Because of the volume of security-related questions, we have compiled multiple help articles to house them all. For the next section (Part 2) of our security documentation, click here.
What are the core features of the Findem platform?
Findem is a trusted talent solution that leverages AI to increase candidate quality worldwide. With offices in Canada, the Philippines, India, and the US, Findem’s clients range from Fortune 500 companies to stealth start-ups. Findem partners with the highest level of leadership to create material talent acquisition impact. Findem’s current offerings include candidate/executive sourcing, ATS integrations, CRM, and business intelligence analytics. Findem aggregates data from 100,000+ websites rather than relying on a single data source, so that users can search and organizations can see candidates beyond resumes. It consolidates three strategies, Reactive (Search Sourcing), Proactive (CRM), and Capture/rediscovery (ATS Matching), in one tool, and its analytics, integrated with internal and external data, provide custom reporting that identifies where to take business action.
Can Findem manage multiple job openings and track their progress individually?
Yes. The Findem platform can connect to multiple open job requisitions to identify inbound talent while dispositioning candidates directly from Findem throughout the stages within a client's ATS. Findem users will also have access to full (top and bottom) candidate funnels to identify bottlenecks and opportunities within the current TA workflow.
Can Findem automatically score and rank candidates based on a predefined criterion?
Yes. The Findem platform can automatically score/group each candidate as a "Great Match", "Good Match", "OK Match", or "Poor/Not a Match" based on the criteria set by the user. Results on each candidate search results page are ranked by relevance to the user's predefined criteria: (1) all must-have skills must be present, and (2) candidates are ordered by the number of nice-to-have skills they fulfill.
How will Findem provide the Scoped Services to us (the buyer)? (e.g. How is data sent/received?)
Findem is a web-based SaaS platform for recruiting purposes. All of the data can be consumed through the website.
Does Findem have any fields that are not adjustable?
No. The Findem attributes and platform are built in-house and can be fully configured to a client's use case.
Please provide data flow documentation (high-level diagrams are acceptable) to depict the data involved
If integrations are required, please provide the relevant integration documentation for GreenHouse.
Integrating Greenhouse ATS with Findem
Does Findem's Application/Platform(s) support SAML/SSO with the buyer?
Yes.
If SAML/SSO is not supported, is policy and account lockout policy enforcement supported?
Yes.
Please provide a link or attachment to Findem's SBOM and/or VDR for services in scope if available
Not relevant to Findem.
Describe and diagram the data structure of Findem's data lake (supply & demand if separate).
Findem's data model overlays an internal data structure, providing flexibility in the creation and configuration of objects over time. As the needs of clients evolve, this overlay can accommodate changes. The data lake includes thousands of attributes grouped by Location, Skill, Role, Title, Tenure, Overall Experience, Gender, Ethnicity, Verified Code Repositories, Patents, Awards, and more. If additional attributes are required, Findem can build queries to index them. The data structure allows clients to access a flat tabular structure and model it according to their needs. Examples of attributes include Skill, Job, Country, Title, Tenure, and City.
How does Findem maintain the quality of its data (accurate, complete, consistent, etc), including deduplication?
Findem references multiple data points to build and identify profiles, including LinkedIn, email addresses, work experience, and location. These data points let Findem resolve records down to the person level and act as signals for identifying duplicates. Findem employs machine learning models in the backend to continuously review, consolidate, and deduplicate profiles as part of its data quality management.
Describe the different roles Findem's application provides. If Findem's application also offers custom role definitions, be sure to mention that.
Findem can set up each user or organization account with different access and permissions based on the client's requirements and specifications. Custom platform setup is a collaborative effort between Findem's Product team and the user organization.
Detail the steps in Findem's recommended approach to generate insights about contingent labor supply and demand while addressing known limitations & risks. Provide a real-life example from another client. How does Findem determine if a talent works for JNJ or a contingent labor supplier?
Findem builds a query leveraging multiple signals to infer contingent labor, such as employment at known agencies, contractor or consultant roles, and short-term projects. Findem can determine if a talent works for JNJ or a contingent labor supplier based on employment history, project duration, and agency affiliations. Common agencies include RANSTAD, KMS, Manpower, Kelly, CPL Group, CapGEMINI, Ausy, Ordina West, and Wanxing Outsourced LLC, among others.
Please provide details on the ATS integration use case (i.e. What does the integration access? What data is pulled, processed, stored, transmitted? etc.)
Findem's ATS integration allows users to search, match, rediscover, and update candidate data in one consolidated view. The integration accesses data such as Jobs, Candidates, Applications, Users, Attachments, Notes, Tags, Offers, EEOC, Interviews, and Email templates. All data pulled from the ATS is stored in the client's sandbox environment, isolated from the Findem global data lake and accessible only to users from the client's end. Data is transmitted securely through APIs, with permissions controlled by the ATS admin on the client's end.
Does the use of production data in non-production environments require a documented business justification?
N/A - Findem does not allow the use of production data in other lower environments. Findem simulates fake candidate data in a lower environment to test functionalities.
Describe Findem's production password policy to include complexity, expiration, reuse, and lockout.
Findem supports an email/password workflow for logging into the platform, protecting all passwords through AES256 encryption. Users are locked out after five login attempts. Findem also supports MFA + SSO login (Gmail / OKTA).
Describe Findem's organization's mobile device security policy and how it is enforced, as it relates to customer data.
N/A - Findem does not support mobile applications. Access controls are in place to ensure the security of customer data, including segregation of duties and two-factor authentication.
PASSWORD ADMINISTRATION: Does Findem follow NIST 800-53 for password administration, including minimum length, complexity, expiration, and re-use?
Yes, Findem adheres to NIST 800-53 standards for password administration. Passwords used to access Box Data must meet the specified requirements for minimum length, complexity, expiration, and re-use.
ENCRYPTION: What encryption measures does Findem have in place for Media in transit and at rest?
Findem encrypts Media in transit using at least TLS 1.2 and Media at rest using at least AES with a default key strength of 256 bits. Additionally, Findem maintains an auditable encryption key access process and regularly evaluates and updates the list of Authorized Persons with access to encryption keys.
LOGGING AND MONITORING: Does Findem generate immutable authentication and activity logs for each Authorized Person's activity?
Findem generates authentication and activity logs for systems or applications used to access, process, store, communicate, and/or transmit Box Data. These logs are reviewed regularly, at least monthly, and maintained in accordance with record retention obligations. However, ongoing access to client logs is not provided.
NETWORK AND HOST SECURITY: What network and host security methods does Findem have in place?
Findem employs commercially reasonable network intrusion detection, firewalls, and anti-virus protection. Operating systems and applications associated with Box Data are patched, updated, and secured promptly upon awareness of security vulnerabilities. Industry standards are followed to prevent infection by harmful code.
PHYSICAL SECURITY: Does Findem meet NIST 800-53 requirements for physical security safeguards?
Yes, Findem's physical security safeguards meet or exceed NIST 800-53 requirements. Physical safety and security measures at facilities where access to Box Data is required are implemented and documented.
BACKUP AND DISASTER RECOVERY: What backup and disaster recovery measures does Findem have in place?
Findem maintains a standard backup process for orderly and timely recovery of Box Data in case of interruptions. A contemporaneous backup that can be recovered immediately is maintained, with a disaster recovery plan including specific objectives for recovery time and recovery point. Disaster recovery tests are conducted annually, and results are shared promptly upon request.
How does the Findem platform enhance the candidate experience?
Findem enhances the candidate experience by aggregating data from over 100,000 websites, allowing users to leverage attributes for advanced searches. These attributes enable users to see candidates beyond resumes, consolidating Reactive (Search Sourcing), Proactive (CRM), and Capture/rediscovery (ATS Matching) strategies in one tool. Analytics integrated with internal and external data provide custom reporting to reduce time to hire. Additionally, Findem has a fully built integration with ChatGPT to streamline workflows.
Are there tools for creating and managing email campaigns to nurture candidate relationships?
Yes, Findem provides users with options to create and manage email campaigns to nurture candidate relationships. Users can upload their own email templates, use Findem-approved templates, or utilize ChatGPT to write email campaigns.
Does Findem have a mobile-friendly application?
No, Findem currently does not support a mobile application. Users are encouraged to leverage the desktop version for the best experience.
Please provide the technical guide or documentation on how to configure single sign-on for your product?
Yes, Findem supports single sign-on with either Google or Okta. Technical documentation for configuration can be provided upon request.
How does Findem collect, store, and secure its data?
Findem collects candidate data from various sources, including direct input from candidates, automatic collection through the services, public records, third-party vendors, advertising partners, social networks, and web scraping. The data is stored securely with appropriate physical, technical, organizational, and administrative security measures. Findem retains personal data as necessary for providing services, meeting legal obligations, resolving disputes, or as permitted or required by applicable law.
Does the Findem system comply with relevant data protection and privacy regulations?
Yes, Findem complies with relevant data protection and privacy regulations. Full details can be found in Findem's privacy policy and security and trust documentation.
How does Findem remove bias from the platform?
Findem ensures compliance by not collecting or discriminating against sensitive personal information (SPI) data. The platform removes bias by allowing users to dictate search inputs directly, not tracking user searches, and segregating data to prevent bias in recommendations. Human intervention is minimal but includes in-house built models for testing data accuracy, monitoring user workflows, and manually reviewing candidate data points and sources.
How quickly do Findem's data refreshes happen? Are your system reports real-time, or do they have a lag?
Findem's data refreshes occur through five triggers:
- Data import from data vendors on a monthly/quarterly basis.
- Appearance of a profile in the top ~1000 search results.
- Shortlisting of a profile for campaigning.
- Visit to a LinkedIn profile using the Findem Chrome extension.
- A profile appearing in search with a detected change, which triggers a refresh process: prioritizing the request, retrieving profile data, and running the profile scraper.
Please describe the customer data you require to provide your service: personal information, financial data, confidential/sensitive data, government data.
To provide the service, Findem requires only the full name and email address of the user approved to use the service. If the user wishes to connect their email for outreach functionality, an OAuth connection with their email is also required.
How do you encrypt customer data (in transit, at rest, etc)?
Findem encrypts customer data at rest and in transit using AES256 standard encryption. Relevant documentation can be provided upon request.
Which groups of staff (individual contractors and full-time) have access to customer personal and sensitive data?
Findem restricts access to customer data to specific staff members based on job roles and responsibilities. Sensitive data is not collected, and access is strictly controlled.
Describe how offsite backups occur and how they are secured.
All data is stored in AWS Ohio servers, with backups stored in AWS Oregon servers to ensure 100% availability and continuity of services without disruption for clients.
How do you ensure strong security for employee authentication?
Findem requires employees to use MFA and Okta SSO for authentication. Strong password policies are enforced, and additional details are provided in the SOC2 policy documents.
Does the system support custom fields for candidate, job, or workflow records?
Yes, Findem supports custom fields for candidates, jobs, and workflows, allowing for flexibility in data management.
Can the system be configured without the assistance of technical support?
Users have the ability to configure the system, including creating attributes and reports. However, technical support is recommended for ATS/API integrations.
Does a sandbox instance exist as part of your solution?
Yes, Findem offers an ATS staging environment for testing, along with a temporary license to test real platform workflows.
How do you conduct internal audits of the service?
Tech leads conduct internal audits quarterly or bi-annually to identify potential risks and resolve them promptly.
How do you conduct external audits of the service?
Findem undergoes annual audits conducted by third-party services like TAC security, as well as SOC audits.
Please provide a copy of the most recent report (as per Service Introduction tab, section 5).
Findem has provided the most recent report, including a Letter of Audit Completion and SOC2 report, as per the Service Introduction tab.
Are there industry, regulatory, or contractual compliance requirements that need to be considered for this vendor's service?
Yes, GDPR compliance is a significant consideration for Findem's service.
Does the vendor encrypt customer data?
Yes, Findem encrypts customer data both in transit and at rest.
Does the vendor have formal Disaster Recovery and Business Continuity planning?
Yes, Findem has formal Disaster Recovery and Business Continuity planning in place.
Which IT operational, security, privacy-related standards, certifications, and/or regulations do you comply with?
Findem complies with SOC2 standards.
Please upload your most recent ISO 27001/18 and Statement of Applicability (SOA).
Findem is SOC2 type 2 and GDPR compliant, and relevant documents can be shared upon request.
Please upload your most recent PCI-DSS certifications dated within the past 12 months.
Findem is a talent platform and does not work with payment data, so PCI-DSS certifications are not applicable.
If Applicable - Please upload the remediation plan or a regression test report if vulnerabilities were identified.
Findem conducts continuous monitoring of vulnerabilities through Vanta, managed by the head of engineering.
Please provide a copy of the most recent report (as per Service Introduction tab, section 5).
Findem has provided the most recent SOC2 report and a Letter of Audit Completion.
Please provide a link or attachment to your SBOM and/or VDR for services in scope if available.
Findem does not have an active bug bounty program but acknowledges bug reports from external users. SOC2 compliance is maintained.
Do you seek a right to use or own customer-derived data for your own purposes?
Findem collects, uses, and shares data as outlined in its privacy policy.
Is your Privacy Notice/ Privacy Policy externally available?
Yes, Findem's Privacy Policy is externally available at the provided URL.
Are all personnel required to sign Confidentiality Agreements to protect customer information?
Yes, signing Confidentiality Agreements is a part of employee onboarding at Findem.
Are all personnel required to sign an Acceptable Use Policy?
Yes, an Acceptable Use Policy is in place at Findem.
Please identify whether you have any of the following policies: Code of Conduct, Anti-Bribery/Corruption Policy.
Findem has a Code of Conduct policy and an anti-bribery policy in place.
Who are Findem's sub-processors?
Data is hosted on AWS, while sensitive data is masked and sent to OpenAI for additional context.
Software development is expected to follow a Secure Software Development Framework.
Yes, Findem is in compliance with secure software development standards.
What Frameworks does Findem require to run the application?
Findem's platform is hosted on the cloud and can be accessed with active login credentials.
Will the vendor use their own software to perform their work, including compilers?
Findem's code is developed in-house and not outsourced.
Is Sensitive or Confidential information being processed in any way by this vendor?
No, sensitive or confidential information is not processed by Findem.
What level of access to Motional data is required or handled by the vendor?
Findem writes, transmits, and hosts data but does not transfer data from Motional.
Is Motional data expected to be transferred from Motional to the vendor?
No, Motional data is not expected to be transferred to the vendor.
Is Motional data going to be transferred across borders?
No, Motional data is not expected to be transferred across borders.
Are high privileges access accounts or admin rights expected?
Yes, high privileges access accounts or admin rights are expected.
Is Motional data shared with other parties?
No, Motional data is not shared with other parties.
Describe the type of training provided for employees who will work on PayPal matters.
Employees undergo annual cybersecurity awareness training covering various topics such as internet safety, personalized threats, malware, and passwords.
Describe the services being provided, with particular focus on the type of data that will be accessed and handled.
Findem collects personally identifiable information (PII) via AI as part of the diversity, equity, and inclusion (DEI) process, but the PII data is suppressed to users and cannot be found within the Findem platform.
Describe your organization's external storage media security policy and how it is enforced.
Findem's Data Management Policy addresses external storage media security.
Describe your organization's security incident response process.
Findem defines incidents and communicates them to clients within the SLA based on severity. More details are provided in the incident response plan.
Physical Security Controls: Findem's Physical Security Policy outlines the measures implemented to protect against unauthorized access to systems and data.
Network Security Solutions: Findem has an intrusion detection system for continuous monitoring and early detection of potential security breaches.
Logical and Physical Segregation of Data: Data is logically segregated by customer in individual databases. Physically, systems with data are located in private AWS subnets accessible only via VPN.
Static Application Security Testing (SAST) Tools: Findem utilizes its own static and dynamic security testing tools on cloud infrastructure for threat monitoring and security analysis.
SSL Configuration Review: Regular reviews ensure that only secure protocols and ciphers are offered to clients.
Forward Secrecy Support: Findem's server supports ECDHE and DHE ciphers for forward secrecy.
HTTP Strict Transport Security (HSTS): HSTS is configured with a max-age value of at least 6 months.
Web Application Security: The web application is exclusively reachable over HTTPS with no support for HTTP.
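As an added illustration (not Findem's code or configuration), the following Python checker shows how a reviewer could verify the three transport-security claims above from captured evidence: an HSTS max-age of at least 6 months, forward-secrecy key exchange, and no plaintext HTTP. The sample headers, cipher-suite names and HTTP probe results are constructed for the demo, and the 182-day reading of "6 months" is an assumption.

```python
"""Verify a site's stated transport-security posture from captured evidence.

Added illustration, not Findem's code: the sample headers and cipher-suite
names used below are constructed for the demo.
"""

# Assumption: "6 months" is taken as 182 days.
SIX_MONTHS_SECONDS = 182 * 24 * 60 * 60  # 15,724,800 s


def parse_hsts(header_value):
    """Parse a Strict-Transport-Security value into {directive: value}.

    Directive names are case-insensitive (RFC 6797); max-age is mandatory
    and must be a non-negative integer. Raises ValueError on malformed input.
    """
    directives = {}
    for raw in header_value.split(";"):
        part = raw.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in directives:
            raise ValueError(f"duplicate HSTS directive: {name}")
        directives[name] = value
    max_age = directives.get("max-age")
    if max_age is None or not max_age.isdigit():
        raise ValueError("HSTS max-age missing or not an integer")
    directives["max-age"] = int(max_age)
    return directives


def hsts_meets_minimum(header_value, minimum=SIX_MONTHS_SECONDS):
    """True when the header parses and max-age is at least `minimum` seconds."""
    try:
        return parse_hsts(header_value)["max-age"] >= minimum
    except ValueError:
        return False


def cipher_has_forward_secrecy(cipher_name):
    """True when the negotiated suite uses ephemeral (EC)DH key exchange.

    Accepts IANA names (TLS_ECDHE_RSA_WITH_...) and OpenSSL names
    (ECDHE-RSA-...). Every TLS 1.3 suite (TLS_AES_*, TLS_CHACHA20_*) is
    forward secret, because TLS 1.3 only negotiates ephemeral key exchange.
    """
    name = cipher_name.upper()
    if name.startswith(("TLS_AES_", "TLS_CHACHA20_")):
        return True
    return name.startswith(("ECDHE-", "DHE-", "TLS_ECDHE_", "TLS_DHE_"))


def https_only(http_status, location):
    """Judge a plaintext-HTTP probe of port 80.

    Acceptable only if the connection was refused (status None) or the
    server answered with a permanent redirect to an https:// URL. A
    temporary redirect or any content served over HTTP is a finding.
    """
    if http_status is None:
        return True
    return http_status in (301, 308) and location.lower().startswith("https://")


def review_posture(hsts_header, cipher, http_status, location):
    """Return {check: passed} for the three claims under review."""
    return {
        "hsts_6_months": hsts_meets_minimum(hsts_header),
        "forward_secrecy": cipher_has_forward_secrecy(cipher),
        "https_only": https_only(http_status, location),
    }


if __name__ == "__main__":
    # Constructed evidence: one compliant deployment and one that fails all three.
    good = review_posture("max-age=31536000; includeSubDomains; preload",
                          "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384",
                          301, "https://example.invalid/")
    weak = review_posture("max-age=86400",
                          "TLS_RSA_WITH_AES_128_CBC_SHA",
                          200, "")
    for label, result in (("good", good), ("weak", weak)):
        print(label, result)
```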
API Rate Limiting: No rate limits are imposed on Findem's API.
API Token Validity: API tokens are valid for as long as the customer allows access.
Personal Device Security Policy: Findem provides encrypted laptops with admin configurations and firewalls to employees, monitored via Vanta.
Logical Security Controls: Technical risks and vulnerabilities are outlined in Findem's Operations Security Policy.
Security Vulnerability Reporting: External researchers can report security vulnerabilities through a published security email contact.
Security Testing Methodology: The process is overseen by the head of engineering, with periodic evaluations and patch classifications based on severity.
Patching and Updates Evaluation: Periodic evaluations, patch testing, risk assessments, change management, and client communications are conducted for patches and updates.
Endpoint Device Management: All laptops connecting to production networks are centrally managed via Vanta for security monitoring.
Required Device Security Configurations: Corporate-issued laptops/desktops are fully encrypted with configured firewalls and monitored through Vanta.
What systems does Findem have in place to mitigate classes of web application vulnerabilities?
Findem employs various systems to mitigate classes of web application vulnerabilities. These include:
- Web Application Firewall
- Content Security Policy (CSP)
- Secure Coding practices
- Regular patching and updates
- Vulnerability scanners
- Authentication and authorization mechanisms
- Security headers
- Session Management and tokenization
- Regular Security audits and penetration testing
Do you have operational breach detection systems, deception solutions and/or anomaly detection with alerting?
Yes, Findem has intrusion detection systems in place to continuously monitor the network for early detection of potential security breaches.
How does Findem store passwords?
Findem securely stores passwords using a cryptographic one-way hash function, such as SHA-256, combined with salt for added security.
Describe Findem's secrets management strategy:
Findem utilizes various secret management strategies depending on the context, including authentication tokens, passwords, and certificates.
Are all security events (authentication events, SSH session commands, privilege elevations) in production logged?
Yes, all security events, including authentication events, SSH session commands, and privilege elevations, are logged in production logs for monitoring and analysis.
Is the production network segmented into different zones based on security levels?
Yes, the Findem production environment is segmented and partitioned based on security levels to mitigate the impact of security breaches.
What is the process for making changes to the network configuration?
Findem has a defined process, outlined in the SOC2 documentation, for making changes to the network configuration.
What cryptographic frameworks are used to secure data in transit over public networks, passwords, data at rest?
Findem utilizes cryptographic frameworks to secure data in transit over public networks, passwords, and data at rest. More details can be found in the cryptography policy and SOC2 documentation.
Where is the SSL connection between the user and Findem's application terminated?
SSL connections between users and the Findem application are terminated at the load balancer.
Are Findem's SSL/TLS private keys appropriately protected on web servers?
Yes, Findem ensures that SSL/TLS private keys are appropriately protected on web servers.
How is traffic between the load balancer and the application servers protected?
Traffic between the load balancer and application servers is encrypted, and certificates are validated to ensure secure communication.
How are cryptographic keys (key management system, etc.) managed within Findem's system?
Findem follows established cryptographic key management practices, as outlined in the cryptography policy document.
Describe Findem's security awareness program for personnel throughout the organization. Is it mandatory? Describe the frequency. Is it general or targeted for certain teams?
Findem mandates annual security training for all personnel, with both general and targeted sessions based on team roles.
How does Findem log and alert on relevant security events?
Security events are logged at multiple levels, and email and Slack alerts are generated for certain workflows.
Describe or attach Findem's Security Incident Response Program.
Findem has a documented Security Incident Response Program, details of which can be found in the incident response plan.
Do you have formally defined criteria for notifying a client during an incident that might impact the security of their data or systems? What are your SLAs for notification?
Yes, Findem has formally defined criteria for notifying clients during incidents that might impact the security of their data or systems, with SLAs based on the severity of the incident.
Please describe how Findem authenticates users. If passwords are used, describe complexity requirements, and how passwords are protected. Is MFA supported? If SSO is supported, please describe the available options. If different service tiers are available, please describe.
Findem supports various authentication methods, including email/password, MFA, and SSO (Gmail/OKTA), with passwords protected using AES256 encryption.
Does Findem's application enable custom granular permissions and roles to be created? Please describe the roles available.
Findem follows an ACL standard to provide custom granular permissions to users based on the service agreement.
Which audit trails and logs are kept for systems and applications with access to customer data?
Audit trails and logs are maintained for systems and applications with access to customer data, with customer data itself excluded from audit logs for privacy reasons.
How does Findem's application store API keys?
Findem utilizes AWS Key Management Service (KMS) to securely store API keys.
Has Findem's company or any of its owners, board of directors, or senior management been convicted of a crime involving bribery or corruption or been the subject of an inquiry or investigation involving bribery or corruption? If so, please provide details.
No.
Do you have any pre-existing relationships with current or former Government Officials, including current or former Government Officials on your payroll, that are relevant to the services you will perform?
No.
Are any of the following current or former (past 2 years) Government Officials: significant shareholders (10%+), ultimate beneficial owners, senior management, board of directors, and/or any employee who has day-to-day relationship management of the Client account, or their immediate family (parents, grandparents, siblings, or children (biological or step) of the person or the person's spouse)?
No.
Please upload your most recent SOC2 document performed within the last 12 months (SOC2 Type I, SOC2 Type II, SOC 3...etc.)
SOC reviews can be provided via PDF for upload.
Please upload your PCI-DSS certifications dated within the past 12 months
Findem is a talent platform. We do not work with payment data in the platform.
In what countries does your Organization access, handle, or store client data?
All of the data is stored primarily in US AWS servers.
Has your organization experienced any security incidents in the past 3 years?
No.
Has your organization established and documented a formal Secure Software Development Lifecycle (SSDLC) Policy and Procedures as part of the development process?
Yes.
Does your organization have technical controls and tools in place to enforce the Secure Development Lifecycle Standard?
Yes.
Has your organization established and formally documented a secure development lifecycle training program?
Yes.
Does your organization require annual secure development lifecycle training for software developers and other affected personnel?
Yes.
Does your organization subject code to static code analysis and/or static application security testing prior to release?
Yes.
Does your organization use manual source-code analysis to detect security defects in code prior to production? (e.g. Peer or 3rd party code review)
Yes.
Does your organization separate the production environment logically and/or physically from development, test, and staging environment(s)?
Yes.
Does your organization allow the use of production data in non-production testing or development environments?
No.
If yes, does the use of production data in non-production environments require a documented business justification?
Not Applicable.
If yes, do the security controls in place for the non-production environments meet or exceed those of the production environments?
Not Applicable.
Does your organization remove test data and accounts from system components before moving to production?
Yes.
Does your organization restrict access to source code to only authorized personnel? (RBAC, Least privilege, Separation of Duties)
Yes.
Does your organization perform annual penetration testing of the production environments for the scoped system(s)?
Yes.
Does the vendor outsource application development to 3rd parties?
No.
Does your organization use any third party code, including open source code in the development of the scoped Application/Platform(s)? If yes, please explain.
Yes. We use open source NPM packages & libraries.
Does your organization's Application/Platform(s) have a default session timeout?
Yes, 7 days.