Security & Integrity
Eightfold is committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust compliance program that carefully considers data protection matters across our suite of services, including data submitted by customers to our services (“Customer Data”). Eightfold’s Talent Intelligence Platform meets global standards for security and integrity, with verification from trusted third parties. Our GDPR-compliant platform is designed to meet the exacting requirements of the world’s most sophisticated organizations.
System and Organization Controls (SOC)
Eightfold is SOC 2 Type I and SOC 2 Type II certified by third-party auditors.
Eightfold employs many methods to ensure the maintenance of customer data, and to prevent unauthorized access.
- Data segregation. Every customer’s data is stored separately and encrypted at rest.
- Secure API. Eightfold connects to customer systems over HTTPS using Transport Layer Security (TLS) 1.2, with AES-256 encryption of the traffic.
- Secure web application. The Eightfold platform uses HTTPS by default, and all data is encrypted in transit.
- Internal data encryption. In addition to encrypting API traffic, Eightfold encrypts all internal traffic. All data at rest, from databases to file systems to caches, is encrypted using AES-256, managed through AWS Key Management Service.
- Account passwords. All passwords are hashed with bcrypt, a strong cryptographic password-hashing algorithm with built-in randomly generated salts.
Access to customer data is granted only to select employees, and only to troubleshoot a customer issue that needs to be resolved. Arbitrary access is prohibited, and every access is logged.
Eightfold uses database replication and periodic snapshots to avoid data loss. In case of a data loss, we can use replicas to quickly recover to a known previous state.
Eightfold does not store any data on-premises. We use AWS for all data storage and processing, which complies with stringent security requirements.
To guard against incidents, Eightfold has procedures in place to cut off external access to data at short notice. We also keep strict logs of all access in order to identify breaches.
GDPR, EEO, and OFCCP Compliance
Eightfold processes and stores, but does not collect, Personally Identifiable Information (PII), including Equal Employment Opportunity (EEO) data. For customers that require it, Eightfold can meet the record-keeping standards established by the Office of Federal Contract Compliance Programs (OFCCP).
Eightfold is a data processor that is fully compliant with the GDPR. No Eightfold customers have required additional internal compliance work.
Access Control and Provisioning
Eightfold supports SAML-based provisioning systems, and has an internal permissions-based account system.
Penetration Testing (Pen Testing)
Eightfold conducts periodic third-party white-box security assessments to verify security controls.
Automated Security Assessment
Eightfold uses Amazon Inspector to automatically assess applications for exposure, vulnerabilities, and deviations from best practices.
Eightfold “Bug Bounty” Program
We have a “bug bounty” program to responsibly collect bug reports from outside parties.