Data protection information for the use of softgarden Software as a Service
Data protection and information security are central components of softgarden’s products and services. The protection of your data and your trust are very important to us.
We have therefore implemented technical and organizational measures to ensure the security of processing, which we are continuously developing.
1. General Information
How does softgarden deal with data protection requests from data subjects?
As a processor, we have a high interest in handling confidential information and personal (applicant) data in a data protection-compliant manner. This also includes the protection of rights, in particular the processing and fulfilment of requests from data subjects. Due to legal obligations, all requests from data subjects must be answered and fulfilled by the data controller within four weeks. Requests are forwarded to our data protection team and reviewed according to established processes. Before you receive a request we will pre-qualify it.
How does softgarden deal with potential data breaches and security incidents?
The high integrity interests of our customers also include the handling of data protection and security incidents. Data protection incidents that are likely to result in a risk to the rights and freedoms of natural persons must by law be reported to the competent supervisory authority within 72 hours. A swift, structured review of security incidents is therefore important, and you will be informed without delay. Potential breaches can be detected by the information security structures or reported through the designated internal processes to the information security and data protection team, which reviews them in detail. In this way, we also review supposedly insignificant incidents and regularly train our employees on data protection and IT security compliance.
How does softgarden implement the information obligations under Art. 13 and 14 GDPR?
softgarden provides comprehensive data protection information for the Talent Acquisition Suite (recruiters) and the career pages (applicants). The information is modular, the content is based on the booked product scope and is regularly updated by softgarden. According to the GDPR, the information obligations under data protection law fall within the area of responsibility of the client company (responsible party in the sense of Art. 4 No. 7 GDPR). For this reason, we offer the option for our customers to use their own data protection declaration. The latter option is used in particular if there are company-specific requirements for information obligations due to the processing activity.
Please contact our Customer Service at support@softgarden.de.
How are data protection and information security guaranteed in the home/mobile office?
softgarden has established comprehensive security measures. Special technical and organisational precautions have been taken for the home and mobile office area to ensure data protection and data security. The work devices are encrypted and additionally equipped with a Virtual Private Network (VPN). Customer data is only kept in the data centres; access to the software is via HTTPS, and access to the system level is only possible for selected administrators via VPN. Special work guidelines exist for the home/mobile office area.
2. Data Processing Agreement (DPA)
What data is processed?
The scope of the processing of personal data mainly results from the description of processed data categories (Annex 1 of the contract for commissioned data processing). The annex to our contract for commissioned data processing also covers special categories of personal data. The exact scope of the data processed by you depends on the one hand on the requirements of the job advertisements and on the other hand on the scope of the data provided by the applicant. The data categories described in Annex 1 are therefore “broad”.
Where can I find a description of the technical and organisational measures?
A description of the technical and organisational measures (TOMs for short) can be found in Annex 2 to our contract for commissioned processing. To prove compliance with and further development of these measures, softgarden conducts regular internal and external audits and reviews in addition to a data protection and information security management system (DSMS/ISMS).
Who is responsible for data processing?
softgarden provides all services related to the Talent Acquisition Suite (applicant management system) as a processor, insofar as personal data are not expressly processed for its own business purposes and may be processed legitimately. Pursuant to Art. 4 No. 7 GDPR, the data controller for the use of the softgarden Talent Acquisition Suite (applicant management) is the customer company. In addition, processors (softgarden) are also data controllers within the meaning of the GDPR, for example with regard to their own subcontractors or processing for their own business purposes.
Is data transferred to third countries?
A third-country transfer of applicant data in the applicant management system does not take place and is not planned. Our software is hosted in data centres in Germany. Maintenance and operation are also carried out from Germany by softgarden employees. Furthermore, a third country transfer is only considered if the special data protection requirements are guaranteed.
Are there any subcontractors for order processing by softgarden and if so, which ones?
You can find a current list of our subcontractors in our terms of use: Appointed subcontractors
You can find the certificates and certifications of our subcontractors here:
softgarden uses Zendesk for support processing. Why is Zendesk not a subcontractor?
softgarden uses Zendesk as a tool to process support requests. In our relationship with Zendesk, we see ourselves as a data controller in the sense of data protection laws. Thus, Zendesk is not a subcontractor in the sense of order processing. We base the use of Zendesk in the context of support and thus the disclosure of our customers’ data (specifically, the business email address of the user submitting the request) on the legitimate interest pursuant to Art. 6 (1) lit. f GDPR. Alternatively, it is possible to contact the direct contacts with a request, e.g. by email. Zendesk stores data in the USA.
Are softgarden employees regularly trained in data protection and committed to confidentiality?
Training and committing employees to the confidentiality of personal data and customer information is part of both onboarding and offboarding as well as data protection and information security management at softgarden. For this purpose, we regularly conduct internal data protection and awareness trainings with a focus on data protection and information security. Our experts in this area are available to all colleagues as contact persons.
Is a backup concept in place and which tools are used? Have restorative tests been carried out?
In the event of a failure, a restore can usually take place immediately or on the same day. Files, databases and complete hard disks are backed up. There is redundant mirroring of the productive environment, so that even in the event of a failure of one data centre, productive operation can be started up in another data centre. Backups are geo-redundantly saved on encrypted data carriers. Among others, rsnapshot and Ceph RBD are used. Restore tests are carried out on a random basis. Backups are monitored and verified.
3. Applicant Management Software
How long is data kept?
In order to meet the legal requirements for data erasure, a global erasure concept has been established at process and product level. One focus is thus on the softgarden products, which, in order to meet the requirements of “privacy by design”, contain implementations for data deletion. An essential component is the automated deletion of applicant data, which can be set by the responsible party according to operational requirements. softgarden recommends setting the retention period for applicant data at six months.
Is there a description for the register of processing activities?
We provide our customers with the information for the legally obligatory register of processing activities. However, the description of softgarden’s processing activities with regard to commissioned processing does not replace the controller’s obligation to include the processing in its own directory.
Social share buttons for job advertisements
Within the job advertisements, it is possible to activate so-called “social share buttons” (XING, LinkedIn, Facebook, etc.). The buttons are not plugins of the social networks. Unless expressly specified, only external links are used. This means that data is only transmitted to the social networks when the website user clicks on the link.
Are accesses / activities logged in the system?
The system history logs access attempts to the applicant management system and modifying operations on records.
Downloads of PDF summaries of applications are also logged.
4. Jobportal (Standard)
How does softgarden count how often a job ad was viewed / clicked?
On the job ads that are displayed on career sites and various portals, there is a tracking pixel, a small image that is retrieved from our server tracker.softgarden.de every time the job ad is viewed. No personal data is collected or tracked in the process; only the number of times a job ad was displayed is counted. The number can be seen in the applicant tracking system as “views”. The number of “clicks” is calculated from the number of times the online application button was clicked. Again, no personal data is collected or tracked. It is not possible to draw conclusions about a specific user.
Why is there no cookie banner on the standard frontend?
Only technically necessary cookies are used here.
5. Compliance
Hosting made in Germany
At softgarden, all hosting is “Made in Germany”. Our certified data centers, WIIT AG (formerly myLoc managed IT AG) and Equinix Germany GmbH in Frankfurt am Main and Düsseldorf, offer the highest security standards for the storage and availability of your data.
Privacy policy
For softgarden, the protection and confidentiality of your data is of particular importance. Click here for the privacy policy of softgarden products. We have prepared a template for the data protection declaration for your own career portal: Simply check, customize and store it.
General Data Protection Regulation (GDPR)
The e-recruiting solutions from softgarden offer you the possibility to work in a GDPR-compliant manner. This is also confirmed by an external data protection assessment by procado Consulting, IT- & Medienservice GmbH. Our data protection management has been audited and certified by DEKRA.
6. Certificates & Contract Templates for Download
Certified quality management
softgarden is certified according to ISO 9001, ISO 27001 and also fulfills the requirements of ISO 27017 and ISO 27018.
DEKRA thus recognizes softgarden for its high product and service quality as well as its high standards in the area of information security. The continuous improvement of quality and security is a top priority for softgarden.
Terms of use and contract templates
Read the terms of use of softgarden e-recruiting GmbH for the use of the e-recruiting system “softgarden” here.
You can download our order processing contract to fill out here or sign it digitally here.
Penetration test certificate
softgarden’s software undergoes regular security tests. Click here for the current penetration test certificate.
7. Contact
Questions about data protection and security
If you have any further questions about data protection and data security at softgarden, you can submit a request using the following link: Submit a request
Notice and action mechanisms (Art. 12 DSA)
The contact point for users pursuant to Art. 12 DSA can be reached:
- by email to support@softgarden.de or info@softgarden.de
- by telephone on +49 (0)30 884 940 400
The contact point for Member State authorities, the EU Commission and the European Digital Services Board pursuant to Art. 11 DSA can be reached at support@softgarden.de. Any communication/inquiry can be made in German and English.