Frequently asked questions

The iCIMS Talent Cloud supports SAML 2.0, OAUTH 2.0, HMAC and Basic Auth. 

iCIMS Talent Cloud integrates with customer IDPs via SAML 2.0 integrations.  Via SAML integrations, customers can enable their native password management and multi-factor authentication for all-access to the Talent Cloud.   

iCIMS allows customers to implement role-based access control to manage access to data hosted in the Talent Cloud. Only iCIMS staff with Need-To-Know permissions will be able to access customer data. All access is strictly for support reasons and must be accompanied by an approved ticket or service request. iCIMS logs and monitors all access to productions systems that host or process customer data. 

iCIMS logs are retained for one year. 

All iCIMS systems configured send logs to the iCIMS centralized log management platform. Here, access is restricted to authorized personnel utilizing multi-factor authentication. All logs are stored in an immutable format for the duration of the one-year retention period.  

iCIMS conducts at least one full backup daily and prior to any update to the Subscription. iCIMS maintains daily backups onsite and moves one of the daily backups to an off-site storage facility. 

Backups are stored encrypted on secured backup media that for up to 12 months before being securely destroyed. iCIMS can support shorter backup retention periods if requested.  

All backups are encrypted with AES-256-bit encryption.

All customer data transmitted over public networks is encrypted with a minimum of TLS 1.2.

All customer data is encrypted at rest with a minimum of AES-256-bit encryption.  

iCIMS manages all encryption keys, rotates them regularly, and stores them in hardware security module compliant with FIPS 140-2. 

iCIMS customers can request access to their Talent Cloud logs through iCIMS customer support.  At this time iCIMS does not support automated log exports or integration into customer log management tools.  

iCIMS has a long commitment to information security. We have been ISO 27001 certified since 2014 and recently achieved its extension certificate, ISO 27701. The global privacy information and security certification supports compliance with the EU’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other privacy legislation – demonstrating iCIMS’ commitment to upholding the highest standard of data security and protection with the most rigorous processes and systems in place. Additionally, we also align to the NSIT 800-171 and NIST 800-53 standards. 

We are constantly working to improve our security, privacy, and data protection and compliance posture. With this in mind, we have completed the SOC 2, Type II Audit, which demonstrates iCIMS’ control effectiveness and represents an overview of iCIMS systems and the suitability of the design and operating effectiveness of security and availability controls over a period of time. 

The iCIMS Talent Cloud platform continually meets rigorous privacy and compliance standards and regulations to ensure that your data remains secure, including providing our customers the tools comply with CCPA and GDPR.   

No more than once per calendar year, Talent Cloud customers can request permission to conduct a penetration test via their customer service representative or by directly contacting iCIMS Information Security team.  Upon receiving approval, testing can commence during a mutually agreed upon timeframe.   

At least once annually, iCIMS engages with an independent third party to perform web application, infrastructure and mobile application penetration testing. Customers can request high level summaries of these test via their customer service representative or directly from iCIMS Information Security. 

Security is an integral part of the iCIMS SDLC beginning with annual OWASP Top 10 training for all developers. All code is peer reviewed and undergoes both SAST and DAST testing before being promoted to production. 

iCIMS conducts weekly vulnerability scans against external facing systems as well as internal systems. All vulnerabilities with a rating of High or Critical are remediated within no more than 30 days.  Where zero-day vulnerabilities are identified, iCIMS will remediate within no more than 14 days.   

iCIMS commits to applying all applicable security patches to systems at least once every 30 days.  

iCIMS has a formal documented incident response process that can be found here 

In the event of a Data Breach of involving customer data, iCIMS will notify customers no later than 24 hours after identification of the Data Breach.  iCIMS will contact the customer via phone, email or means dictated by the customer.     

iCIMS provides tools and documentation to support your GDPR compliance. This includes support for Data Subject Rights, configuration options to meet data minimization requirements, and managing consent, where applicable. Details can be found here.

iCIMS only processes customer personal data per its customers’ service agreements, and we do not sell job applicant data to third parties nor use customer data for advertising purposes. iCIMS provides customers with tools and documentation to support your compliance with the CCPA. Details can be found here.

iCIMS is committed to maintain a best-in-class privacy program. To do so, the iCIMS’ General Counsel’s Office has team members that are dedicated to privacy. Privacy questions can be directed to privacy@icims.com.

A DPA can stand for data processing addendum or agreement, or a data protection addendum or agreement. For its customers, iCIMS maintains standard terms to meet emerging and evolving data protection and privacy laws in a standard DPA that is available as part of the contract execution process.

iCIMS maintains a host of internal and external privacy notices, policies and procedures. Some policies are available at www.icims.com/gc. In addition, the iCIMS Privacy Notice is available at https://www.icims.com/legal/privacy-notice-website/, while the iCIMS Services Privacy Notice, which relates to iCIMS products and services, is available at https://www.icims.com/legal/privacy-notice-services/. These policies are reviewed at least annually.

We strictly limit our use of all personal data in accordance with our Subscription Agreement, and we only process personal data that you authorize us to access in order to provide services. This includes ensuring:

  • We only process your candidate data to provide services.
  • We don’t share or use your candidate data for advertising purposes.
  • Your candidate data always belongs to you.
  • You can access, modify or delete your candidate data at any time

In line with the GDPR’s Article 35 requirements, iCIMS maintains data protection impact assessments (“DPIAs”) for all of its data controller and data processor obligations. iCIMS can also assist customers in addressing their DPIA requirements as needed.

As the data controller, iCIMS customers determine action on DSARs. If iCIMS, as the data processor, receives a DSAR outside of its products and the specific customer is named in the request, iCIMS will inform the data subject to contact the customer directly, and then iCIMS will inform the customer of the request. iCIMS can assist with a DSAR upon written instructions from the Subscriber.

For more information, regarding tools available to customers to manage DSARs, please visit here.

iCIMS requires all employees to go through appropriate levels of security and privacy training according to their roles during onboarding and on an annual basis thereafter. Training records are maintained through iCIMS’ learning management provider. Training on data security and privacy is updated annually.

For more information please see iCIMS Data Security & Privacy Statement and IT Security Policy at https://www.icims.com/gc.

Within its Talent Cloud Platform, iCIMS uses required and functional cookies to deliver its services to its customers. For more detailed information, please contact privacy@icims.com.

iCIMS maintains policies and procedures to ensure privacy, security, and contract reviews are conducted when procuring a new or modified use of a vendor, partner, or subprocessor, including Privacy Impact Assessments (PIA) and Data Protection Impact Assessments (DPIA) where applicable. Additionally, iCIMS maintains a subprocessor list that includes the service provider name, country of location, and description of processing, which is available to current subscribers.

iCIMS’ policies and procedures ensure appropriate, written legal agreements are executed with vendors, partners, or sub-processors, which could include a DPA, Standard Contractual Clauses, etc. iCIMS does not provide third-party risk reports, but customers can contact our privacy team for questions at privacy@icims.com.

iCIMS ensures necessary agreements are in place with applicable vendors, partners, and service providers to support cross-border transfers when applicable, which could include a DPA, Standard Contractual Clauses, and/or Binding Corporate Rules. Additionally, although iCIMS does not rely on Privacy Shield for cross-border data transfers, iCIMS maintains its EU-US and Swiss-US Privacy Shield self-certifications and continues to adhere to the Privacy Shield principles.

iCIMS is self-certified to the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield, and it will maintain its self-certification for the immediate future. Prior to July 16, 2020, iCIMS primarily relied on the Privacy Shield to transfer subscriber personal data from the EU and Switzerland to the U.S., but due to the Schrems II Ruling and FDPIC assessment this cross-border transfer mechanism is no longer valid.

However, iCIMS’ standard data processing addendum (“DPA”) includes language that automatically applies the SCCs to personal data transfers from the EU and Switzerland to the U.S. should the EU-U.S. Privacy Shield or Swiss-U.S. Privacy Shield be invalidated. Therefore, iCIMS believes that is still able to legally transfer personal data from the EU and Switzerland to the U.S. by executing the SCCs.  Additionally, iCIMS ensures all subprocessor agreements include the EU Standard Contractual Clauses.

The EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield is still enforceable under US law and iCIMS continues to adhere to the Privacy Shield principles. Moreover, there is a chance an alternative arrangement may be quickly reached between the EU, Switzerland, and U.S. If one is reached, maintaining self-certification will allow iCIMS to transition to any new arrangement more quickly. To see iCIMS’ Privacy Shield filing, please click here.

Ultimately, this is a decision to be made by the customer (i.e., the Data Controller). However, iCIMS can assist customers by answering their data privacy and security questions.

No, iCIMS does not have reason to believe it will not be able to comply with the obligations set forth in the EU Standard Contractual Clauses (SCCs). Given the nature of the processing that iCIMS conducts on behalf of its customers, it is unlikely that iCIMS would be subject to a subpoena, warrant, order, or other request by any governmental authority to access or disclose information that may include customers’ personal data, and has not previously received such a request.

Further, in the unlikely event that iCIMS should receive such a request, we maintain an internal Third Party Access Request Procedure which outlines our response process. This includes, but is not limited to: assessing the nature, scope, and validity of the request; seeking to oppose the request; and forwarding or notifying the customer, if pertinent, and permitted by applicable law or court order.

All U.S.- based companies are potentially subject to the following laws: United States: 50 U.S.C. § 1881a (FISA 702); Executive Order 12.333; Presidential Policy Directive 28 (PPD-28).

No, iCIMS is not subject to specific disclosure obligations. iCIMS does not fall under one of the following definitions in 50 U.S.C. § 1881(b)(4), that could render iCIMS or its other entit(ies) directly subject to 50 U.S.C. § 1881a (= FISA 702):

  • iCIMS is not considered a telecommunications carrier, as that term is defined in section 153 of title 47 U.S.C.
  • iCIMS is not considered a provider of electronic communication service, as that term is defined in section 2510 of title 18 U.S.C.
  • iCIMS is not considered a provider of a remote computing service, as that term is defined in section 2711 of title 18 U.S.C.

iCIMS has not previously been subject to a subpoena, warrant, order, or other request by any governmental authority to access or disclose information that may include customers’ personal data. However, in the unlikely event that iCIMS should receive such a request, we maintain an internal Third Party Access Request Procedure which outlines our response process, which includes providing transparency reports, if pertinent, and permitted by applicable law or court order.

On a quarterly basis, iCIMS conducts privacy audits to identify potential privacy risks and to ensure proper tracking and resolution of legal, regulatory and compliance issues. Additionally, iCIMS conducts these privacy audits to determine the applicability of relevant legislation and/or regulations and to assess and implement the necessary actions to address the identified privacy requirements.