed uptime of 99.95%.


6) Do you have performance metrics? If yes, can you share and how often?

  • Yes, we have performance metrics in place. We can share them as per the customer's request at an additional fee.


Logging


1) Does the organization maintain the system, application, and other security logs?

  • Yes, we maintain system, application, and security logs.


2) Do application and system logs contain activity info, errors, start and finish times, information security events, user, system administrator and system operator activities?

  • Yes, these logs contain activity info, errors, start and finish times, information security events, user, system administrator, and system operator activities.


3) How long are logs retained?

  • Logs are retained for a period of 30 days.


4) Is access to the system and application logs restricted?

  • Yes, access to the system and application logs is restricted to authorized personnel only.


5) Are these logs available to monitor or investigate?

  • Yes. Upon request, these logs can be made available to monitor or investigate at an additional fee.


6) Do any of your logs contain sensitive data (sensitive PII, etc) in the clear?

  • No, our logs do not contain sensitive data (sensitive PII, etc) in the clear.


Incident Management


1) Is there a documented process in place to report incidents, observed or suspected security weaknesses?

  • Yes. We have a documented process in place to report incidents, observed, or suspected security weaknesses


2) Is there a 24x7x365 security incident response team and plan with clearly defined and documented roles and responsibilities?

  • Yes. We have a 24x7x365 security incident response team with clearly defined and documented roles and responsibilities.


3) Does the Incident Response Plan require the notification of customers in the event of an incident?

  • Yes. Our Incident Response Plan requires the notification of customers in the event of an incident.


4) Is Root Cause Analysis (RCA) provided to customers?

  • Yes. We provide a Root Cause Analysis to our customers after resolving the incident at an additional fee.


5) Do you have a Disaster Recovery Plan/Business Continuity Plan? If so can you share?

  • Yes, we do have a Disaster Recovery Plan and a Business Continuity Plan. Due to confidentiality policies, we cannot share the complete plan, but we can provide a high-level summary upon request at an additional fee.


6) Does the change include an assessment of potential operational impact and rollback procedures?

  • Yes. All changes are evaluated for potential operational impact and appropriate rollback procedures are implemented.


7) Is there sufficient redundancy capacity to ensure services are not impacted during peak usage and above?

  • Yes. We have implemented sufficient redundancy and scalability measures in our cloud architecture to ensure service continuity even during peak usage times.


8) What is the release frequency of applications created and released into production for this service?

  • We follow on QA approval release cycle for our application updates and enhancements. Critical security patches are applied immediately as they become available. We release updates multiple times a week.


9) Is there a formal process to ensure clients are notified prior to changes being made which may impact their service?

  • Yes. All clients are notified via email at least 3 days before any scheduled maintenance that might impact the service.


API Management


1) Do you have APIs to manage Users and Permissions?


2) Do you have APIs for all the services that are provided?


3) Do you support restful services?

  • Yes. We fully support RESTful services.


4) Do you have proper documentation for APIs?

  • Yes. We have comprehensive API documentation.


5) Are there APIs for getting reporting data?

  • Yes. We have APIs that can be used to retrieve candidate assessment report data. Detailed documentation is available at https://docs.testlify.com/


6) Are there any governance limits and usage on API?

  • We do have rate limiting on our APIs to ensure fair usage and maintain system performance. Detailed documentation is available at https://docs.testlify.com/


Data Storage & Processing


1) Is all sensitive information electronically destroyed (e.g.deleted using certified information shredding product) before a system is decommissioned or recommissioned?

  • Yes. All sensitive information is securely deleted before a system is decommissioned or recommissioned.


2) Are you compliant with GDPR?

  • We are fully compliant with GDPR. We ensure that all data is handled, stored, and processed according to GDPR guidelines. Please refer to details at https://testlify.com/gdpr-compliance/


3) Can a customer request its own Data for reporting? If yes, how can you make the data available?

  • Yes. The customer can request its data for reporting purposes. Upon request, these data can be made available at an additional fee.


4) Are vendor staff able to access customers' data in an unencrypted state?

  • No. Vendor staff do not have access to unencrypted customers' data.


5) Is customers' data encrypted in transit and at rest?

  • Yes. Customers' sensitive data is encrypted both in transit and at rest using industry-standard encryption protocols.


6) How often are backups performed on production data?

  • Yes. Backups of production data are performed daily.


7) Any customer data fields that will persist in the app?

  • Only non-sensitive, necessary fields such as user preferences and system configuration data persist in the app.


8) How is GDPR/CCPA supported?

  • Yes. We ensure GDPR/CCPA compliance through stringent data handling, processing, and storing policies. All data subject requests (access, rectification, deletion) are facilitated within the regulatory timeframe.


9) Do you provide multiple environments?

  • Yes. We provide separate environments for development, staging, and production.


Access Management


1) Do you support SSO login (OIDC, SAML etc)?

  • Yes. We support SSO login using SAML to our white label plan or higher customers.


2) Can users be provisioned (account creation) through external IDPs?

  • Yes. We support user provisioning through external identity providers (IDPs).


3) Are user permissions managed via roles, groups etc? If yes can they be provisioned during account creation?

  • User permissions are managed via roles (Admin, Member), and these can be provisioned during account creation.


4) Can users be activated, deactivated or deleted on termination?

  • Yes, user accounts can be activated, deactivated, or deleted upon termination.


5) Do you support just-in-time account creation?

  • Yes, we support just-in-time (JIT) account creation.

Did this answer your question?