Security at Bluebelt
This Privacy and Security Statement outlines the measures Bluebelt, a Canadian software company, implements to protect the privacy and security of data handled by its Applicant Tracking System (ATS) plug-in. It is written for companies considering integration of the plug-in, which automates sorting and onboarding and offers a bi-directional API, SMS capability, email backups, AWS-powered cloud-based infrastructure, and Multi-Factor Authentication (MFA). It also sets out our commitment to data protection and compliance with the relevant laws, so that prospective clients can evaluate us with trust and transparency.
1. Overview:
Bluebelt provides an advanced ATS plug-in designed to streamline the recruitment process through automation and efficient data handling. Our software tool incorporates features such as job-fit assessment, skills and personality test records, certifications and qualifications tracking, skills gap analysis, resume building, career mentorship, employer feedback and review systems, SMS/phone communication, candidate status indicators, and notification management.
2. Data Access:
Bluebelt ensures that data access is strictly controlled and limited to authorized personnel only. Our data access policies are built around the principle of least privilege, ensuring that users have the minimum level of access required to perform their job functions. Access to personal information is granted only to those who need it for the provision of our services, and all access is logged and monitored for compliance and security purposes.
3. Data Security and Compliance Standards:
Bluebelt adheres to industry-leading data security standards and compliance requirements, including SOC2, PIPEDA, and FIPPA. We employ robust security measures to protect data, including encryption at rest and in transit, secure coding practices, and regular security audits. Our compliance framework ensures that we meet all federal and provincial privacy laws in Canada, providing our clients with confidence in our data protection capabilities.
4. Data Storage:
Data storage is managed through Supabase, a SOC2 Type 2 and HIPAA-compliant cloud database service known for its robust security features such as row-level security and adherence to best practices. All data is stored within Canada and the United States to comply with data residency requirements of our customers. Personal information is retained only as long as necessary to fulfill the purposes for which it was collected or as required by law. Secure deletion and anonymization policies are in place to handle data that is no longer needed. Data is backed up regularly to ensure business continuity and disaster recovery.
5. Security Protocols and Compliance with Laws in Ontario:
Bluebelt's security protocols are designed to comply with all relevant federal and Ontario laws and regulations, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and Ontario's Freedom of Information and Protection of Privacy Act (FIPPA). Our protocols include regular security training for employees, incident response planning, and continuous monitoring of our systems for vulnerabilities and potential breaches.
6. Partner and Vendor Compliance:
Vendor security is crucial to safeguarding our systems. We rigorously assess our vendors, require that they adhere to industry standards and implement robust security measures, and maintain open communication channels with them to uphold a resilient and secure business environment. Our primary partners include:
- Vercel: Hosting our site and powering our app, Vercel provides a secure wrapper around AWS and adheres to SOC2 compliance standards. More details can be found at Vercel Security.
- Supabase: Our data storage solution, which ensures data security through SOC2 compliance, row-level access control and encryption at rest. Sensitive information such as PII and tokens is identified, classified, and stored securely. Access to this information is restricted, and encryption is applied both in transit and at rest. More information is available at Supabase Security.
- OpenAI: Provides enterprise AI solutions used within our ATS plug-in. OpenAI follows strict privacy guidelines and ensures data is deleted within 30 days unless required otherwise by law. For more details, visit OpenAI Enterprise Privacy.
- BambooHR: Our partner for HR management. BambooHR is SOC2- and PCI-compliant and adheres to the highest standards of data security. For more information, visit BambooHR Security.
- Twilio: Provides SMS capabilities for our plug-in. Twilio follows strict security guidelines and is compliant with industry standards. For more information, visit Twilio Security.
- Postmark: Provides email services for our plug-in. Postmark follows strict security guidelines and is compliant with industry standards. For more information, visit Postmark Security.
- Datadog: Provides monitoring and alerting services for our systems. Datadog follows strict security guidelines and is compliant with industry standards. For more information, visit Datadog Security.
7. System Architecture:
Bluebelt's system architecture is designed with security and scalability in mind. The architecture diagram below illustrates our setup:
Diagram Description:
- User Interface (UI): Accessible via web and mobile applications.
- API Gateway: Facilitates communication between the UI and backend services.
- Backend Services: Include job-fit assessment, skills tracking, and notification management.
- Data Storage: Managed by Supabase, ensuring secure data handling.
- Third-Party Integrations: Vercel for hosting, OpenAI for AI capabilities, Twilio for SMS, Postmark for email, and BambooHR as our HR management partner.
- Observability and Monitoring: Vercel Observability and Datadog for monitoring and alerting.

8. Network Security:
Bluebelt employs multiple layers of network security to protect data from unauthorized access and cyber threats. Our network security measures include:
- Firewall Protection: Monitoring and controlling incoming and outgoing network traffic based on predetermined security rules. Rules are regularly reviewed and updated to mitigate potential threats.
- DDoS Protection: Vercel's firewall blocks incoming traffic when request volume reaches abnormal or suspicious levels.
- Intrusion Detection Systems (IDS): Identifying potential security breaches and responding to threats in real-time.
- Encryption: Ensuring data is encrypted both in transit and at rest using industry-standard protocols.
9. Account Management:
Account management is handled with a focus on security and user control. Features include:
- Multi-Factor Authentication (MFA): Adding an extra layer of security to user accounts.
- Role-Based Access Control (RBAC): Assigning permissions based on user roles to minimize security risks.
- Regular Audits: Conducting periodic reviews of account activities to detect and prevent unauthorized access.
10. Incident Management:
Bluebelt has a robust incident management process in place to handle security events and data breaches. Our incident management process includes the following steps:
- Identification: Detecting and identifying security incidents through Vercel monitoring and alerting systems and Datadog dashboards. Our team is notified of any unusual activity and will respond within minutes.
- Containment: Isolating and containing the incident to prevent further damage. This may involve shutting down affected systems or networks. We have a kill switch in place to immediately stop any malicious activity.
- Eradication: Removing the root cause of the incident to prevent recurrence.
- Recovery: Restoring affected systems and data to normal operation. This may involve restoring from backups or rebuilding systems.
- Review: Conducting a post-incident review to identify lessons learned and improve incident response processes. We use this information to update our incident response plan and security controls. We will report any data breaches to the relevant authorities and affected individuals as required by law.
Bluebelt is committed to maintaining the highest standards of privacy and security for our clients. Our comprehensive measures ensure that your data is protected at all stages of processing, from collection to storage and beyond. For any questions or further information, please contact us through our website at https://www.bluebelt.co/.