Over the past several years, a number of laws and regulations have been passed around the world to strengthen the rights that individuals have over their personal data. In the EU, the General Data Protection Regulation (GDPR) became enforceable in May 2018, replacing the 1995 EU Data Protection Directive (Directive 95/46/EC). The GDPR broadens the rights of individuals in the EU to control their data and creates a uniform data protection law across Europe. Similarly, in the United States, the California Consumer Privacy Act (CCPA) took effect in January 2020, enhancing privacy rights and consumer protection for residents of California.
Bullhorn complies with the GDPR and CCPA requirements applicable to it as a data processor and evaluates the data protection law landscape in the countries, states and provinces in which it operates. Bullhorn is committed to its customers and to the protection of its customers' data.
In addition, within our services offerings, Bullhorn endeavors to provide features and functionality that help our customers meet their GDPR, CCPA and other data protection obligations as data controllers/businesses.
We are committed to addressing the EU, US and other data protection requirements applicable to us as a data processor. These efforts include:
Data processing: Our ability to fulfill our data protection commitments as a data processor to our customers, the data controllers/businesses, is a fundamental part of our compliance with applicable data protection laws wherever data controllers/businesses use a third party like us to process personal data. Bullhorn has worked closely with local counsel in the countries in which we operate to ensure that our agreements and/or policies contain appropriate provisions that (i) address the processing and storage of personal data by Bullhorn, (ii) set out our privacy commitments to our customers, and (iii) define the rights and obligations of the data controllers/businesses (our customers) and the data processor (Bullhorn).
Third-party audits and certifications: Bullhorn was one of the first applicant tracking systems (ATS) to obtain a SOC 1 report, and one of the first software-as-a-service (SaaS) companies outside the financial industry to use the SSAE 16/18 framework for independent security review. Bullhorn also holds a SOC 2, Type 2 report, which attests to the controls in place for the security, availability, confidentiality and privacy of the designated services offerings. Bullhorn engages an independent third party to perform annual SOC 1, Type 2 and SOC 2, Type 2 audits that review the applicable internal controls and processes. The audits cover internal governance, production operations, change management, data backups, and software development processes. A Type 2 audit evaluates not only that the appropriate controls and processes are in place, but that they operated effectively over the audit period in accordance with the related standards.
The SOC program provides independent evaluation that our security practices meet a recognized standard. The program is designed to cover key elements of data processing and integrity while maintaining auditing practices within our business and operational processes. Because all customers are concerned with their data and its security, Bullhorn has integrated its SOC controls into its operating procedures. These procedures span the organization, teams and functions that provide service or support to our clients on our platform. The key components of our SOC controls environment include:
International data transfers: Bullhorn, Inc. and its affiliates (collectively, "Bullhorn Group Companies") have entered into Standard Contractual Clauses ("SCC"), as approved by the European Commission under the GDPR, among themselves for the transfer of personal data from Bullhorn Group Companies in the EEA, UK and Switzerland to Bullhorn Group Companies outside these territories.
The SCC set out the appropriate safeguards for the protection of the privacy and fundamental rights and freedoms of European individuals when their data is transferred outside the EEA, UK and Switzerland. The SCC also govern access to personal data by our sub-processors outside the EEA, UK and Switzerland. In addition, Bullhorn, Inc., Erecruit Holdings, LLC ("Erecruit") and Bond International Software, Inc. ("Bond") comply with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework, as set forth by the U.S. Department of Commerce, regarding the collection, use, and retention of personal information transferred to the United States from the EEA and UK, and from Switzerland, respectively. Note that the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield as a lawful transfer mechanism in July 2020 (Schrems II), so transfers from the EEA rely on the SCC described above; the Privacy Shield commitments nevertheless continue to apply to data already received under that framework. Bullhorn, Inc., Erecruit and Bond are committed to handling all personal data they receive from data exporters in the EEA, UK and Switzerland in accordance with the applicable Privacy Shield Principles. To learn more about the Privacy Shield Framework and the Privacy Shield Principles, and to view our certification, please visit the U.S. Department of Commerce's Privacy Shield website at https://www.privacyshield.gov.
Data portability: The GDPR and CCPA impose certain requirements on data controllers/businesses regarding the portability of personal data. The data our customers store in Bullhorn is theirs. We provide for portability and continue to improve the robustness of our data export capabilities.
Subject Access, Rectification, Erasure and Other Requests: The GDPR and CCPA require data controllers/businesses to provide individuals with various rights over their personal data, including the rights to be informed and to access, rectify, erase, and restrict the processing of that data. Bullhorn gives its customers control of their data: customers have the ability to access, rectify, erase and restrict the processing of personal data within the Bullhorn services offerings, which allows them to respond to such requests from individuals.
At Bullhorn, we strive to deliver an incredible customer experience, earning the trust of hundreds of thousands of users globally. We will continue to make the operational changes required by new laws and regulations and will keep our customers, partners and regulatory authorities informed throughout the process. We have an internal cross-functional team that continues to monitor GDPR, CCPA and other data privacy laws and regulations, both proposed and enacted, that may be applicable to Bullhorn and the Bullhorn services offerings.
This document is provided as of October 2020, for informational purposes only and not to be relied on for any reason. It is subject to change or removal without notice.