Security

Gem provides recruiting communication management services that allow recruiters to source and engage potential candidates more efficiently. These services include email management, response tracking, and statistics that show how effective your recruiting efforts are.

There are two components to the Gem services:

  • Our web interface, Gem.com, where you can manage all of your outreach campaigns and reports

  • A Chrome extension which is the primary tool for enabling your sourcing efforts

To access the Gem services, you will need to create a Gem account.

Your Gem account login credentials will be tied to your email account, so you’ll need to grant Gem permission to create that relationship through a technical standard called OAuth. The security of your data is our highest priority, so Gem will only interact with your other accounts via secure APIs. For clients using Gmail, we use the official Google APIs over SSL with user authentication done exclusively via Google SSO; for clients using Outlook, we use the Nylas API. In addition to this process being easier for users to manage by not having to remember another set of login credentials, we also believe this is more secure, since Gem never sees or stores user passwords.

During the account creation process, your email provider will ask you to verify that the permissions we request are appropriate. The permissions we ask for, and the reasons we need them, are as follows:

Gem needs Read, Compose, Send, and Permanently Delete access to your inbox:

  • Gem needs Send access because it sends emails as you from your Gmail inbox. This means your messages will look exactly like they were sent from your Gmail inbox and will show up in your Sent Mail folder.

  • Gem needs Read access to your inbox so it can stop the automated follow-ups in your sequences when a candidate replies to your outreach email.

  • Gem needs Delete access to track opens using our tracking pixel. Delete access is necessary so that an open is not counted when you, the sender, open the email yourself.

Once your Gem account has been created, we store a minimal amount of your information going forward. We only store to/from email addresses and timestamps for emails in your inbox to power our feature that ensures your team doesn't reach out to the same person twice.

For users authenticating with a Google account, Gem Software's use of information received from Google APIs will adhere to the Google API Services User Data Policy, including the Limited Use requirements.

We DO NOT store the contents of any emails in your inbox except for emails you send in Gem through sequences, and a candidate's first reply to a Gem sequence.

For some of our most security-conscious customers, such as customers in the medical industry who may have Protected Health Information (PHI) in their email, we support requesting more limited email access permissions. Limited access grants Gem access to email headers (such as the to/from email addresses and timestamp), but not to the contents of the emails in your inbox.

In addition to only interacting with your other accounts through secure APIs, we also protect your data throughout our system. All data at rest is encrypted using AES-256, via Amazon RDS's implementation, and all data in transit is encrypted using browser-based TLS. We also make use of a wide range of administrative and technical safeguards to ensure the Gem services operate in a safe environment.

The Gem services have been designed and developed on industry-leading cloud PaaS and IaaS providers. We use Heroku for our application servers and AWS for our databases, along with a few other AWS services that hold no significant customer data or permissions. These providers maintain industry-standard security certifications, including ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, SOC 3 and PCI DSS Level 1. Through the use of these scalable platform providers, we are able to leverage a number of features that minimize the impact on the availability of Gem and your data in the event of a natural disaster or system failure.

Gem has implemented a comprehensive set of internal security policies and programs to ensure that we are able to continually develop our services in the most secure way possible, allowing you to use Gem in a variety of environments subject to additional regulatory oversight such as HIPAA or OFCCP compliance.

As part of our commitment to providing a safe and secure service for the management of your private candidate data, we have developed Gem to operate within the requirements of the General Data Protection Regulation (GDPR). GDPR is a European privacy law that went into effect on May 25th, 2018. It is based upon the European understanding that privacy is a fundamental human right. Established by the EU Parliament, the GDPR regulates how individuals and organizations can obtain, use, store, and remove personal data. It gives EU citizens and residents control over their personal data, and simplifies the regulatory environment for international business that takes place in the EU.

Here is an overview of how Gem has prepared to meet the new regulation requirements:

  • We offer a data processing addendum (DPA) for our customers who collect data from people in the EU. Our DPA offers contractual terms that meet GDPR requirements and that reflect our data privacy and security commitments to our customers.

  • We reviewed and identified all the areas of Gem where we collect and process customer data. We validated our legal basis for collecting and processing personal data, and we ensured that we apply the appropriate security and privacy safeguards across our infrastructure and software ecosystem. Our Privacy Policy identifies what we do with the data we collect and how we manage consent.

  • We are committed to helping our customers meet the data subject rights requirements of GDPR. Gem processes or stores all personal data with fully vetted vendors with whom we have a DPA in place. We store personal data until your account is deleted, after which we dispose of all data in accordance with our Terms of Service and Privacy Policy.

  • One of the GDPR requirements is a managed data protection impact assessment (DPIA) process. A DPIA process is a way to help us identify and minimize the data protection risks of a project. The Gem engineering team has always undergone security and privacy due diligence when choosing tools and making implementation decisions, so this requirement is easy for us. Any time we introduce a change to the way we handle personal data, we discuss the potential impact on Gem customers and explore possible privacy and security risks to personal data. If any risk is identified, no matter how small, our product and engineering teams collaborate on a solution to mitigate the data privacy and security risk to anyone who interacts with the Gem platform. We will continue to execute this risk assessment process as we expand Gem’s offerings.

To help us continue to maintain the most secure platform possible, we have partnered with NCC Group, a global information assurance specialist, to perform objective, third-party audits of Gem on an annual basis. We perform regular vulnerability scans at both the network and application level to ensure our compliance with both WASC (Web Application Security Consortium) and OWASP (Open Web Application Security Project) standards.