Criteria take the protection of our customers’ data very seriously. We have developed a robust cybersecurity strategy designed to provide ongoing security of data, systems and information collected and used in our core business operations.
This page provides answers to common security-related questions. Our internal security experts are happy to provide further information and to discuss our security protocols in more depth if required.
Is Criteria certified to ISO27001:2013 standard?
Yes. Our global operations are ISO27001:2013 certified as of 06 December 2021.
Which local and international regulations is Criteria compliant with?
We are compliant with:
- European Union General Data Protection Regulations
- California Consumer Privacy Act
- Australian Privacy Principles
- Australian Mandatory Breach Notification Scheme
Have you implemented data classification?
Yes. We have implemented a data classification system which sees data split into 3 high level categories: public, sensitive and private. Each of these categories and sub categories has different controls implemented to ensure the appropriate use of data in those classifications.
Where is your data stored?
Depending on which of our regional offices you are contracted with, your data will be stored in one of the two locations. Generally customers in APAC will have data stored in Australia and those in North America & other regions will have data stored in the United States.
What is your procedure for managing and handling customer data?
There are strict procedures in place for the handling of customer data. Access to customer data is restricted to employees operating in customer service, consulting psychology or R&D. Customer data is accessed by these teams under the following conditions:
- To deal with enquiries and complaints made by you relating to the Criteria Service;
- To address your questions, issues and concerns and improve the Criteria Service
- To monitor and improve the Criteria Service
Do you have Cyber Insurance?
Yes. Criteria maintains a comprehensive cyber insurance policy for applications and data we host.
We have a $5m cyber insurance policy.
What Personally Identifiable Information (PII) do you hold?
The PII held by Criteria is limited to data that is required for us to conduct our core business for our customers.
- Email Address
- Assessment results
- Employers Option: Resume and Application
- Other information may also be collected on a voluntary basis
In addition to the above information we collect:
- Candidate responses to our assessments
- Answers to questions through our TestMaker functionality
- Answers to questions in our video interviewing platform and notes made by interviewers
- Technical information related to:
- Candidates browser
- Browser version
- Operating System
- IP address
- Mobile (Y/N)
How can we access relevant privacy and security policies?
Asia and Pacific Region
What measures have been taken to protect data?
Criteria has implemented a multi-layered approach to protecting systems and data which covers:
- Legal and Regulatory Compliance
- Third party vulnerability and penetration testing
- Technical Controls
- Intrusion detection software
- Data encryption applied to data in transit and at rest
- Restricted Access to servers and data
- Staff awareness and training
Do you have a Disaster Recovery (DR) and Business Continuity Plan (BCP)?
Yes. Criteria maintains active DR and BCP plans which cover:
- Data storage and backups to multiple locations
- Regular testing of restoration of backups
- Utilization of certified data centers
- Adherence to jurisdictional legal requirements for breach notifications
- Escalation and notification procedures in the event of a data breach
Can we request additional security information?
We treat all personally identifiable information we capture with the utmost security, and we are happy to see that you are security-minded as well. Some of our Information Technology Security information is available online, however, there are some documents that are of a more sensitive nature and therefore we require a Non-Disclosure Agreement to be signed prior to its being shared. Please complete the DocuSign and your request will be sent for authentication so we may send you the Security Level 2 information you have requested. Sign NDA.
For more information:
Have questions? Contact us.