Security

How we keep our data secure

We live in a world where cyber incidents happen every day. In 2021, cybercrime rose 600%, violating the privacy of millions of individuals. We acknowledge this threat and treat information security as a first-order concern.

Our products are secure and sovereign by design

We’ve partnered with AWS and build on its cloud services. These services enable us to capture, process and store data securely while respecting data sovereignty. AWS data centres apply world-class security practices to protect against threat actors and geographical disasters.

AWS provides us with:

  • 24/7 surveillance
  • Physical security
  • High availability (redundant power, multiple Availability Zones)
  • Geographical risk mitigation
  • Serverless infrastructure, so the underlying operating systems and runtimes are patched by AWS as soon as fixes are released (our own application code and dependencies remain our responsibility to patch)

Visit the AWS website for more information on its data security measures.

We follow secure coding practices and use SAST tooling. We regularly commission penetration testing of our application to catch and remediate the bugs that do make it through. This ensures that we’re building the most secure product we can.
For added assurance, our live product environment is protected by web application firewalls, denial-of-service protection and intrusion detection systems.

Why this matters to you

These practices put security at the forefront of our product from the start, ensuring it’s built and operated securely rather than having security added retrospectively.

Our culture respects data

Our candidates trust us with their data, and it’s our duty to protect them. That’s why we go beyond GDPR compliance: we’ve built a culture where all PII, regardless of its origin, is treated to the same high standard at every stage of its life cycle. Our standards are as follows:

  • Data processing. All data is processed within AWS and accessed only from computers in the same geography as the data is stored; the processing is continuously tested for bias.
  • Data protection. Data is stored in AWS, encrypted at rest with 256-bit encryption and in transit with TLS 1.3; secrets are held in envelope-encrypted storage.
  • We have an intra-group data transfer agreement that enables the lawful transfer of this data between group companies.
  • Our sub-processors (who may process data outside the sovereign location of the Client) are reviewed for security governance and controls. We enter into Data Processing Agreements with our third parties and suppliers where data privacy legislation requires it. As of October 2021, we use only Amazon Web Services (AWS) as a sub-processor.
  • Data sovereignty. Sapia respects data sovereignty standards and is fully GDPR compliant.
  • Data destruction. A data retention period is configured within our platform, and data is automatically deleted when that period ends.
  • Sapia retains anonymised data derived from PII and interview data indefinitely. We do this to build and maintain predictive models, and to create analytical and statistical data to improve or modify our services or develop new products.
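The "envelope" pattern named under Data protection above is worth seeing concretely. The following is an added illustration written for this page, not Sapia's own code: each record is encrypted under its own random data key (DEK), and the DEK is in turn encrypted ("wrapped") under a key-encryption key (KEK) that would normally live in a KMS/HSM and never leave it. Here the KEK is a locally generated 32-byte key standing in for that KMS key (an assumption for the sake of a self-contained example), AES-256-GCM is used for both layers, and the record ID is bound as associated data so an envelope cannot be moved onto a different record. The sample record and ID are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Envelope is what gets stored with a record: the record encrypted under
// its own DEK, plus that DEK encrypted under the KEK. Without the KEK,
// neither field yields anything.
type Envelope struct {
	WrappedDEK []byte // DEK sealed under the KEK, nonce prepended
	Ciphertext []byte // record sealed under the DEK, nonce prepended
}

// NewKey returns 32 random bytes: a 256-bit key for AES-256-GCM.
func NewKey() ([]byte, error) {
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext under key with AES-256-GCM, authenticating aad
// alongside it, and returns nonce || ciphertext || tag.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal; any change to nonce, ciphertext, tag or aad fails.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(sealed) < ns {
		return nil, errors.New("sealed data too short")
	}
	return gcm.Open(nil, sealed[:ns], sealed[ns:], aad)
}

// Encrypt generates a fresh DEK for this record, encrypts the record under
// it, then wraps the DEK under the KEK. recordID is used as AAD on both
// layers so an envelope cannot be swapped onto another record.
func Encrypt(kek, recordID, record []byte) (Envelope, error) {
	dek, err := NewKey()
	if err != nil {
		return Envelope{}, err
	}
	ct, err := seal(dek, record, recordID)
	if err != nil {
		return Envelope{}, err
	}
	wrapped, err := seal(kek, dek, recordID)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK (in production: a KMS Decrypt call),
// then decrypts the record with the DEK.
func Decrypt(kek, recordID []byte, env Envelope) ([]byte, error) {
	dek, err := open(kek, env.WrappedDEK, recordID)
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	pt, err := open(dek, env.Ciphertext, recordID)
	if err != nil {
		return nil, fmt.Errorf("decrypt record: %w", err)
	}
	return pt, nil
}

func main() {
	kek, _ := NewKey() // stand-in for a KMS-held key (assumption)
	id := []byte("candidate-42")                      // constructed
	env, _ := Encrypt(kek, id, []byte("interview text")) // constructed
	pt, err := Decrypt(kek, id, env)
	fmt.Printf("%q %v\n", pt, err)
}
```

The practical consequences are the ones a reviewer would check for: rotating or revoking the KEK affects only the small wrapped DEKs, not the bulk ciphertext; a leaked database dump without the KEK is useless; and because the record ID is authenticated, an attacker who can write to the store still cannot replay one candidate's envelope under another candidate's ID.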

Why this matters to you

With data practices such as these, you and your candidates can trust Sapia to handle data with the care and respect it deserves.

Our product: Process and practice

Security doesn’t stop with our product. At Sapia, we have teams dedicated to security and risk. They are responsible for:

  • Business continuity planning
  • Breach prevention and response
  • Operational risk
  • Operational security
  • Security posture

We maintain ISO 27001:2013 certification, and we’re actively working towards a SOC 2 attestation.

Why this matters to you

You can be confident that we have a team actively managing security and business continuity risk, working to prevent incidents before they happen.