iCIMS Transfer Impact Assessment FAQ

General Privacy Compliance

The iCIMS Talent Cloud platform continually meets rigorous privacy and compliance standards and regulations to ensure that your data remains secure, including providing our customers product functionality to support their compliance with CCPA/CPRA and GDPR.  

iCIMS provides product functionality and documentation to support our customers’ GDPR compliance. This includes support for Data Subject Rights, configuration options to meet data minimization requirements, and managing consent, where applicable. Details can be found here. 

iCIMS processes customer personal data per its Subscription Agreement, and we do not sell job applicant data to third parties nor use or share subscriber data for advertising purposes except when that is the type of service being provided by iCIMS’ products. iCIMS provides customers with product functionality and documentation to support your compliance with the CCPA/CPRA. Details can be found here. 

iCIMS processes customer personal data per its Subscription Agreement, and we do not sell job applicant data to third parties nor use or share subscriber data for advertising purposes except when that is the type of service being provided by iCIMS’ products. 

iCIMS is a private entity. Where iCIMS processes personal data on behalf of its customers upon their instructions and in accordance with the Subscription Agreement, iCIMS is considered a data processor under the GDPR and a Service Provider under the CCPA/CPRA.  

Yes, iCIMS processes personal data on behalf of its customers in accordance with its Subscription Agreement or upon instruction. For more information, please see the Data Processing Addendum located here. 

Although iCIMS is not required to appoint a DPO, we do have a designated DPO and data protection and privacy team. 

Yes, iCIMS employees and contractors are required to complete security and privacy training annually and upon onboarding. This training is subject to internal and external audits as part of our ISO 27001 and ISO 27701 certifications.

Yes, iCIMS has a designated DPO and data protection and privacy team that are responsible for data protection and privacy. The iCIMS privacy program is designed to comply with global data protection and privacy laws, regulations, and best practices. The iCIMS privacy program is ISO 27701 (PIMS) certified and is subject to rigorous internal and external audits.  

Yes, iCIMS completes a PIA/DPIA for each of its records of processing activities. 

Yes, the iCIMS Data Processing Addendum includes the Standard Contractual Clauses and is incorporated in our Subscription Agreement. The iCIMS DPA and the iCIMS Subscriber Data Security Addendum incorporate specific measures and obligations that are required to comply with global data protection and privacy laws and regulations. You can find them here. 

On a quarterly basis, iCIMS conducts privacy audits to identify potential privacy risks and to ensure proper tracking and resolution of legal, regulatory and compliance issues. Additionally, iCIMS conducts these privacy audits to determine the applicability of relevant legislation and/or regulations and to assess and implement the necessary actions to address the identified privacy requirements. 

iCIMS maintains a host of internal and external privacy notices, policies and procedures. Some policies are available at www.icims.com/gc. In addition, the iCIMS Privacy Notice is available at https://www.icims.com/legal/privacy-notice-website/, while the iCIMS Services Privacy Notice, which relates to iCIMS products and services, is available at https://www.icims.com/legal/privacy-notice-services/. These policies are reviewed at least annually. 

Processing of Personal Data

iCIMS processes personal data on behalf of its customers in accordance with its Subscription Agreement or upon instruction. As the data controller, the customer determines what personal data elements are processed and who the data subjects are.  

The iCIMS Talent Cloud platform does not require sensitive data, but an iCIMS customer may choose to collect and process sensitive data through the iCIMS Talent Cloud platform. As the data controller, the customer determines what personal data elements are processed and who the data subjects are. As a data processor, iCIMS does not decide which data elements will be collected or how they will be used. 

As the data controller, the customer is responsible for providing notice to its candidates. The iCIMS platform allows customers to configure their own privacy notice. The iCIMS Services Privacy Notice can be found here. 

iCIMS processes customer personal data on a continuous basis in accordance with the frequency of use of iCIMS’ products by a customer’s candidates and users. 

As the Data Controller, the customer determines the volume of data collected based on the number of job openings and number of applications it receives.  

Yes, customer data will be deleted within 30 days (but kept for up to 1 year in backups) upon termination or expiration of the contract, as outlined in the iCIMS Subscription Agreement and DPA. Likewise, a customer may request a copy of their data within 10 days of the termination or expiration of the contract. As the data controller, the customer determines data retention requirements, which are configurable within most of the products that make up the iCIMS platform. If a product does not have configurable data retention functionality, iCIMS can support its customers with the deletion of data upon request.

Yes, as the data controller, iCIMS’ customers are responsible for managing data subject requests (i.e., determining validity, verifying identity, responding, etc.). The majority of the products that make up the iCIMS platform allow customers to receive and respond to data subject requests (i.e., know, update, delete) and are configurable by the customer. If a product does not have native functionality to respond to such requests, iCIMS will assist its customers with taking action on a data subject request upon instruction from the customer. More information is available here.

Data Transfers and Access

iCIMS has data centers in the US, Germany, Ireland, and Canada. The processing and storage location depends on which iCIMS data center a customer chooses to have their data hosted in and the specific product(s) that the customer subscribes to. 

The countries where customer personal data is transferred depend on the specific iCIMS products that a customer subscribes to. iCIMS can host data in the U.S., EU, and Canada for certain products. However, personal data is transferred outside of the EU when processed by our subprocessors and when iCIMS employees remotely access personal data to provide implementation, support, and maintenance services. For any data that needs to be transferred from the EU to outside of the EU, iCIMS will execute the EU Standard Contractual Clauses. For more information, please see the iCIMS Data Processing Addendum here and Subprocessor List here.

As the data controller, the customer determines user access. iCIMS allows customers to implement role-based access control to manage access to data hosted in the Talent Cloud. If access to customer data is required, only iCIMS staff with need-to-know permissions will be able to access customer data. All access by iCIMS is strictly for administering and delivering the Subscription, such as for support and security reasons. iCIMS logs and monitors all access to production systems that host or process customer data. Please reference the Subscriber Data Security Addendum located here.

iCIMS is self-certified to the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, and it will maintain its self-certification for the immediate future. However, iCIMS does not rely on Privacy Shield for cross-border data transfers. The iCIMS standard Data Processing Addendum (DPA) includes language that automatically applies the SCCs to personal data transfers from the EU, UK, and Switzerland to the U.S. Additionally, iCIMS ensures all subprocessor agreements include the Standard Contractual Clauses.  

The iCIMS standard Data Processing Addendum (DPA) includes language that automatically applies the SCCs to personal data transfers from the EU, UK, and Switzerland to the U.S. Additionally, iCIMS ensures necessary agreements are in place with applicable subprocessors, vendors, partners, and service providers to support cross-border transfers when applicable, which could include a DPA, Standard Contractual Clauses, and/or Binding Corporate Rules. Additionally, although iCIMS does not rely on Privacy Shield for cross-border data transfers, iCIMS maintains its EU-US and Swiss-US Privacy Shield self-certifications and continues to adhere to the Privacy Shield principles. iCIMS is also certified to comply with the APEC PRP standards to support data controllers in compliance with the APEC Cross Border Privacy Rules. 

Yes, the iCIMS DPA includes the 2021 EU SCCs and/or other applicable current model clauses, such as the UK IDTA.  

Yes, iCIMS has performed a Transfer Impact Assessment for all the countries to which we transfer, or from which we access, personal data from the EEA and/or UK. iCIMS maintains a robust vendor risk management program that includes Transfer Impact Assessments and that is subject to rigorous internal and external audits as part of our ISO certifications.

The subprocessors used depend on the specific iCIMS products that a particular customer subscribes to. The iCIMS subprocessor list is available here. 

Yes, iCIMS reviews each subprocessor contract to ensure it meets iCIMS’ requirements and the requirements of applicable law, including GDPR. iCIMS has executed standard contractual clauses with each subprocessor. 

Yes, depending on the purchased iCIMS products in scope, iCIMS may transfer personal data to iCIMS subprocessors and affiliates. iCIMS maintains a robust vendor risk management program that includes Transfer Impact Assessments and that is subject to rigorous internal and external audits as part of our ISO certifications. Additionally, iCIMS has executed Standard Contractual Clauses (SCCs) and DPAs with all subprocessors. A list of our subprocessors can be found here.

The EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield is still enforceable under US law and iCIMS continues to adhere to the Privacy Shield principles. Moreover, there is a chance an alternative arrangement may be reached between the EU, Switzerland, and U.S. If one is reached, maintaining self-certification will allow iCIMS to transition to any new arrangement more quickly. To see iCIMS’ Privacy Shield filing, please click here. 

Ultimately, this is a decision to be made by the customer (as the Data Controller). However, iCIMS can assist customers by answering their data privacy and security questions. 

Complying with the SCCs

No, iCIMS does not have reason to believe it will not be able to comply with the obligations set forth in the Standard Contractual Clauses (SCCs). With respect to the issue presented in Schrems II regarding government access to personal data, given the nature of the processing that iCIMS conducts on behalf of its customers, it is unlikely that iCIMS would be subject to a subpoena, warrant, order, or other request by any governmental authority to access or disclose information that may include customers’ personal data.   

To date, iCIMS has never received such a request. Further, in the unlikely event that iCIMS does receive such a request, iCIMS maintains an internal Third Party Access Request Procedure that outlines its response process. This includes, but is not limited to:  

  • assessing the nature, scope, and validity of the request;  
  • attempting to redirect the requesting authority to submit the request to the respective customer;  
  • seeking to challenge or oppose the request;  
  • forwarding the request to the respective customer or notifying the customer, if pertinent, and permitted by applicable law or court order;  
  • if the request cannot be challenged, opposed, or redirected to the respective customer, working with the requesting authority to ensure that the request is narrowly tailored and is in writing (e.g., an administrative subpoena from the respective requesting authority or a court of competent jurisdiction).

To date, iCIMS has never been subject to a subpoena, warrant, order, or other request by any governmental authority to access or disclose information that may include customers’ personal data. However, in the unlikely event that iCIMS should receive such a request, we maintain an internal Third Party Access Request Procedure which outlines our response process. This process includes providing transparency reports, if pertinent, and permitted by applicable law.  

For more information see: https://www.icims.com/legal/transparency-report/ 

Yes, iCIMS maintains best-in-class information security and privacy programs that have been certified to meet the standards of ISO 27001 and ISO 27701, respectively. Specifically, iCIMS uses strong cryptography and security protocols, such as TLS 1.2 or IPsec, to encrypt data in transit.

Yes, iCIMS maintains best-in-class information security and privacy programs that have been certified to meet the standards of ISO 27001 and ISO 27701, respectively. Specifically, iCIMS encrypts all personal data at rest using at least AES 256-bit encryption.  

iCIMS services do not contain any feature or defect that allows for surreptitious unauthorized access to customer data, except for access points for law enforcement as required by law. More specifically: 

  • iCIMS has not purposefully created back doors or similar programming that could be used to access the system and/or personal data 
  • iCIMS has not purposefully created or changed its business processes in a manner that facilitates access to personal data or systems, and 
  • national law or government policy does not require iCIMS to create or maintain back doors or to facilitate access to personal data or systems or for the importer to be in possession or to hand over the encryption key. 

Security Compliance

iCIMS has a long-standing commitment to information security. We have been ISO 27001 certified since 2014 and recently achieved the extension certificate, ISO 27701. This global privacy information and security certification supports compliance with the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA and CPRA), and other privacy legislation, demonstrating iCIMS’ commitment to upholding the highest standard of data security and protection with the most rigorous processes and systems in place. Additionally, we align to the NIST 800-171 and NIST 800-53 standards.

We are constantly working to improve our security, privacy, and data protection and compliance posture. With this in mind, we have completed the SOC 2, Type II Audit, which demonstrates iCIMS’ control effectiveness and represents an overview of iCIMS systems and the suitability of the design and operating effectiveness of security and availability controls over a period of time.  

The iCIMS Talent Cloud uses the AWS Key Management Service (KMS) and does not support customer-controlled encryption keys. KMS automatically manages the keys for iCIMS, rotates them regularly, and stores them in a hardware security module compliant with FIPS 140-2. As a result, iCIMS does not have access to the actual encryption keys and cannot provide encryption keys to its customers or to a government or law enforcement agency. Thus, iCIMS entrusts a third party within the country where the data is hosted, Amazon Web Services (the exact AWS entity depends on the data hosting location), with the encryption keys in order to comply with legal requirements for cross-border transfers.

No, iCIMS has not had a personal data breach. In the unlikely event iCIMS has a breach, an overview of our incident response process is in the Subscriber Data Security Addendum found here.  

iCIMS conducts at least one full backup daily and prior to any update to the Subscription. iCIMS maintains daily backups onsite and moves one of the daily backups to an off-site storage facility. Please see our Backup and Disaster Recovery Plan here. 

All backups are encrypted with AES-256-bit encryption.  

Backups are stored encrypted on secured backup media for up to 12 months before being securely destroyed. iCIMS can support shorter backup retention periods if requested.

iCIMS logs are retained for one year.  

iCIMS customers can request access to their Talent Cloud logs through iCIMS customer support.  At this time iCIMS does not support automated log exports or integration into customer log management tools. 

All iCIMS systems are configured to send logs to the iCIMS centralized log management platform. There, access is restricted to authorized personnel using multi-factor authentication. All logs are stored in an immutable format for the duration of the one-year retention period.

iCIMS conducts weekly vulnerability scans against external-facing systems as well as internal systems. All vulnerabilities with a rating of High or Critical are remediated within no more than 30 days. Where zero-day vulnerabilities are identified, iCIMS will remediate within no more than 14 days. Please review our security measures in our Subscriber Data Security Addendum found here.

No more than once per calendar year, Talent Cloud customers can request permission to conduct a penetration test via their customer service representative or by directly contacting the iCIMS Information Security team. Upon receiving approval, testing can commence during a mutually agreed upon timeframe.

At least once annually, iCIMS engages an independent third party to perform web application, infrastructure and mobile application penetration testing. Customers can request high-level summaries of these tests via their customer service representative or directly from iCIMS Information Security.

Security is an integral part of the iCIMS SDLC beginning with annual OWASP Top 10 training for all developers. All code is peer reviewed and undergoes both SAST and DAST testing before being promoted to production.  

iCIMS commits to applying all applicable security patches to systems at least once every 30 days. 

iCIMS has a formal documented incident response process that can be found here. 

iCIMS processes customer data on behalf of its customers in accordance with our Subscription Agreement and upon instruction. Our iCIMS Subscription Agreement addresses the confidentiality of data including our obligations and exceptions. Please see our Subscription Agreement here.  

Yes, our data governance measures are addressed in our Subscriber Data Security Addendum and Data Processing Addendum found here.

Yes, iCIMS maintains internal data classification policies and procedures, which are subject to rigorous internal and external audits as part of our SOC 2 Type 2 and ISO certifications. 

Authentication

The iCIMS Talent Cloud supports SAML 2.0, OAuth 2.0, HMAC and Basic Auth.

iCIMS Talent Cloud integrates with customer IdPs via SAML 2.0 integrations. Via SAML integrations, customers can enable their native password management and multi-factor authentication for all access to the Talent Cloud.