Over the past several years, a number of laws and regulations have been passed around the world to strengthen the rights that individuals have over their personal data. In the EU, the General Data Protection Regulation (GDPR) became law in May 2018, replacing the 1995 EU Data Protection Directive (European Directive 95/46/EC). The GDPR broadens the rights of EU citizens to control their data and creates a uniform data protection law across Europe. Similarly, in the United States, California enacted the California Consumer Protection Act (CCPA) in January 2020, enhancing privacy rights and consumer protection for residents of California.
Bullhorn is compliant with applicable GDPR and CCPA regulations as a data processor and evaluates the data protection law landscape in the countries, states and provinces in which it operates. Bullhorn is committed to our customers and the protection of our customers’ data.
In addition, within our services offerings, Bullhorn endeavors to provide certain features and functionality to assist our customers in meeting their GDPR, CCPA and other data protection obligations as data controllers/businesses.
Where Do We Stand?
We are committed to addressing EU, US and other data protection requirements applicable to us as a data processor. These efforts include:
Data processing: Our ability to fulfill our data protection commitments as a data processor to our customers, the data controllers/businesses, is a fundamental part of our compliance with applicable data protection laws where data controllers/businesses are using a third party like us to process personal data. Bullhorn has worked extensively with local counsel in the countries in which we operate to ensure that our agreements and/or policies contain appropriate provisions that (i) address the processing and storage of personal data by Bullhorn, (ii) set out our privacy commitments to our customers, and (iii) define the rights and obligations of the data controllers/businesses (our customers) and the data processor (Bullhorn).
Third-party audits and certifications: Bullhorn has the distinction of being one of the first applicant tracking systems (ATS) to be SOC 1 certified, and one of the first non-financial-industry software-as-a-service (SaaS) companies to use the SSAE 16/18 framework for security review. Bullhorn is also SOC 2, Type 2 certified, which affirms the controls in place related to security, availability, confidentiality and privacy of the designated services offerings. Bullhorn undergoes independent third-party annual SOC 1, Type 2 and SOC 2, Type 2 audits that review applicable internal controls and processes. The audits cover internal governance, production operations, change management, data backups, and software development processes. They verify that we have the appropriate controls and processes in place and that they are actively functioning in accordance with the related standards.
The SOC program offers independent verification that our security practices offer a recognized standard of security measures. Furthermore, the program is designed to cover key elements of data processing and integrity, while maintaining auditing practices within our business and operational processes. As all customers are concerned with their data and its security, Bullhorn has integrated its SOC controls into its operating procedures. These procedures span the organization, teams and functions that provide service or support to our clients on our platform. The key components of our SOC controls environment include:
International data transfers: Bullhorn, Inc. complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal information transferred from the European Union, United Kingdom and Switzerland to the United States, respectively. Bullhorn, Inc. has certified to the Department of Commerce that it adheres to the Privacy Shield Principles. Bullhorn, Inc. is committed to handling all personal data it receives from data exporters in any European Union (EU), United Kingdom (UK), Switzerland or European Economic Area (EEA) member state, under the Privacy Shield Framework, in accordance with the applicable Privacy Shield Principles. To learn more about the Privacy Shield Framework and the Privacy Shield Principles, and to view our certification, please visit the U.S. Department of Commerce’s Privacy Shield website at https://www.privacyshield.gov.
Data portability: The GDPR and CCPA include certain requirements on data controllers/businesses for the portability of personal data. The data our customers store in Bullhorn is theirs. We provide for portability and are continually working to enhance the robustness of our data export capabilities.
Subject Access, Rectification, Erasure and Other Requests: The GDPR and CCPA include certain requirements on data controllers/businesses to provide various rights to individuals related to their personal data, including the rights to be informed and to access, rectify, erase, and restrict processing of that data. Bullhorn provides its customers with control of their data. Customers have the ability to access, rectify, erase and restrict processing within the Bullhorn services offerings.
At Bullhorn, we strive to deliver an incredible customer experience, earning the trust of hundreds of thousands of users globally. We will continue to make additional required operational changes resulting from any new laws and regulations and will keep our customers, partners and regulatory authorities informed throughout the process. We have an internal cross-functional team that continues to monitor GDPR, CCPA and other data privacy laws and regulations, proposed and enacted, that may be applicable to Bullhorn and the Bullhorn services offerings.
This document is provided as of June 2020, for informational purposes only and not to be relied on for any reason. It is subject to change or removal without notice.