Policies and procedures, access control, incident response, compliance, and data storage and privacy
In order to maintain the industry's lowest pricing by a significant margin, we keep our team lean. We have no salespeople or other unnecessary overhead. If you'd like us to complete any forms as part of your procurement process, we charge $1,000 and you can make a request here. However, if you'd like to save your organization the fee and time, you can use the answers below to complete any security checklist.
Business information
- Name of business: Coderbyte Enterprise Inc
- Description: Candidate assessment and interview platform
- Headquarters: 434 Washington St, Carlstadt, New Jersey 07072
- Company contact: Daniel Borowski, CEO and Founder
- Company email: Daniel [dot] Borowski [at] Coderbyte [dot] com
Policies and procedures
- Are there formal information security and privacy policies and standards in place? No, but we informally follow all industry best practices.
- Is there a formal change management process? No, but we informally follow all industry best practices.
- Are risk assessments conducted by third parties? Yes, roughly annually via third-parties that conduct red team / blue team pen testing. Unlike Fortune 500 organizations which are regularly breached without recourse, our entire livelihood is dependent on Coderbyte's security, uptime, and reputation. We guard the platform with our lives to an extent that 'cover-your-ass' corporate executives could never achieve.
Access control
- Is there an access control policy or standard? Our CEO and Founder is the only person in the organization with access to any database with customer information.
- What access control is available to customers for their own accounts? Coderbyte offers both password and password-less functionality for customers. We believe in a decentralized approach to security that minimizes surface area for attacks. Unlike Single Sign-On providers like Okta, which can be catastrophically breached, our password-less technology piggybacks on your existing email systems and eliminates Coderbyte as a potential point-of-attack. We also offer the ability to provision limited-access and read-only access to users.
Incident response
- Is there an incident response program? If our systems are down, all visitors will be redirected to a support page with status information. If our systems are down for a prolonged period, you will automatically receive a pro-rated reimbursement of your last payment.
Compliance
- Is a SOC1 or SOC2 obtained annually? No, and we have no formal certifications of any kind.
- Does the company store, process, or transmit Personally Identifiable Information (PII)? Yes, obviously, as there is no other way to conduct candidate assessments. However, your candidate data is only available within your own account and is never shared, even generalized or in aggregate, to third-parties. Further, you can anonymize the candidate associated with shareable reports.
- Does the company process data for subjects who reside in the European Union? If you invite a candidate or user from the European Union, then yes.
- Does the company have a formal GDPR compliance process? Candidate waive all rights to their data as part of the assessment process. If we receive a GDPR request, we will let the candidate know that deleting their data would violate our agreement with organizations that require that data in order to make data-driven hiring decisions.
- Does the company have a Data Processing Agreement (DPA)? We have and can sign a standardized version for your organization. We will not sign any agreements with any custom sections or clauses.
Data storage and privacy
- Where is data stored? All data is encrypted and stored in the United States of America on AWS (specifically EC2 and S3).
- How long is data stored? Assessment recordings are stored for 30 days. All other data is stored permanently so long as your subscription is active, and for 90 days after a subscription is canceled.
- What data can be deleted? Any candidate information can be permanently deleted by an admin.