Security

          Our Infrastructure
        
          My Ally’s computing infrastructure is provided by Amazon Web Services, a secure cloud services platform. Amazon’s physical infrastructure has been accredited under ISO 27001, SOC 1/SOC 2/SSAE 16/ISAE 3402, PCI Level 1, FISMA Moderate, and Sarbanes-Oxley.
We have architected a secure multi-tier network environment on top of Amazon’s infrastructure to ensure that our applications and data are protected and always accessible. Access to our infrastructure is tightly controlled and monitored. In addition to strong security controls, My Ally ensures that the data it collects remains available through full, daily backups, retained for 14 days
We employ secure coding practices and ensure we’re at-minimum protected against the OWASP Top 10. All of the My Ally applications undergo frequent third-party security and vulnerability assessments to catch any security bugs we may have missed. We even have a “bug bounty” program where we pay hackers to responsibly report bugs they find in our applications.

          How does My Ally keep sensitive information private?
        
          The communication between your employees and our servers is encrypted with 128-bit SSL encryption. All sensitive data-user passwords are securely encrypted-hashed; both in transit and at rest passwords are never stored in plain text. All data access is protected by a role-based access-control mechanism, which only lets users view data for which they have permission. It’s impossible for users to view data from organizations other than their own.

          Which employees at my company will use My Ally?
        
          Everyone! Your entire recruiting team will obviously be using My Ally regularly. But interviewers will rely on My Ally to seamlessly have interviews scheduled and submit evaluations in a timely fashion. Management will want to use the reporting features to get an overview of how quickly candidates are moving through the pipeline.
              It can even be used as an internal scheduling tool.

          Our internal processes
        
          Only authorized employees have access to our production infrastructure, passwords are strictly regulated, and access requires multiple factors of authentication. We limit access to customer data to the employees who need it to provide support and troubleshooting on our customer's behalf. Accessing customer data is done solely on an as-needed basis, and only when approved by the customer (i.e. as part of a support request), or to provide support and maintenance.

          Our promise
        
          Why take our word for it? We are ISO 27001:2013 certified. Our systems and processes conform to the ISO/IEC 27001:2013 standard, assuring that our controls relating to security, availability, and confidentiality are well designed and operating effectively.

          Compliance
        
Certifications / Attestations

              ISO 27001:2013

Laws / Regulations / Privacy

              GDPR

Alignments / Frameworks

              EU-US Privacy Shield
Swiss-US Privacy Shield

          EU Data Protection
        
GDPR

              The European Union’s General Data Protection Regulation (GDPR) protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.
            
                  add_circleWho does the GDPR apply to?

                  The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.
                
                  add_circleWhat has My Ally been doing in preparation for the GDPR?

                  My Ally has been working diligently over the last few months to bring its systems and processes into compliance with the GDPR and to help ensure that customers working with My Ally can meet their GDPR obligations. For instance, we have adopted policies and procedures to ensure that My Ally can assist its customers in responding to any requests by data subjects to exercise their rights under the GDPR.  We have also worked hard to ensure that our systems meet GDPR security standards and are proud to be ISO 27001:2013 certified.  Of course, GDPR compliance is and will be an ongoing process, and as new developments in the law occur, we will respond and update our systems accordingly.
                
                  add_circleDoes My Ally offer a Data Processing Addendum (DPA)?

                  Yes. My Ally offers a GDPR-compliant Data Processing Addendum (DPA), enabling you to comply with GDPR contractual obligations. For more information on how customers can enter into the My Ally Data Processing Addendum, please email us at privacy@myally.ai.
                
                  add_circleIs My Ally a data processor or a data controller?

                  My Ally processes personal data both as a “data processor” -- meaning that it processes data on behalf of others (e.g. using personal data to schedule and manage the job application process for our clients) and as a “data controller” -- meaning that it processes data on its own behalf (e.g. processing personal data My Ally collects on potential clients to market to them).
                
                  add_circleWhom should I contact if I have questions regarding GDPR and My Ally?

                  We recommend that customers with questions regarding data protection or GDPR and My Ally contact their customer success representative first. Question can also be sent to privacy@myally.ai.
                
                  add_circleDoes My Ally have sub-processors?

                  We proactively inform our customers of any sub-processors who have access to content, including content that may contain personal data, here.
                
Privacy Shield Framework

                  add_circleWhat is the Privacy Shield?

                  The U.S. Department of Commerce, with the European Commission and the Swiss government, created the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks to provide companies with a mechanism to transfer personal data from the European Union to the United States in a manner that provides an adequate level of protection for the purpose of European data protection law.
                
                  add_circleIs My Ally certified under the Privacy Shield?

                  My Ally has certified its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield frameworks to the U.S. Department of Commerce. View the certification here.

Sub-Processors

In an effort to provide maximum transparency, we’ve compiled a list of sub-processors My Ally works with along with details on what the data collected through these sub-processors are used for.

Sub-Processors	Why & How data is used
Amazon Web Services	Servers and network infrastructure