Legal · XA-LEGAL-SEC

Information Security Statement

Entity: XpressApply Ltd, Republic of Cyprus
Registration number: HE 000000
Effective: 1 June 2026
Status: Version 1.0 · Draft for review

This Information Security Statement describes the technical and organisational measures that XpressApply Ltd ("XpressApply") applies to protect personal data and the integrity of the XpressApply service (the "Service").

These measures are maintained in accordance with Article 32 GDPR and Law 125(I)/2018 of the Republic of Cyprus, and are reviewed periodically and updated to reflect changes in risk, technology and applicable law.

1. Purpose and scope

1.1 This Statement applies to the systems, applications and infrastructure operated by us to provide the Service, and to the personal data processed through them, including interview recordings, transcripts and scorecards.
1.2 It describes our security posture at a summary level; it does not disclose information that could compromise the security of the Service.

2. Governance and responsibility

2.1 We maintain an information-security programme with defined ownership and accountability, supported by internal policies governing acceptable use, access management and incident response.
2.2 Security measures are reviewed periodically and following any significant change to the Service or the threat landscape.

3. Encryption

3.1 Personal data is encrypted in transit using current versions of the Transport Layer Security (TLS) protocol.
3.2 Personal data, including interview recordings, transcripts and scorecards, is encrypted at rest using industry-standard cryptographic algorithms.

4. Access control

4.1 Access to personal data is granted on a least-privilege, need-to-know basis and is subject to single sign-on and multi-factor authentication.
4.2 Access rights are reviewed periodically and revoked promptly when no longer required, and access to production systems is logged for review.

5. Infrastructure and network security

5.1 The Service runs on reputable cloud providers operating certified data centres, with logically isolated environments and segregation between production and non-production systems.
5.2 We apply network controls, regular patching and hardening of systems, and we keep production data within the European Economic Area by default.

6. Data minimisation and retention

6.1 We collect only the personal data necessary for the relevant assessment and retain it on a defined retention schedule, after which it is deleted or anonymised.
6.2 You may request export or deletion of your personal data as described in our Privacy Notice.

7. Logging and monitoring

7.1 We log relevant security events and monitor our systems for anomalous or unauthorised activity, using alerting to support timely detection and response.

8. Incident response and breach notification

8.1 We maintain a documented incident-response process designed to detect, contain, investigate and remediate security incidents.
8.2 Where we act as a processor, we will notify the relevant controller without undue delay after becoming aware of a personal data breach affecting their data, with the information they need to meet their own obligations under Articles 33 and 34 GDPR.

9. Secure development

9.1 We follow secure-development practices, including code review and dependency management, and we separate development, testing and production environments.

10. Personnel and confidentiality

10.1 Personnel with access to personal data are bound by confidentiality obligations and receive guidance appropriate to their role.

11. Sub-processor and vendor management

11.1 We engage sub-processors only under written contracts imposing data-protection and security obligations consistent with Article 28 GDPR, and we conduct due diligence on vendors that process personal data. The current list is published in our Sub-processor Notice.

12. Business continuity and resilience

12.1 We maintain backups and resilience measures designed to support the availability and recoverability of the Service and of personal data.

13. Responsible disclosure

13.1 We welcome responsible disclosure of security vulnerabilities. If you believe you have identified a vulnerability affecting the Service, please contact us at security@xpressapply.com so that we can investigate and remediate it. We ask that you allow us a reasonable period to respond before any public disclosure.

14. Contact

14.1 Questions regarding this Statement may be addressed to security@xpressapply.com, or to our Data Protection Officer at dpo@xpressapply.com.

This document is a draft template prepared for the XpressApply prototype and is provided for information only. It does not constitute legal advice and should be reviewed and adapted by qualified legal counsel before any production use.