Privacy & Security
What do we do?
Guide’s candidate experience platform helps organizations personalize the interview experience and automate candidate preparation.
How do we ensure user data is protected?
Guide protects user data at every stage of the product's data flow: account creation and integration through Google's OAuth service, encryption of data in transit to Guide servers (TLS 1.3+, negotiated by the browser), encryption of sensitive access tokens at rest (AES-256), and a range of administrative, physical and technical safeguards designed to keep our customers' data secure.
We build security into our services to protect your information. Guide is built with robust security features that protect your information continuously. What we learn from operating our services helps us detect security threats and automatically block them before they reach the client. If we detect something risky that we think the client should know about, we notify the client and guide them through the steps needed to stay protected.
We work hard to protect the client's data from unauthorized access, alteration, disclosure, or destruction by:
- Using encryption (TLS 1.3+) to keep your data private while in transit.
- Using encryption (AES-256) to keep your most sensitive data (API keys and access tokens) private at rest.
- Using Google OAuth, a secure authentication system, for user login. Learn more about why we use Google OAuth on our Security page.
- Reviewing our information collection, storage, and processing practices, including physical security measures, to prevent unauthorized access to our systems.
- Restricting access to personal information to the Guide employees, contractors, and agents who need it in order to process it. Anyone with this access is subject to strict contractual confidentiality obligations and may be disciplined or terminated if they fail to meet them.
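As an added illustration of the encryption-at-rest bullet above (example code written for this page, not Guide's own implementation): a small Go token vault that seals an OAuth access token with AES-256-GCM before it is stored and verifies it on the way out. The key, user ID and token value are constructed placeholders; in a real deployment the key would come from a KMS or secrets manager. Binding the token to the owning user ID as associated data is a design choice of this example, not something the page states.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// TokenVault seals OAuth access tokens with AES-256-GCM before they are written to storage.
type TokenVault struct {
	aead cipher.AEAD
}

// NewTokenVault takes a 32-byte key (AES-256). In production the key comes from a KMS or
// secrets manager, never from source code; testKey below is a constructed placeholder.
func NewTokenVault(key []byte) (*TokenVault, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TokenVault{aead: aead}, nil
}

// Seal encrypts token for the given user. The user ID is bound as associated data, so a
// ciphertext copied into another user's row fails to decrypt instead of yielding a token.
func (v *TokenVault) Seal(userID, token string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	// Stored layout: nonce || ciphertext || GCM tag, base64-encoded for a text column.
	ct := v.aead.Seal(nonce, nonce, []byte(token), []byte(userID))
	return base64.StdEncoding.EncodeToString(ct), nil
}

// Open decrypts a stored value; any change to nonce, ciphertext, tag or user ID is rejected.
func (v *TokenVault) Open(userID, stored string) (string, error) {
	raw, err := base64.StdEncoding.DecodeString(stored)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(userID))
	if err != nil {
		return "", errors.New("token integrity check failed")
	}
	return string(pt), nil
}

// testKey is a constructed 32-byte key used only for this demonstration.
var testKey = []byte("0123456789abcdef0123456789abcdef")

func main() {
	v, _ := NewTokenVault(testKey)
	sealed, _ := v.Seal("user-42", "tok_constructed_example") // constructed token value
	fmt.Println("stored:", sealed)
	tok, err := v.Open("user-42", sealed)
	fmt.Println("recovered:", tok, err)
	_, err = v.Open("user-99", sealed)
	fmt.Println("wrong user:", err)
}
```

GCM gives both confidentiality and integrity: a flipped bit anywhere in the stored value, or a ciphertext moved to a different user's record, fails authentication rather than decrypting to garbage or to a usable token, which unauthenticated AES modes would not guarantee.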
Please contact firstname.lastname@example.org to request a copy of our Security and Compliance Whitepaper, or to report a vulnerability in the Guide application.
If a customer chooses to enable certain features for their account, two additional G Suite OAuth scopes may be requested:
Guide optionally allows sending emails to candidates from within our application. We use the Gmail API with the gmail.send scope and send directly from the user's own email account, so that emails do not land in the Updates or Promotions folder of your candidates' inboxes. Sending from within the application also lets us fill in variables such as the candidate's name and the candidate's unique Guide URL.
- The gmail.send scope only allows us to send new messages.
- We do not have read access to your users’ inboxes.
- Our application stores a copy of messages sent via Guide to show in the application.
Calendar Invite Sync
When interviews are scheduled in your ATS, the candidate is not typically included on the calendar events. Once all interviews have been scheduled, the candidate is typically sent separate calendar invites (or an email with a text version of the schedule, and is expected to create their own calendar entries).
Guide uses the Gmail API (the gmail.send scope) to send ICS files by email, with Guide as the organizer so that we receive notifications of candidate RSVPs. No additional G Suite permission is needed for us to sync calendar invites; we do not have read or write access to your users' calendars.
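An added example of the invite mechanism described above (not code from the Guide product; the organizer address, attendee addresses and product ID are constructed): a Go generator for an RFC 5545 iTIP REQUEST in which the organizer is the platform's own mailbox, so the candidate's RSVP reply is addressed back to the platform and no calendar scope is involved, plus a minimal property reader used to check that the organizer is set as intended.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Invite is one interview slot sent to the candidate by email as an ICS attachment. The
// ORGANIZER is the platform's own mailbox, so the candidate's RSVP (an iTIP REPLY) comes back
// to the platform; the interviewer is listed as an attendee, just like the candidate.
type Invite struct {
	UID, Summary                                                     string
	Start, End                                                       time.Time
	OrganizerName, OrganizerEmail, CandidateEmail, InterviewerEmail string
}

// escapeText applies RFC 5545 TEXT escaping so user-supplied strings cannot inject properties.
func escapeText(s string) string {
	return strings.NewReplacer(`\`, `\\`, ";", `\;`, ",", `\,`, "\r\n", `\n`, "\n", `\n`).Replace(s)
}

// foldLine wraps content lines longer than 75 octets (RFC 5545 section 3.1), counting the
// leading space of each continuation line and never splitting a multi-byte UTF-8 sequence.
func foldLine(line string) string {
	const limit = 75
	var b strings.Builder
	for first := true; len(line) > 0; first = false {
		n := limit
		if !first {
			n = limit - 1
			b.WriteString("\r\n ")
		}
		if n >= len(line) {
			n = len(line)
		} else {
			for n > 1 && line[n]&0xC0 == 0x80 {
				n--
			}
		}
		b.WriteString(line[:n])
		line = line[n:]
	}
	return b.String()
}

// Render produces the iTIP REQUEST body; now is injected so output is deterministic in tests.
func (inv Invite) Render(now time.Time) string {
	ts := func(t time.Time) string { return t.UTC().Format("20060102T150405Z") }
	lines := []string{
		"BEGIN:VCALENDAR",
		"VERSION:2.0",
		"PRODID:-//example.invalid//interview scheduler//EN", // constructed product id
		"METHOD:REQUEST",
		"BEGIN:VEVENT",
		"UID:" + inv.UID,
		"DTSTAMP:" + ts(now),
		"DTSTART:" + ts(inv.Start),
		"DTEND:" + ts(inv.End),
		"SUMMARY:" + escapeText(inv.Summary),
		// CN is a parameter value: it is quoted, and double quotes (the only forbidden char) are dropped
		fmt.Sprintf("ORGANIZER;CN=\"%s\":mailto:%s", strings.ReplaceAll(inv.OrganizerName, `"`, ""), inv.OrganizerEmail),
	}
	for _, e := range []string{inv.CandidateEmail, inv.InterviewerEmail} {
		lines = append(lines, "ATTENDEE;ROLE=REQ-PARTICIPANT;PARTSTAT=NEEDS-ACTION;RSVP=TRUE:mailto:"+e)
	}
	lines = append(lines, "END:VEVENT", "END:VCALENDAR")
	var b strings.Builder
	for _, l := range lines {
		b.WriteString(foldLine(l) + "\r\n")
	}
	return b.String()
}

// Property unfolds an ICS body and returns the first value for name (minimal reader for this
// generator's own output; it assumes no ':' inside parameter values).
func Property(ics, name string) string {
	unfolded := strings.ReplaceAll(ics, "\r\n ", "")
	for _, l := range strings.Split(unfolded, "\r\n") {
		key, value, ok := strings.Cut(l, ":")
		if !ok {
			continue
		}
		if n, _, _ := strings.Cut(key, ";"); n == name {
			return value
		}
	}
	return ""
}

func main() {
	inv := Invite{UID: "constructed-uid-1@example.invalid", Summary: "Phone screen; Acme, Inc.",
		Start: time.Date(2024, 3, 5, 17, 0, 0, 0, time.UTC), End: time.Date(2024, 3, 5, 17, 30, 0, 0, time.UTC),
		OrganizerName: "Interview Scheduler", OrganizerEmail: "scheduling@example.invalid",
		CandidateEmail: "candidate@example.invalid", InterviewerEmail: "interviewer@example.invalid"}
	ics := inv.Render(time.Now())
	fmt.Print(ics)
	fmt.Println("RSVPs are addressed to:", Property(ics, "ORGANIZER"))
}
```

The escaping and folding matter for a mail-delivered invite: a candidate name or job title containing ";" or a newline must not be able to start a new property, and clients reject content lines over 75 octets. Because the ORGANIZER is the platform's address, the candidate's calendar client sends its REPLY there, which is what makes RSVP tracking possible without any calendar read or write scope.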
Phone Screen Scheduling
When a 1-on-1 interview is being scheduled with a candidate, it is often simpler to send the candidate the interviewer’s availability (for instance, the recruiter or hiring manager’s availability), and let the candidate book directly on their calendar. This bypasses the back-and-forth of requesting availability and confirming times over email.
Optionally, Guide can insert the interviewer’s availability directly in the candidate’s guide. The candidate is able to book, and we will automatically send calendar invites to both the interviewer and the candidate.
- To accomplish this we request the calendar permission, a sensitive (not restricted) scope of the G Suite API.
- Guide is granted read, write and delete permissions on the user's calendars. This is not a domain-wide permission: users must individually opt in.
- Guide passes the authenticated token to a third-party service called Nylas, which interfaces with the G Suite API. Nylas holds enterprise-grade security certifications, and we let them handle syncing of the calendar data. We only react to and store the specific interviews created by our Phone Screen Scheduler.
Guide's use and transfer to any other app of information received from Google Accounts will adhere to the Google API Services User Data Policy, including the Limited Use requirements.
Connecting Guide with your ATS enables you to automatically create, send, and update the content candidates see in their guides based on their current interview stage in your ATS. This also enables the automatic syncing of key information for candidates, such as interviewer profiles and interview schedules.
API Key Permissions
- At a high level, we only require GET permissions to get started. This allows us to create a mirror of the ATS in the Guide system, enabling our service to keep candidate guides up-to-date as information about their application changes in the ATS.
- Additional permissions can be granted to the Guide application to enable more features. One example is our Phone Screen Scheduler, which requires POST, PATCH and UPDATE permissions for Scheduled Interviews in your ATS.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a European privacy law that went into effect on May 25, 2018. It is based on the European understanding that privacy is a fundamental human right. Established by the EU Parliament, the GDPR regulates how individuals and organizations may obtain, use, store, and remove personal data. It gives EU citizens and residents control over their personal data, and simplifies the regulatory environment for international business conducted in the EU.
What is personal data?
The GDPR defines personal data as any information that can be used to directly or indirectly identify a person, such as a name, photograph, email address, or even an IP address.
What are the requirements of the GDPR?
The Data Protection Principles include the following requirements:
- Personal data must be processed in a fair, legal, and transparent way, and used only in ways a person would reasonably expect.
- Personal data should only be collected to fulfill a specific purpose, and used only for that purpose. Organizations must specify why they need the personal data when they collect it.
- Personal data should be held no longer than necessary to fulfill its purpose.
- People covered by the GDPR have the right to access their own personal data. They can also request a copy of their data, and request that their data be updated, deleted, restricted, or transported to another organization.
Why is it important?
The GDPR adds new requirements for how companies must protect the personal data they collect and process. It also raises the stakes for compliance by increasing enforcement and imposing larger fines for breaches. Beyond that, it is simply the right thing to do. At Guide we respect your data privacy, and we have solid security and privacy practices in place that go beyond the requirements of this regulation.
Guide’s commitment to GDPR Compliance and data privacy
Here is an overview of how Guide has prepared to meet the regulation's requirements.
Training and awareness
Guide requires that all employees learn about and follow GDPR regulations, and ensures that all employees participate in the necessary training.
Updates to our third party vendor contracts
We reviewed the third-party vendors we use to provide our products and services and performed a comprehensive review of their GDPR compliance.
Individual Data Subject’s Rights - Data Access, Portability and Deletion
Risk Assessment (data protection impact assessments)
One of the GDPR requirements is a managed data protection impact assessment (DPIA) process. A DPIA is a way to identify and minimize the data protection risks of a project. The Guide engineering team has always performed security and privacy due diligence when choosing tools and making implementation decisions, so this requirement fits how we already work. Whenever we change the way we handle personal data, we discuss the potential impact on Guide customers and explore possible privacy and security risks to that data. If any risk is identified, however small, our product and engineering teams collaborate on a solution that mitigates the privacy and security risk to anyone who interacts with the Guide platform. We will continue to run this risk assessment process as we expand Guide's offerings.
We updated our existing breach management and communication plan to comply with the GDPR's requirements for the escalation process and for notifying data subjects.
We are here for you
We are working with our customers to answer any questions and address any concerns regarding how we protect their personal data. If you have any questions, please don’t hesitate to reach out.