Security at Develop Diverse

Security is a top priority at Develop Diverse. Our information security management system is based on industry best practices. Below is an overview of Develop Diverse’s security strategy, divided into 10 key categories.

 

Application Security
Data Security
Incident Management
Identity and Access Management
Organizational Security
Physical Security
Artificial Intelligence
AI models used at Develop Diverse
Privacy (Data Processing & Data subjects)
Vendor Management

Application Security 

Does Develop Diverse conduct penetration testing of its network, infrastructure, and services? 

Penetration testing is conducted to measure the security posture of Develop Diverse Services and Infrastructure. Develop Diverse has an external penetration test performed at least once per year. 

The objective of those penetration tests is to identify design or functionality issues in Develop Diverse services that could expose Data or Customers to risks from malicious activities. 

Dashboards

Data Sharing and Role-Based Access Control

A Develop Diverse account administrator manages and controls individual user rights by granting specific types of user roles. Details about user roles, collaboration mode and authorization in Develop Diverse are documented in our Support Hub.

Customer data, such as job ads and templates, can only be accessed by other users within your Develop Diverse account if those items were specifically shared with them, or if the account's collaboration mode allows it.

Data Security 

Is data encrypted at rest?

Data is encrypted at rest using AES-256.

Is data encrypted in transit?

Data is encrypted in transit using TLS 1.2 at minimum.

Where is data stored?

Develop Diverse does not store any data onsite. Microsoft Azure data centers are used to host the services provided to customers.

Incident Management 

Where can I get updates on Develop Diverse incidents? 

A listing of incidents that could have impacted Develop Diverse customers is located here: https://status.developdiverse.com/  

Does Develop Diverse have external reporting procedures in place for cybersecurity or privacy incidents? 

Incident reporting is handled as part of our incident management process, whereby incidents impacting customers are reported to the respective customers.

For privacy-specific incidents, the process is governed by the customers' DPA, and authorities are informed as required by law.

Identity and Access Management 

How do users and administrators gain access to the application? 

Develop Diverse supports just-in-time user provisioning and SSO onboarding against Microsoft Entra ID (OpenID Connect) and SAML2.

Organizational Security 

Does Develop Diverse have a cybersecurity awareness training program in place? 

Mandatory general security training is provided at onboarding to all employees and contractors. Mandatory training on a specific security topic is also provided annually. 

Does Develop Diverse perform background checks and screening prior to employment? 

All employees undergo a background check prior to employment.  

Need-to-Know and Least Privilege

Develop Diverse operates by the principle of least privilege, hence only a limited set of employees have access to our datacenter. There are strict security policies for employee access, all events are logged and monitored, and data are strictly regulated. Access to production requires a series of strong authentication measures, such as multi-factor authentication, a one-time password, and a personal certificate.

Physical Security 

How do you manage data center security? 

Develop Diverse’s service data is hosted in Microsoft Azure data centers. MS Azure adheres to security controls for ISO 27001, ISO 27018, SOC 1, SOC 2, SOC 3, FedRAMP, HITRUST, MTCS, IRAP, and ENS. Please refer to this link for more details. 

The data center’s physical infrastructure is operated by Azure and we rely on their data center security controls. 

Have you implemented physical security controls at your offices? 

Develop Diverse maintains a physical and environmental policy for its office to ensure the security and integrity of Develop Diverse’s facilities and the assets located within. 

Develop Diverse's office has industry-standard physical security protection with secure access, a burglar alarm, etc.

Further, visitors to secure areas are required to sign in and out with arrival and departure times, are required to wear an identification badge, and are always escorted while in secure areas.

Artificial Intelligence  

Does the Develop Diverse platform leverage any AI? 

Develop Diverse utilizes AI in various aspects of the product, such as our inclusive writing capabilities.  

Is customer PII data used to train your Artificial Intelligence? 

Develop Diverse does not use customer data to train its internal LLMs/ML models. 

Is the data shared with third parties, and if so, what safeguards are in place to protect it? 

Only Develop Diverse and Microsoft Azure are involved in the processing, with no additional third parties included.  

The security of Azure OpenAI is primarily managed by Microsoft, which implements a range of security measures to protect customer data. These include data encryption both in transit and at rest, and strong access controls through Azure Active Directory.

Is the EU AI Act applicable to Develop Diverse? 

Yes, the EU AI Act is applicable to all providers and users of AI systems within the EU.

Develop Diverse’s AI features can be classified in the “Limited Risk” category established by the EU AI Act, meaning that they will be subject to minimal transparency obligations to end users. Develop Diverse will continue to monitor its compliance obligations under the EU AI Act and make adjustments when necessary. 

AI models used at Develop Diverse 

Develop Diverse uses two categories of AI technology: off-the-shelf, public generative AI models (e.g., GPT) and our own proprietary models known as “Develop Diverse AI.”

Public generative AI models 

These kinds of AI models are integrated into Develop Diverse to perform tasks such as generating content based on our prompts. We may have a unique approach for how we apply these AI models, but this type is not based on any AI model proprietary to Develop Diverse. 

Develop Diverse AI models 

This category refers to our own proprietary approach to developing AI models through multiple learning techniques, including deep learning. Develop Diverse AI leverages our unique data, such as extensive bias research data, language structure and culture research data, to complete specific and more complex tasks, such as highlighting a bias phrase and suggesting alternatives. Each feature supported by Develop Diverse AI involves training a new model to perform a specific task. 

Our intention going forward is to use both off-the-shelf models and Develop Diverse AI depending on the specific customer problem we are solving. 

Privacy (Data Processing & Data subjects) 

What types of personal data does Develop Diverse process on behalf of customers?

User profile information, such as name, email address and job title. This information can be read from customer ADs.

System information such as IP address and usage behavior as users navigate through the services. 

Does Develop Diverse process sensitive data? 

Develop Diverse is mainly used for job advertisements and employer branding content, which is mostly publicly available content.

Whose personal data does Develop Diverse process? 

Develop Diverse primarily processes the data of customer employees, who are users of the services.

Who has access to customer data?

Develop Diverse restricts access to customer data and content to its employees who require it in connection with their roles and based on the principle of least privilege. 

Which subprocessors is Develop Diverse using?

Please refer to this page for more information 

Vendor Management 

Does Develop Diverse regularly assess the security of its subprocessors? 

Yes, we perform an annual security assessment of our data subprocessors to ensure appropriate security posture.

How does Develop Diverse assess the security posture of its subprocessors? 

The annual security assessment of our subprocessors consists of reviewing and validating the security artifacts of each subprocessor (audit reports, certifications, penetration test reports, etc.). If risks are observed during the assessment, they are evaluated and documented on the organization's risk register to ensure a risk treatment plan is applied to reduce the third-party risk.