Security
How we work behind the scenes to protect and secure your information.
Security policies
Our security policies, controls, and standards cover a wide range of areas, including information security, incident response, access control, physical security, network security, vulnerability management, software/systems development life cycle, secure development, change management, vendor management, disaster recovery, and business continuity.
Access control
Checkr uses role-based access control (RBAC) and an identity management system to identify, authenticate, and validate access to systems or resources. Multi-factor authentication is required to access core systems and for remote access to the Checkr environment. Internal policies and technical access controls limit staff access to a candidate’s personally identifiable information (PII) without a business need.
Encryption
Data is transferred using Transport Layer Security (TLS) with 128-bit or higher Advanced Encryption Standard (AES) encryption. Data at rest is stored with 256-bit AES encryption. Encryption keys are stored separately from the encrypted data, and all of it is hosted in our off-site cloud infrastructure.
Vulnerability management
Checkr performs regular application and infrastructure security vulnerability and penetration testing, conducted by internal security staff and third-party security researchers/specialists, to proactively identify vulnerabilities and complete remediation.
Change control
Checkr maintains systems development life cycle (SDLC) policies and procedures to guide the documentation and implementation of application and infrastructure changes. Change control includes change requests, initiation process, documentation requirements, development practices, quality assurance, testing requirements, and required approval procedures. Version control maintains a history of code changes to track changes and to support rollback capabilities, if needed.
Subservice providers
Checkr production systems are housed at third-party subservice organization data centers and managed service providers. Third-party providers are responsible for physical, environmental, and operational security controls, and Checkr is responsible for network, application, and logical security controls of our infrastructure.
Compliance
How our systems, people, processes, and controls are certified and assessed through regular independent third-party audits.
International Organization for Standardization
ISO 27001 is a global information security standard for information security management. Checkr follows the ISO 27001 standard to continuously identify, select, maintain, and improve information security controls to preserve the confidentiality, integrity, and availability of our systems and information.
Service Organization Controls
Service Organization Controls (SOC) reports are designed to help build trust and confidence in the services performed and controls of a service organization. A SOC 2 Type II report provides detailed information about the suitability of the design of controls and an independent auditor’s assurance opinion on the operating effectiveness of the controls.
Privacy Policy
Our products and services go through a rigorous software development lifecycle. Every new product and service is reviewed against our internal requirements prior to release. Our Privacy Policy describes how we handle your information when you use our website, products, and/or services.
Data Privacy Framework
Checkr is Data Privacy Framework (DPF) certified. This means that we have met the requirements of the DPF program administered by the United States Department of Commerce and are therefore able to export data from the European Union to the United States.
Data protection laws
Checkr processes your personal data in accordance with the federal Fair Credit Reporting Act (FCRA) and its applicable protections.
We also process data in compliance with the regulations of United States and international jurisdictions, including:
- United States: California Consumer Privacy Act (CCPA)
- European Union: General Data Protection Regulation (GDPR)
- Canada: Personal Information Protection and Electronic Documents Act (PIPEDA)
Manage your data
If you are a consumer based in certain jurisdictions within the United States:
Access your data
You can access the information Checkr holds on you, including your background check.
Delete your data
You have the right to delete your data. After deletion, you will no longer have access to our Candidate Portal.