Checkr Trust and Security
Trust begins with transparency. Below you will find current information on Checkr reliability, security, compliance and privacy.
Reliability
Checkr operates and maintains high availability services and infrastructure. The current operational status of the Client Dashboard, API, Webhooks, Apply Page, and Candidate Portal, can be found on our status site.
Security
How we work behind the scenes to protect and secure your information.
Security Policies
Our security policies, controls, and standards cover a wide range of areas to include information security, incident response, access control, physical security, network security, vulnerability management, software/systems development life cycle, secure development, change management, vendor management, disaster recovery and business continuity.
Access Control
Checkr uses role-based access control (RBAC) and an identity management system to identify, authenticate, and validate access to systems or resources. Multi-factor authentication is required to access core systems and for remote access to the Checkr environment. Internal policies and technical access controls prohibit arbitrary staff access to a candidate’s personal identifiable information (PII) or other private screening or records information without a valid business need.
Encryption
Data is transferred securely using Transport Layer Security (TLS) with 128-bit or higher Advanced Encryption Standard (AES) encryption. Data is also stored securely at rest with AES-256-bit encryption. Encryption keys are stored separately from the encrypted data and it’s all hosted in our off-site secure cloud infrastructure.
Vulnerability Management
Checkr performs regular application and infrastructure security vulnerability and penetration testing, by internal security staff and third-party security researchers/specialists, including a bug bounty program, to proactively identify vulnerabilities and complete remediation in a timely manner. To responsibly disclose or report a security vulnerability to Checkr, contact security@checkr.com.
Change Control
Checkr maintains systems development life cycle (SDLC) policies and procedures to guide in the documentation and implementation of application and infrastructure changes, in addition to maintaining industry standard best practices. Change control includes change requests, initiation process, documentation requirements, development practices, quality assurance, testing requirements and required approval procedures. Version control maintains a history of code changes to track changes and to support rollback capabilities, if needed.
Subservice Providers
Checkr production systems are housed at third-party subservice organization data centers and managed service providers. Third party providers are responsible for physical, environmental and operational security controls, and Checkr is responsible for network, application and logical security controls of our infrastructure.
Compliance
Checkr has its systems, people, processes and controls certified and assessed through regular independent third-party audits.
International Organization for Standardization
(ISO) 27001 is a global information security standard for information security management. Checkr follows the ISO 27001 standard to continuously identify, select, maintain and improve information security controls to preserve the confidentiality, integrity and availability of our systems and information.
American Institute of Certified Public Accountants (AICPA)
Service Organization Controls (SOC) reports are designed to help build trust and confidence in the services performed and controls of a service organization. A SOC2 Type II report provides detailed information about the suitability of the design of controls and an independent auditor’s assurance opinion on the operating effectiveness of the controls. Checkr’s SOC2 Type II examination report is available upon request by contacting our Sales Team.
Privacy
Privacy Policy
Our products and services go through a rigorous software development lifecycle that includes privacy and security by design principles as well as industry standard best practices. Every new product and service is reviewed against our internal requirements prior to release. Our Privacy Policy describes how we handle your information when you use our website, products, and/or services.
Privacy Shield
Checkr is Privacy Shield certified. This means that Checkr has met the requirements of the Privacy Shield program administered by the United States Department of Commerce and is able to export data from the European Union to the United States of America. More information about the Privacy Shield program can be found here. Checkr’s Privacy Shield certification can be found here.
CCPA
Checkr is compliant with the California Consumer Privacy Act (CCPA) while maintaining full compliance with the long-standing, established Fair Credit Reporting Act (FCRA). While CCPA applies to California citizens, Checkr will apply those rights to all United States consumers regardless of their state of residence or citizenship.
Take control of your data
If you are a consumer based in the United States:
Access Your Data
You can access the information Checkr holds on you, including your background Check.
Delete Your Data
You have the right to delete your data. After deleting your data, you will no longer have access to our Candidate Portal.
Personal Information
We do not sell your personal information, we only use it to run your background check.
GDPR
Checkr is committed to ensuring our People Trust Platform is compliant with all EU data protection laws, including the General Data Protection Regulation (GDPR).
If you are a consumer based outside of the United States or International: Requests to Access, Transfer, and Delete your personal data can be submitted to privacy@checkr.com.
If you are an organization or Checkr customer, we have more information about Checkr and the GDPR in a help center article, which includes a copy of our signed Data Processing Addendum. Please submit any countersigned copies or questions to privacy@checkr.com.