Data Privacy FAQ

This guide outlines frequently asked questions from security teams or legal teams.

Please note that this FAQ page is for informational purposes only. Although we do our best to keep this information up to date, you should always refer to our https://www.ashbyhq.com/resources/terms, https://www.ashbyhq.com/resources/privacy or your signed agreements with Ashby for the most accurate information. Please reach out to support@ashbyhq.com if you have questions not addressed in this page.

Overview

Protecting the privacy of our customers’ data is very important to us at Ashby, just as we know that protecting the privacy of your candidates’ and employees’ data is important to you. We offer flexible tools you can use to integrate Ashby with your compliance processes, letting your team stay focused on an efficient and effective recruiting pipeline. Our tools are being used by satisfied customers around the world who are subject to regulatory environments including GDPR, CCPA, and others.

If you’re an Ashby user or admin, all the information you need to use our features is right here on Ashby Knowledge Base, including documentation for

The rest of this document contains answers to common questions from customers with more specific technical, operational, or implementation concerns to help you decide if Ashby is the right fit for you.

Frequently Asked Questions

Ashby Permissions

What are the Ashby permission levels?

There are three levels of global access that can be assigned to users:

- Limited Access
- Elevated Access
- Organization Admin

Users are assigned Limited Access by default. Elevated Access and Organization Admins can be given specific access roles to jobs, locations and departments to provide or limit access as needed. For more information on permissions and to view the default access roles, check out

Can I create custom access roles?

Yes, you can create custom access roles to determine the specific areas of Ashby that users with that role can access. For more information on this, check out

Can changes to user permissions be viewed?

Yes. On the Employees page in Admin, Organization Admins can click on a user’s profile and navigate to the History tab to view a log of permissions changes made. The log includes a timestamp, the changes made and the name of the user who made the changes.

Anonymizing and Deleting Candidates

Looking for instructions for deleting or anonymizing a candidate? See docid\ dmwv1t1xms0rsjf7bb9vc

Ashby offers two options for permanently erasing candidate PII: hard deletion and anonymization.

- Hard deletion permanently removes all data associated with the candidate. This includes PII as well as metadata and historical information about the hiring process and outcome. This may be preferred when the data is erroneous or is otherwise reducing reporting accuracy.
- Anonymization permanently removes PII from the candidate record. Metadata and non-identifiable information is retained for historical reporting purposes. Most customers prefer this as their default deletion method, since it meets regulatory requirements for data erasure without sacrificing hiring process insights.

When is the data permanently erased?

When you anonymize a candidate from within Ashby, the erasure takes place immediately and cannot be undone from within Ashby.

When you delete a candidate, it is first “soft deleted”, but this can be undone by the same user, an admin, or by Ashby support. After 10 days, it is permanently erased from our application database. After the backup retention window of 30 days has expired, the data will be permanently erased from Ashby's backend.

What fields are considered PII for the purpose of anonymization?

Any candidate data field which is tagged internally as potential PII is required to be anonymized. When new candidate data fields are added to the platform, we evaluate them to determine if they constitute PII and mark them as such. The list of anonymized fields includes but is not limited to:

- Name
- Email addresses
- Phone numbers
- Education & employment history
- Candidate custom fields
- Social links
- Notes
- Follow ups
- Files
- Emails
- Scorecards

Any required fields which can’t be totally removed, such as candidate name, are replaced with random IDs, e.g. “Candidate 014a9974-b9d4-4619-9276-8e69326dc8f0”, or the string “This data has been anonymized.”

Does Ashby have a FedRAMP ATO?

No, Ashby is designed to store and process recruiting-related data, not sensitive public or governmental records. If you decide to use Ashby, you’ll need to take responsibility for not sharing this sensitive data with us. However, we do have customers with stricter compliance requirements who are happily using Ashby after implementing technical measures that guarantee any sensitive data is filtered out before it reaches our systems. If you’re considering that, please reach out!

Can Ashby execute a HIPAA BAA?

No, Ashby is designed to store and process recruiting-related data, not sensitive protected health information. If you decide to use Ashby, you’ll need to take responsibility for not sharing this sensitive data with us. However, we do have customers with stricter compliance requirements who are happily using Ashby after implementing technical measures that guarantee any sensitive data is filtered out before it reaches our systems. If you’re considering that, please reach out!