Owned by: CTO
Approved by: CEO
Date of last revision: September 2022


This document describes the measures and procedures in place to ensure that the Jobylon-platform is maintained, developed and built in a secure way, and that information including personal information is handled in compliance with applicable laws.


Information Security Program and Certifications

Jobylon hosts the database in AWS data centers and AWS complies with the following assurance programs: SOC 1/ISAE 3402, SOC 2, SOC 3, ISO 9001, ISO 27001, ISO 27017 and ISO 27018. Click here to read more about compliance at AWS.

AWS will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Jobylon secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the AWS Network, and (c) minimize security risks, including through risk assessment and regular testing. AWS will designate one or more employees to coordinate and be accountable for the information security program.

Facilities and On-Site Security

Physical components of the AWS Network are housed in nondescript facilities (the “Facilities”). Physical barrier controls are used to prevent unauthorized entrance to the Facilities both at the perimeter and at building access points. Passage through the physical barriers at the Facilities requires either electronic access control validation (for example, card access systems, etc.) or validation by human security personnel (for example, contract or in-house security guard service, receptionist, etc.). Employees and certain contractors are assigned photo-ID badges that must be worn while the employees and contractors are at any of the Facilities. Visitors and any other contractors are required to sign-in with designated personnel, must show appropriate identification, are assigned a visitor ID badge that must be worn while the visitor or contractor is at any of the Facilities, and are continually escorted by authorised employees or contractors while visiting the Facilities.

AWS provides access to the Facilities to those employees and contractors who have a legitimate business need for such access privileges. When an employee or contractor no longer has a business need for the access privileges assigned to him/her, the access privileges are promptly revoked, even if the employee or contractor continues to be an employee of AWS or its affiliates.

All access points (other than main entry doors) are maintained in a secured (locked) state. Access points to the Facilities are monitored by video surveillance cameras designed to record all individuals accessing the Facilities. AWS also maintains electronic intrusion detection systems designed to detect unauthorised access to the Facilities, including monitoring points of vulnerability (for example, primary entry doors, emergency egress doors, roof hatches, dock bay doors, etc.) with door contacts, glass breakage devices, interior motion-detection, or other devices designed to detect individuals attempting to gain access to the Facilities. All physical access to the Facilities by employees and contractors is logged and routinely audited.

Click here for more information regarding AWS data center controls.

Continued Evaluation

AWS will conduct periodic reviews of the security of its AWS Network and adequacy of its information security program as measured against industry security standards and its policies and procedures. AWS will continually evaluate the security of its AWS Network and associated Services to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews.

Data Hosting Location

Jobylon has chosen data residency EU, which means that we only utilize AWS data centers in Europe.


Encryption in Transit

All communications with the service are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you/your users and the service is secure during transit. Exceptions for encryption may include any use of in-product SMS functionality, any other third-party app, integration, or service subscribers may choose to leverage at their own discretion.

Encryption at Rest

Our databases (AWS RDS and AWS OpenSearch) and filestorage (AWS S3) are encrypted at rest in AWS using AES-256 key encryption. The keys are held, managed and rotated using AWS KMS.


The Jobylon platform has functions for pseudonymization.



An illustration of the Jobylon architecture can be provided upon request.

Network protection

Our network is protected through the use of application servers hardened and secured by our platform provider Heroku, key AWS security services, integration with our Cloudflare edge protection networks and WAF, regular audits, and application monitoring with anomaly detection.

Network Vulnerability Scanning

The network is hardened and scanned by our platform provider Heroku. The network is protected by a combination of Cloudflare web application firewall and DDoS-protection as well as the security measures our platform provider (Heroku) provides us, such as firewalls, DDoS-mitigation, spoofing/sniffing protection and port scanning (more on this can be found here on Herokus website).

Third-Party Penetration Tests

In addition to our extensive internal scanning and testing program, each year Jobylon employs third-party security experts to perform a broad penetration test on the system. On top of that, we invite our customers to run their own penetration tests and audits if and when requested.

Security Incident Event Management

Our logging as well as APM systems gather extensive logs from our host systems. The systems alert on triggers that notify the engineering team based on correlated events for investigation and response.

DDoS Mitigation

Jobylon uses a multi-layer approach to DDoS mitigation. Cloudflare provides network edge defense as well as WAF, whilst Heroku/AWS provides horizontal scaling and protection.

Logical Access

Logical access is limited to a small number of key personnel in the organization. All access is restricted to named accounts, forcing SSO (where possible) using our IdP and MFA.

Security Incident Response

We have an implemented incident management routine applicable to all employees. In short, the routine consists of the following steps:

  1. Suspicion of a security incident arises, e.g. a library has been scanned and a security vulnerability has been discovered, a general vulnerability is announced in the community, testing has discovered vulnerability in our code e.g. during third party pentesting and anomaly detected by APM and log tools.
  2. The suspicion is immediately reported to Jobylon’s CTO.
  3. Investigation begins if necessary, collecting information such as what data has been involved e.g. personal or not
  4. Evaluation of risk
  5. CTO involves Legal
  6. If personal data has been affected Jobylon’s personal data breach routine applies
  7. Documentation of findings and carry out potential action plan


Authentication and Authorization

Systems and Servers

Authentication to systems and servers are limited to a small number of staff, with authorization based on responsibilities. All access requires MFA and where possible are linked to Jobylon’s IdP. All accounts are named and personal.

Backoffice Access

Authentication is forced to use SSO using Jobylon’s IdP and MFA. All accounts are named and personal. Authorization limited to the customers that the employee supports.

Customer Application Access

Jobylon has several different authentication options:
- Username / password
- Single sign-on (SSO) with JIT candidate creations

With SSO authentication enabled, linked to the customer’s own IdP; users are created Just In Time (JIT) and roles can be set based on groups.

Service Credential Storage

Jobylon stores service credentials following best practices by never storing passwords in human-readable format, and only as the result of a secure, salted, one-way hash.

IP Restrictions

Upon a customer’s request, we can restrict access to the platform to users within a specific range of IP addresses. Only users from the allowed IP addresses will then be able to sign in to and use the service.

Role-Based Access Control

Permissions are role-based and assigned in accordance with functions involved in the processing activities.


Jobylon is hosted on a combination of platforms that support horizontal scaling across multiple datacenters and availability zones. Data is backed up at least once per day and kept for up to 30 days, with the possibility of restoring to a point in time. The continuity strategy is tested on an annual basis at the same time as we run our yearly external pentesting and internal risk assessments.


Development Process

Jobylon has a strong process in place starting from requirements, all the way throughout development and delivery and monitoring. All new features have a section on the requirements about security considerations. All new code are automatically scanned for vulnerabilities and reviewed against a security checklist based on OWASP Top-10. Security tests are part of our automated test suite and we manually pen-test our features. We automatically scan our libraries for security updates and evaluate and update if needed. We run yearly 3rd party security reviews and yearly internal risk assessments. Our platform is automatically kept up to date and security patches are deployed by our platform providers.

Framework Security Controls

Jobylon leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Quality Assurance

All new features are reviewed in the development teams before tis it pushed to our staging environment where they are verified before publishing i production. We systematically review every development using peer code reviews as well as check against a security checklist based on OWASP Top 10.

Separate Environments

Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.


Audit Logs

For security reasons we have audit logs that include all activity and actions a user taken on the platform.

Activity Logs

Activities connected to job ads, applications and candidate cards are logged so that our customers’ users can see which actions have been made with regard to a specific job ad and/or application and candidate card.


Dynamic Vulnerability scanning

Jobylon uses APM and logging to constantly monitor the performance and quality of the application. Source code is tested at all stages in the development process from requirements to development, test and delivery. We continuously scan our core applications against common web application security risks, including, but not limited to the OWASP Top 10 security risks. All new code is run through static code scanning tools and a strict security checklist. All libraries are scanned for updates and security patches and applied in an as timely manner as possible.


This policy and the implemented security measures shall be continuously tested, reviewed, assessed, evaluated and updated as necessary to ensure that the measures are appropriate in relation to the development of the platform, new industry standards and the personal data processing activities at hand.


Want to see Jobylon in action?

Get a product tour of our talent acquisition platform and discover why we are loved by recruiters, hiring managers, and HR leaders across the world's largest employers!

Book a demo