Data protection information for the use of softgarden Software as a Service
Data protection and information security are central components of softgarden’s products and services. The protection of your data and your trust are very important to us.
Therefore, we have implemented technical and organisational measures to ensure the security of processing, which we are continuously developing.
How does softgarden deal with data protection requests from data subjects?
As a processor, we have a high interest in handling confidential information and personal (applicant) data in a data protection-compliant manner. This also includes the protection of rights, in particular the processing and fulfilment of requests from data subjects. Due to legal obligations, all requests from data subjects must be answered and fulfilled by the data controller within four weeks. Requests are forwarded to our data protection team and reviewed according to established processes. Before you receive a request we will pre-qualify it.
How does softgarden deal with potential data breaches and security incidents?
Our customers’ high integrity interests also cover the handling of data protection and security incidents. Because every data protection incident that is likely to result in a risk to the rights and freedoms of natural persons must by law be reported to the competent supervisory authority within 72 hours, a swift, structured review of security incidents is essential, and you will be informed without delay. Potential breaches are either detected by our information security structures or reported through the designated internal processes, and are then reviewed in detail by the information security and data protection team. In this way we also review supposedly insignificant incidents, and we regularly train our employees in data protection and IT security compliance.
How does softgarden implement the information requirements according to Art. 13 and 14 of the GDPR?
softgarden provides comprehensive data protection information for the Talent Acquisition Suite (recruiters) and the career pages (applicants). The information is modular, the content is based on the booked product scope and is regularly updated by softgarden. According to the GDPR, the information obligations under data protection law fall within the area of responsibility of the client company (responsible party in the sense of Art. 4 No. 7 GDPR). For this reason, we offer the option for our customers to use their own data protection declaration. The latter option is used in particular if there are company-specific requirements for information obligations due to the processing activity.
Please contact our Customer Service at firstname.lastname@example.org.
How are data protection and information security ensured in the home/mobile office?
softgarden has established comprehensive security measures. Special technical and organisational precautions have been taken for the home and mobile office area to ensure data protection and data security. The work devices are additionally equipped with a Virtual Private Network (VPN) and are encrypted. Customer data is kept only in the data centres; access to the software is via HTTPS; access at the system level is possible only for selected administrators via VPN. Special work guidelines exist for the home/mobile office area.
2. Data processing
Which data are processed?
The scope of the processing of personal data mainly results from the description of processed data categories (Annex 1 of the contract for commissioned data processing). The annex to our contract for commissioned data processing also covers special categories of personal data. The exact scope of the data processed by you depends on the one hand on the requirements of the job advertisements and on the other hand on the scope of the data provided by the applicant. The data categories described in Annex 1 are therefore “broad”.
Where can I find a description of the technical and organisational measures?
A description of the technical and organisational measures (TOMs for short) can be found in Annex 2 to our contract for commissioned processing. To prove compliance with and further development of these measures, softgarden conducts regular internal and external audits and reviews in addition to a data protection and information security management system (DSMS/ISMS).
You can find the latest proofs here:
Who is responsible for data processing?
softgarden provides all services related to the Talent Acquisition Suite (applicant management system) as a processor, insofar as personal data are not expressly processed for its own business purposes and may be processed legitimately. Pursuant to Art. 4 No. 7 GDPR, the data controller for the use of the softgarden Talent Acquisition Suite (applicant management) is the customer company. In addition, processors (softgarden) are also data controllers within the meaning of the GDPR, for example with regard to their own subcontractors or processing for their own business purposes.
Is data transferred to third countries?
A third-country transfer of applicant data in the applicant management system does not take place and is not planned. Our software is hosted in data centres in Germany. Maintenance and operation are also carried out from Germany by softgarden employees. Furthermore, a third country transfer is only considered if the special data protection requirements are guaranteed.
Are there any subcontractors for the commissioned processing by softgarden and if so, which ones?
It is important to us that our subcontractors meet adequate security standards. For example, in the context of contract processing, we pay particular attention to compliance with the GDPR and additionally to common security standards, such as certification according to ISO 27001.
Our data centres provide us with housing services, i.e. they provide us with power, rack space and internet, including firewalls, load balancers and secure SSL certificates. Maintenance and installation of hardware and software is done by softgarden. The data centres used are checked and audited by softgarden at regular intervals. The data centres are an unconditional contractual component of the service and order processing, without which we cannot provide our products. Currently, data centres of the following providers are used:
- myLoc managed IT AG, Am Gatherhof 44, 40472 Dusseldorf, Germany
- PlusServer GmbH, Welserstraße 14, 51149 Cologne, Germany
- Equinix Germany GmbH, Kruppstraße, 60388 Frankfurt am Main, Germany
For the so-called “CV parsing” we use a service of Textkernel B.V. Nieuwendammerkade 26 A 5, (1022AB) Amsterdam, the Netherlands. Textkernel is a subcontractor verified by softgarden in the context of order processing. As “CV parsing” is an optional and not an unconditional part of the contract, the use by our customers must be confirmed separately in the recruiter backend (so-called “opt-in”). Textkernel uses AI technologies to analyse CVs and to put them into a structured format. This data is temporarily stored by Textkernel on a server in Germany and cleaned once a week.
For calendar integration, softgarden uses a service provided by Cronofy Limited, 1 Broadway, Nottingham, NG1 1PR, England. Cronofy is a subcontractor of softgarden within the framework of order processing and represents an optional contractual component of the applicant management system. Cronofy can be used by our customers after a separate “Opt-In” in the Recruiter backend. The service is not activated by default. Further information on the technology and data protection can be found in the proofs provided by Cronofy.
You can find the proofs and certifications of our subcontractors here:
softgarden uses Zendesk for support processing. Why is Zendesk not a subcontractor?
softgarden uses Zendesk as a tool to process support requests. In our relationship with Zendesk, we see ourselves as a data controller in the sense of data protection laws. Thus, Zendesk is not a subcontractor in the sense of order processing. We base the use of Zendesk in the context of support and thus the disclosure of our customers’ data (specifically, the business email address of the user submitting the request) on the legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Alternatively, it is possible to contact the direct contacts with a request, e.g. by email. Zendesk stores data in the USA.
Are softgarden employees regularly trained in data protection and committed to confidentiality?
Training employees and committing them to the confidentiality of personal data and customer information is part of both onboarding and offboarding as well as of data protection and information security management at softgarden. For this purpose, we regularly conduct internal data protection and awareness trainings with a focus on data protection and information security. Our experts in this area are available to all colleagues as contact persons.
Is a backup concept in place and which tools are used? Have restore tests been carried out?
In the event of a failure, a restore can usually take place immediately or on the same day. Files, databases and complete hard disks are backed up. The productive environment is mirrored redundantly, so that even if one data centre fails, productive operation can be started up in another data centre. Backups are saved geo-redundantly on encrypted data carriers. Among others, rsnapshot and Ceph RBD are used. Restore tests are carried out on a random basis. Backups are monitored and verified.
3. Applicant management (Just Hire)
How long is data kept?
In order to meet the legal requirements for data erasure, a global erasure concept has been established at process and product level. One focus is therefore on the softgarden products, which, in order to meet the requirements of “privacy by design”, contain implementations for data deletion. An essential component is the automated deletion of applicant data, whose retention period can be set by the responsible party according to operational requirements. softgarden recommends setting the retention period for applicant data to six months.
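To make the automated-deletion mechanism described above concrete, here is an added example of a retention sweep; it is not softgarden’s code and says nothing about how the product implements deletion internally. It assumes a record layout (applicant id, contact data, date of last activity, an optional legal hold flag) and a retention period in days, with 180 days standing in for the recommended six months. Records past their retention period are erased and only a non-personal audit entry (ids, date, configured period) is kept, so the audit trail itself does not become a copy of the applicant data.

```python
"""Retention sweep for applicant records.

Added example, not softgarden's code. It illustrates the kind of
automated deletion a controller configures: every record whose
retention period has expired is erased and only a non-personal audit
entry is kept. The record layout and the helper names are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Tuple

DEFAULT_RETENTION_DAYS = 180  # stands in for the six months recommended on the page


@dataclass
class Applicant:
    applicant_id: str
    name: str
    email: str
    last_activity: date       # hypothetical: date of the last change to the application
    legal_hold: bool = False  # constructed: records under a hold are never auto-deleted


@dataclass
class AuditEntry:
    """What survives the sweep: only ids and parameters, no personal data."""
    sweep_date: date
    retention_days: int
    deleted_ids: List[str] = field(default_factory=list)
    held_ids: List[str] = field(default_factory=list)


def expired(app: Applicant, today: date, retention_days: int) -> bool:
    """True when the retention period counted from the last activity has elapsed."""
    return app.last_activity + timedelta(days=retention_days) < today


def sweep(store: Dict[str, Applicant], today: date,
          retention_days: int = DEFAULT_RETENTION_DAYS) -> AuditEntry:
    """Delete expired records from `store` in place and return the audit entry."""
    if retention_days <= 0:
        raise ValueError("retention period must be positive")
    entry = AuditEntry(today, retention_days)
    for app_id, app in list(store.items()):  # copy: the dict is modified during iteration
        if not expired(app, today, retention_days):
            continue
        if app.legal_hold:
            entry.held_ids.append(app_id)   # expired, but kept; reviewed manually
            continue
        del store[app_id]
        entry.deleted_ids.append(app_id)
    return entry


def sample_store() -> Dict[str, Applicant]:
    """Constructed sample data for one run of the sweep."""
    return {
        "A1": Applicant("A1", "Alice Example", "alice@example.org", date(2023, 1, 10)),
        "A2": Applicant("A2", "Bob Example", "bob@example.org", date(2023, 9, 1)),
        "A3": Applicant("A3", "Cara Example", "cara@example.org", date(2023, 2, 1),
                        legal_hold=True),
    }


def demo(today_iso: str = "2023-10-01") -> Tuple[AuditEntry, List[str]]:
    """Run the sweep on the sample data; returns the audit entry and the surviving ids."""
    store = sample_store()
    entry = sweep(store, date.fromisoformat(today_iso))
    return entry, sorted(store)


if __name__ == "__main__":
    audit, remaining = demo()
    print("deleted:", audit.deleted_ids, "held:", audit.held_ids, "remaining:", remaining)
```

The sweep is idempotent, so it can run daily from a scheduler; the legal-hold branch is the edge case worth keeping, since a deletion routine that ignores pending disputes or litigation holds is itself a compliance problem.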
Is there a description for the register of processing activities?
We provide our customers with the information for the legally obligatory register of processing activities. However, the description of softgarden’s processing activities with regard to commissioned processing does not replace the controller’s obligation to include the processing in its own directory.
Social share buttons for job advertisements
Within the job advertisements, it is possible to activate so-called “social share buttons” (XING, LinkedIn, Facebook, etc.). The buttons are not plugins of the social networks. Unless expressly specified, only external links are used. This means that data is only transmitted to the social networks when the website user clicks on the link.
Video interview with Jitsi
We provide our customers in applicant management with the possibility to conduct job interviews quickly and easily via video interviews. For this purpose, we use the Jitsi software, which is operated in a separate installation within the softgarden infrastructure. In the case of two communication partners, the connection is established via so-called “P2P” (“peer to peer”) technology, i.e. the connection does not run via the softgarden servers but directly between the interview partners. If there are more than two participants in the interview, the softgarden server acts as an intermediary. No recordings of any kind are made. The video data is exchanged directly between the communication partners.
Since the Jitsi server is operated by softgarden, there is no subcontracting relationship with a subcontractor.
Are accesses / activities logged in the system?
The system history logs access attempts to the applicant management system and modifying operations on records.
Downloads of PDF summaries of applications are also logged.
4. Jobportal (Standard)
How does softgarden count how often a job ad was viewed / clicked?
The job ads displayed on career sites and various portals contain a tracking pixel, a small image that is retrieved from our server tracker.softgarden.de every time the job ad is viewed. No personal data is collected or tracked in the process; only the number of times a job ad was displayed is counted. This number can be seen in the applicant tracking system as “views”. The number of “clicks” is calculated from the number of times the online application button was clicked. Again, no personal data is collected or tracked. It is not possible to draw conclusions about a specific user.
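As an added illustration of the counting principle described above (not softgarden’s code, and not a description of how tracker.softgarden.de is implemented), the following Python handler serves a 1×1 GIF for a pixel URL and increments a per-ad counter. The URL layout (/pixel/<job_id>.gif and /apply/<job_id>), the header names and the in-memory store are assumptions. The point it makes is structural: the visitor’s IP address, User-Agent and cookies are accepted by the handler but never read or stored, so the counter cannot be used to draw conclusions about an individual user.

```python
"""Privacy-preserving view/click counter for job ads.

Added example, not softgarden's code. A pixel request only increments a
per-ad counter; nothing about the visitor is retained. The URL layout,
the header names and the in-memory store are assumptions.
"""
import base64
import re
from typing import Dict, Tuple

# 1x1 transparent GIF, the usual payload behind a tracking pixel.
PIXEL_GIF = base64.b64decode("R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7")

# Only a plain ad identifier is accepted; anything else is a 404 and is not counted.
PIXEL_PATH = re.compile(r"^/pixel/(?P<job_id>[A-Za-z0-9_-]{1,64})\.gif$")
CLICK_PATH = re.compile(r"^/apply/(?P<job_id>[A-Za-z0-9_-]{1,64})$")

Response = Tuple[int, Dict[str, str], bytes]


class AdCounters:
    """Per-ad counters. The store holds integers keyed by ad id and nothing else."""

    def __init__(self) -> None:
        self.views: Dict[str, int] = {}
        self.clicks: Dict[str, int] = {}

    def handle(self, method: str, path: str, headers: Dict[str, str]) -> Response:
        """Route one request.

        `headers` (IP, User-Agent, Cookie, ...) is accepted so the signature looks
        like a real handler, but it is deliberately never read or stored.
        """
        if method != "GET":
            return 405, {"Allow": "GET"}, b""
        m = PIXEL_PATH.match(path)
        if m:
            job = m.group("job_id")
            self.views[job] = self.views.get(job, 0) + 1
            return 200, {"Content-Type": "image/gif",
                         "Cache-Control": "no-store"}, PIXEL_GIF  # every view must reach the server
        m = CLICK_PATH.match(path)
        if m:
            job = m.group("job_id")
            self.clicks[job] = self.clicks.get(job, 0) + 1
            return 302, {"Location": f"/form/{job}"}, b""  # hypothetical application form URL
        return 404, {}, b""

    def stats(self, job_id: str) -> Dict[str, int]:
        """The two numbers a recruiter would see for an ad."""
        return {"views": self.views.get(job_id, 0), "clicks": self.clicks.get(job_id, 0)}


def demo() -> Dict[str, int]:
    """Constructed traffic: three pixel loads, one click and one malformed path for ad 'J42'."""
    counters = AdCounters()
    visitor = {"User-Agent": "ExampleBrowser/1.0",
               "X-Forwarded-For": "203.0.113.7",   # constructed documentation address
               "Cookie": "sid=abc"}
    for _ in range(3):
        counters.handle("GET", "/pixel/J42.gif", visitor)
    counters.handle("GET", "/apply/J42", visitor)
    counters.handle("GET", "/pixel/../J42.gif", visitor)  # rejected by the path pattern
    return counters.stats("J42")


if __name__ == "__main__":
    print(demo())
```

The Cache-Control: no-store header matters for the count: a cached pixel would be served by the browser or an intermediate proxy without the server ever seeing the view. The strict id pattern is the other design choice, since an endpoint that accepts arbitrary strings as keys would let anyone fill the counter store with junk.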
5. All certificates and important attachments at a glance
Hosting made in Germany
At softgarden, all hosting is “Made in Germany”. Our certified data centres Plusserver GmbH in Cologne and Düsseldorf, myLoc Managed IT AG in Dusseldorf, as well as Equinix Germany GmbH in Frankfurt/Main, offer the highest security standards for the storage and availability of your data. Compliance with the requirements of ISO 27001 is confirmed by TÜV Süd Management Service GmbH.
Data Protection Declaration
We have prepared a sample data protection declaration for your own career portal: Simply check, individualise and store it.
General Data Protection Regulation
The e-recruiting solutions from softgarden offer you the possibility to work GDPR-compliant. This is also confirmed by an external data protection assessment by procado Consulting, IT- & Medienservice GmbH. Our data protection management has been audited and certified by DEKRA.
Certified quality management
Since 23.03.2020 softgarden has been certified according to ISO 9001:2015. With this, DEKRA distinguishes softgarden for its high product and service quality. The continuous improvement of this quality is softgarden’s top priority.
- Certificate DIN EN ISO 9001
- Certificate DIN EN ISO 27001
- Attestation DIN EN ISO/IEC 27017:2021 and DIN EN ISO/IEC 27018:2020
We protect you
softgarden’s software undergoes regular security tests. Click here for the current penetration test certificate.