Security and Compliance

Ensuring robust data protection, maintaining strict privacy standards, and implementing a resilient architectural framework.
Custom Button

Scalable, highly reliable platform for online referrals.

Our infrastructure is designed to provide an extremely scalable, highly reliable platform for online referrals. Tens of thousands of employees are simultaneously supported making referrals, sending messages, sharing jobs, and importing contacts from their social networks. Admins are provided with highly secure access to their referral program data and analytics, both via our web interface and API.

Our data centers are hosted by Amazon Web Services (AWS). As such, AWS is primarily responsible for the confidentiality, integrity, availability, and physical security of our data centers.

Our application architecture, database encryption, and access are secured, controlled, audited, and monitored by our in-house engineers.

Our application infrastructure is built and managed according to security best practices and standards. We use redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24×7.

Customer Trust

We are committed to achieving and maintaining the trust of our customers. Integral to this mission is providing a robust security and privacy program that carefully considers data protection matters across our suite of services, including data submitted by customers to our services (“Customer Data”).

Services Covered

This documentation describes the architecture of, the security and privacy-related audits and certifications received for, and the administrative, technical, and physical controls applicable to the services branded as

Third-Party Infrastructure

The infrastructure used by to host customer data submitted to the Employee Referral service is provided by a third-party, Amazon Web Services, LLC (“AWS”). Currently, the infrastructure hosted by AWS in the hosting of customer instances is located in the United States.

Audits and Certifications

The Services undergo security assessments by internal and external personnel, which include infrastructure vulnerability assessments and application security assessments, on at least an annual basis. is SOC 2 Type 2 Certified. A report is available upon request. Information about security and privacy-related audits and certifications received by AWS, including ISO 27001 certification and Service Organization Control (SOC) reports, is available from the AWS Security Web site and the AWS Compliance Web site.

Data Center Certifications

Our data centers are maintained by Amazon Web Services. As such, they are continuously audited with certifications from accreditation bodies across geographies and verticals, including:

ISO 27001.

A widely-recognized international security standard that requires the design and implementation a comprehensive suite of security controls. Our certifying agent is EY CertifyPoint.

PCI DSS Level 1

PCI DSS is a standard that specifies best practices and various security controls in regards to cardholder data. Although most of our financial transactions are handled via invoices, we do process credit cards via from time to time.

SOC 1/SSAE 16/ISAE 3402

xSOC reports are completed to assure compliance with the ISAE 3402 security standards. While the ISAE standards apply specifically to professional accounting practices and their auditors, they’re still provide a strong.

Safe Harbor Compliance

Our European data centers are also fully compliant with applicable EU data protection laws and the Article 29 Working Party Model Clauses. Please note that Safe Harbor compliance is supported on a client-by-client basis with additional fees required for setup.

Scalable, highly reliable platform for online referrals.

Our application infrastructure is built and managed according to security best practices and standards. We use redundant and layered controls, continuous validation and testing, and a substantial amount of automation to ensure that the underlying infrastructure is monitored and protected 24×7.

Monitoring and Logging

We monitor our servers, databases, and network connections 24/7 to ensure stability, reliability, and security.

Deep visibility into API calls, including who, what, when, and from where calls were made.

Log aggregation, streamlining investigations and compliance reporting.

Alert notifications when specific events occur or thresholds are exceeded.

Network Protection

Perimeter firewalls and edge routers block unused protocols. Internal firewalls segregate traffic between the application and database tiers.

Intrusion detection sensors throughout the internal network report events to a security event management system for logging, alerts, and reports.

A third-party service provider continuously scans the network externally and alerts changes in baseline configuration.


All data are backed up at each data center, on a rotating schedule of incremental and full backups.

The backups are cloned over secure links to a secure archive.

Backups are not transported offsite and are securely destroyed when retired.


Our application is built for fast, on-demand scalability. Everything is built with enterprise level clients in mind, and we successfully serve many of the nation’s largest corporations.

Security Procedures, Policies and Logging

The services include a variety of configurable security controls that allow customers to tailor the security of the services for their own use. These controls include:

Administrative access to SSO and other user authentication methods. Customers can also decide if they want to allow access to their program to only individuals who were invited or who have a company email address. Access may also be granted to alumni or other third parties wishing to make referrals.

All logs are kept in a centralized logging service in order to enable security reviews and analysis.

Incident Management maintains security incident management policies and procedures. promptly notifies impacted customers of any actual or reasonably suspected unauthorized disclosure of their respective Customer Data to the extent permitted by law.

User Authentication

Access to the Services requires a valid user ID and password combination, which are encrypted via SSL/TLS while in transmission. Following a successful authentication, a randomly-generated credential is transmitted to the user’s browser or command line interface (CLI). All subsequent requests are authenticated with that credential.

Network Security & Encryption

Our application communications are secured by 128bit encryption using AES_128_GCM with ECDHE_RHSA key exchange over the Secure Socket Layer (SSL). This ensures private communication between our services and your devices.

Physical Security

Production data centers used to provide the services have access system controls in place. These facilities are designed to withstand adverse weather and other reasonably predictable natural conditions, are secured by around-the-clock guards, two-factor card key and biometric access screening and escort-controlled access, and are also supported by on-site back-up generators in the event of a power failure.

Reliability and Backup

Applications deployed on the services and customer data submitted to the services, up to the last committed transaction, are automatically replicated on a near real-time basis at the database layer and are backed up as part of the deployment process on secure, access controlled, and redundant storage. Additional technical information is available here.

Viruses implements practices and software to limit the risk of exposure to software viruses.

Data Encryption

Transport layer security (TLS) is required for any customer instance running on the Service. Customer connections to databases via the Services require SSL encryption.

Return of Customer Data

During the term of the agreement, customers may make copies of their respective Customer Data submitted to the Services by following instructions here. Within 30 days post contract termination, customers may request return of their respective customer data submitted to the services by contacting

Deletion of Customer Data

Upon termination of a customer database for any reason (such as account termination, nonpayment, or customer deletion of the database), Customer Data submitted to the Services is deleted after 365 days. This process is subject to applicable legal requirements.

Sensitive Personal Data

Important: The following types of sensitive personal data may not be submitted to the services:

Government issued identification numbers; financial information (such as credit or debit card numbers, any related security codes or passwords, and bank account numbers); information related to an individual’s physical or mental health; and information related to the provision or payment of health care.

For clarity, the foregoing restrictions do not apply to financial information provided to for the purposes of checking the financial qualifications of, and collecting payments from, customers, the processing of which is governed by the Privacy Statement.

Tracking and Analytics may track and analyze use of the Services for the purpose of helping improve both the Services and the user experience in using the Services. Without limiting the foregoing, may share data about’s customers' or their users' use of the Services (“Usage Statistics”) to’s service providers for the purpose of helping in such tracking or analysis, including improving its users’ experience with the Services, or as required by law.