Security
Control and visibility
We’ve developed tools that empower recruiters to customize Testlify to their organization’s particular needs. The Testlify dashboard provides control and visibility features, along with tools to protect accounts across its various user interfaces. The Testlify Integration API also allows partner products to integrate with core IT processes. We help you ensure that only the right people can access your company’s information in Testlify.
Identity and access management
Protecting our customers’ information and their users’ and candidates’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security.
Testlify has invested heavily in building a robust security team, one that can handle a variety of issues – everything from threat detection to building new tools. In accordance with GDPR requirements relating to security incident notifications, Testlify will continue to meet its obligations and offer contractual assurances.
If you’d like to learn more about Testlify’s security policies and procedures, please see our security page. It provides detailed information on how we approach security and includes a white paper on how Testlify ensures user data security in particular, covering our technical and organisational measures (TOMs) as well as our encryption standards.
- Directory services integration & single sign-on (SSO): Enterprises can simplify provisioning and de-provisioning by automatically adding and removing users from existing internal directories. Your Testlify account manager can help you pick the right plans that give you access to our identity management providers and SSO capabilities.
- Advanced fraud protection: Super admins can request advanced login protection. This feature ensures users can log in from only one device at a time and helps identify fraudulent access to your Testlify accounts.
Sharing controls
Super admins of Testlify have comprehensive control over their team’s abilities in the Testlify dashboard. This includes whether members can invite other members and give controlled access to different portions of the Testlify dashboard. Super admins can restrict the ability to edit test settings, create new tests and create new public links to tests to a chosen set of recruiters. Users with view-only access to tests can administer a test to candidates but cannot change its proctoring settings.
Administrative actions and visibility
Testlify provides an extensive toolbox for super admins to manage your Testlify account and adhere to your organization’s internal security policies. Some restricted features of Testlify are only visible to super admins. These include:
- Tracking account usage
- Permanently deleting and anonymizing candidate data
- Deleting, deactivating, and activating other recruiter logins
- Access to hiring insights and usage reports
- Access to complete audit logs
- Access to billing information including downloadable invoices
Additionally, super admins can work with Testlify account managers for any data requests, such as account transfer or remote wipe. Note that some of these features are available only to enterprise customers and depend on the plan you subscribe to.
Automation, integrations & API
We have extended the power of the Testlify platform through automation and integrations to help businesses integrate Testlify into their core IT processes and support custom workflows. The automation helps recruiters communicate with candidates without the overhead of tracking candidate activity. This includes automated invite, reminder, shortlist and rejection emails. Only a handful of these features are enabled by default. Your account manager works with you to customize our automated features to best fit your recruiting processes. Our ATS (application tracking system) integrations help you administer Testlify assessments without leaving your hiring systems. You can invite a candidate to an assessment, track their assessment progress, and view the candidate score and scorecard right within your ATS. To further customize your workflow, we provide an Integration API that gives you access to Testlify features. To learn more about pricing and details of our Integration API, speak with your Testlify account manager.
Information security
By default, Testlify encrypts data for all of our customers. We further protect your data with tools such as audit logs, data backups and recovery. We’re always assessing risks and improving the security, confidentiality, integrity, and availability of our systems. We regularly review and update security policies, provide our employees with security training, and perform application and network security testing (including penetration testing).
Testlify policies safeguard your information
Testlify has strict risk management policies regarding user information assurance. We are committed to ongoing risk assessment and continually improving the security testing, confidentiality, and data integrity of Testlify systems. Key areas include:
- Access and Authentication Requirements
- Content Policies
- Retention and deletion
- Discovery and Classification
- Data Loss Prevention
How Testlify protects your information
Team access controls: Employee access to data is granted based on role-based access control, and all access requires layers of authentication.
Change management: The Testlify Engineering team’s Formal Change Management Policy ensures that changes have been authorized prior to implementation into production environments.
Infrastructure security: Our underlying infrastructure is designed with modern security concepts like defense in depth and based on a zero trust model. Our security controls are tested extensively by our own security team.
Content and data controls: Testlify safeguards your recruiting data with granular permissions, policies and legal holds.
Information security requires transparency
Transparency is everything when it comes to building trust and protecting the rights of our users. To that end, Testlify account managers work with enterprise recruiters to communicate about how we handle government requests for user data.
Architecture overview
Testlify is designed with multiple layers of protection, including secure data transfer, encryption, network configuration, and application-level controls distributed across a scalable, secure infrastructure. Testlify offers governance and risk-management capabilities flexible enough to meet your organisation’s needs, no matter what they are. This includes global retention policies and custom terms of service.
Dashboard/app infrastructure
Testlify recruiters can access their Testlify dashboard/account at any time from the web and mobile clients, or through third-party applications connected to the Testlify application via our integration APIs. All of these clients connect to secure servers to provide access to the Testlify dashboard, access/create/edit the Testlify test library, access/create/delete candidate invites, view candidate scorecards, and manage the candidate pipeline. Our dashboard infrastructure comprises the following components:
Metadata storage servers
Metadata/Secondary data collected from candidates during the conversational assessment is used by the Testlify application to generate scorecards. This metadata includes any files submitted by the user and proctoring information collected by our bot during the assessment. Dedicated storage services are deployed for different types of secondary data based on function and format.
Organization databases
Organization information required for access management, storing purchased assessments, and administering the assessments is stored in a MySQL-backed database service and is sharded and replicated as needed to meet performance and high-availability requirements.
Secondary app servers
Testlify secondary app servers are responsible for scheduling and running automated tasks and notifications. These sub-services automate recruiters’ workflows and are customizable. Automated tasks include monitoring conversational assessments and ending sessions that were never closed. They also cancel unused invites so that recruiters can reclaim the credits and use them for more invites. Our dedicated notification sub-services alert recruiters and candidates via email. This includes sending reminder emails for inactive candidates and custom test request email notifications.
Primary app servers
Testlify primary app servers are built to scale automatically based on recruiters’ usage. They handle the logic, data processing, and data synchronization of all organization data. They are responsible for authentication, customization, and access to all organization data. Security is built into multiple layers of our app servers, ensuring that every action is logged and served only according to a user’s roles and permissions.
Infrastructure: behind the scenes
Our engineering team works continuously to innovate and implement secure practices in every layer of our applications. Here are some common segments:
Data centers
Testlify’s infrastructure is securely hosted in Ireland through third-party service provider Amazon Web Services (AWS), one of the most secure global computing environments. While our providers handle physical and environmental security, Testlify manages logical, network, and application security. We uphold strict security protocols, perform daily data backups, and are fully GDPR compliant. Your data is private and protected.
Encryption
Testlify data at rest is encrypted using 256-bit Advanced Encryption Standard (AES). To protect data in transit between apps (currently API or web) and our servers, Testlify uses Secure Sockets Layer (SSL)/Transport Layer Security (TLS) for data transfer, creating a secure tunnel protected by 128-bit or higher AES encryption. Similarly, data in transit between a Testlify client (API or web) and the hosted services is encrypted via SSL/TLS.
Certificate pinning
In most scenarios and implementations, Testlify applies certificate pinning in modern browsers that support the HTTP Public Key Pinning specification. Certificate pinning is an extra check to make sure that the service you’re connecting to is really who it says it is and not an imposter. We use it to guard against other ways that skilled hackers may try to spy on your activity.
Perfect forward secrecy
For endpoints we control and modern browsers, we use strong ciphers and support perfect forward secrecy. By implementing perfect forward secrecy, we’ve made it so that our private SSL key can’t be used to decrypt past Internet traffic. This adds extra protection to encrypted communications with Testlify, essentially disconnecting each session from all previous sessions. Additionally, on the web, we flag all authentication cookies as Secure and enable HTTP Strict Transport Security (HSTS).
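The three transport protections claimed above (forward-secret key exchange, Secure/HttpOnly authentication cookies, HSTS) are the kind of thing a customer can verify from the outside. The following audit script is an added example, not Testlify's own code: it checks a response's headers and the negotiated TLS cipher against those claims, using a constructed sample response so it runs offline; the cookie name `session`, the hostname in `live_audit`, and the one-year HSTS threshold are assumptions.

```python
"""Audit an HTTPS endpoint for HSTS, secure auth cookies and forward secrecy."""
import http.client
import re
import ssl
from typing import Dict, List, Sequence, Tuple

# Constructed sample (not a real Testlify response), in the shape that
# http.client.HTTPResponse.getheaders() returns: a list of (name, value) pairs.
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=31536000; includeSubDomains"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "theme=dark; Path=/"),
]
# Shape of ssl.SSLSocket.cipher(): (cipher name, protocol version, secret bits).
SAMPLE_CIPHER = ("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128)
ONE_YEAR = 31536000  # assumed minimum max-age; hstspreload.org requires one year

def hsts_max_age(headers: Sequence[Tuple[str, str]]) -> int:
    """Return the HSTS max-age in seconds, or -1 if the header is absent or malformed."""
    for name, value in headers:
        if name.lower() == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*(\d+)", value, re.I)
            return int(m.group(1)) if m else -1
    return -1

def insecure_cookies(headers, auth_names=("session",)) -> List[str]:
    """Names of authentication cookies (matched by name) missing Secure or HttpOnly."""
    bad = []
    for name, value in headers:
        if name.lower() != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cookie_name = parts[0].split("=", 1)[0]
        flags = {p.lower() for p in parts[1:]}  # attribute flags, case-insensitive
        if cookie_name in auth_names and not {"secure", "httponly"} <= flags:
            bad.append(cookie_name)
    return bad

def has_forward_secrecy(cipher: Tuple[str, str, int]) -> bool:
    """True when the key exchange is ephemeral: TLS 1.3 always is, TLS 1.2 needs (EC)DHE."""
    name, version, _bits = cipher
    return version == "TLSv1.3" or name.startswith(("ECDHE", "DHE"))

def audit(headers, cipher) -> Dict[str, bool]:
    return {"hsts_ok": hsts_max_age(headers) >= ONE_YEAR,
            "cookies_ok": not insecure_cookies(headers),
            "pfs_ok": has_forward_secrecy(cipher)}

def live_audit(host: str) -> Dict[str, bool]:
    """Connect with certificate verification on and audit the real response (needs network)."""
    conn = http.client.HTTPSConnection(host, timeout=10, context=ssl.create_default_context())
    conn.request("GET", "/")
    resp = conn.getresponse()
    result = audit(resp.getheaders(), conn.sock.cipher())
    conn.close()
    return result
```

Run `live_audit("<your-testlify-host>")` against the endpoint you actually use; a `hsts_ok` of False on a redirect-only host usually means the header is set on the final origin, not the first hop.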
Key management
Testlify’s key management infrastructure is designed with operational, technical, and procedural security controls with very limited direct access to keys. Encryption key generation, exchange, and storage are distributed for decentralized processing.
