Trust & Compliance

GDPR-compliant sourcing. Berlin GmbH, German data-protection framework.

Where Talentwunder stands legally, organisationally and technically. What we already publish, what we provide on request, and what is coming in the next compliance iteration.

Current as of: June 2026

This security profile reflects what we can communicate publicly today. SOC 2 Type II, ISO 27001, the final hosting stack, and the current DPA template are being finalised with our external data protection officer. Until then, we provide the details on request.

Talentwunder at a glance.

  • Legal entity: Talentwunder GmbH, Berlin
  • Data protection officer: SECUWING GmbH & Co. KG
  • Legal framework: GDPR as default
  • Supervisory authority: Berlin Commissioner for Data Protection

Data sources: public profiles only.

Profiles on Talentwunder come exclusively from publicly accessible sources such as search engines, social networks and business portals. No leaked data sets, no private APIs, no purchased lists. Affected persons can object to their data being shown on Talentwunder at any time.

  1. Only publicly accessible profiles, no access to private areas or content.

  2. The source list is documented transparently, currently 30 networks (full list in the FAQ).

  3. Objection rights of the data subject are implemented and honoured for the future.

Processing bases.

We process personal data exclusively on a GDPR basis. The ones relevant to our product:

Performance of contract · Art. 6(1)(b)

Use of the Talentwunder platform, account management, search, pool and pipeline functions.

Legitimate interest · Art. 6(1)(f)

Providing sourcing features on publicly accessible profile data, product personalisation, security and abuse prevention.

Consent · Art. 6(1)(a)

Contact requests, newsletter, and optional marketing or analytics tags.

Legal obligation · Art. 6(1)(c)

Statutory retention periods (tax, commercial), official or court orders.

Data-subject rights.

Any person whose data is processed on Talentwunder has the following rights. Requests are handled by our external data protection officer.

Requests to the DPO: epost@datenschutz-agentur.de

  • Access to the data we hold about you (Art. 15)

  • Rectification of inaccurate data (Art. 16)

  • Erasure (Art. 17)

  • Restriction of processing (Art. 18)

  • Objection to processing (Art. 21), including marketing opt-out

  • Data portability (Art. 20)

  • Withdrawal of consent with effect for the future

  • Complaint to the competent supervisory authority

Sub-processors and data sharing.

Service providers receive only the data they need to deliver their specific service and are engaged contractually as processors. The full list and the current DPA template are provided to business customers before contract signature.

  • Applicant tracking: Karriera.
  • Hosting and infrastructure: current list available on request and in the DPA template.
  • Web analytics and CRM: currently being finalised with our DPO.

International data transfers.

We process personal data primarily within the EEA. Where transfer to third countries (e.g. the United States) is necessary, it relies on a valid adequacy decision or the EU Standard Contractual Clauses. A copy of the safeguards is available on request from our data protection officer.

Technical and organisational measures.

  1. Staff commitment

     All employees are bound by confidentiality and trained on data protection on a regular basis.

  2. Access management

     Role- and right-based access within the platform, audit logs for administrative actions.

  3. Server logs

     We record server log files only for troubleshooting and security analysis and delete them after 31 days, except in documented evidentiary cases.

  4. Encryption in transit

     TLS for all connections between browser, platform and sub-services.

  5. Encryption at rest

     Current status available on request. Final statement will be published here with the next compliance iteration.

Currently in preparation.

Business customers receive the following on request until we publish it here:

SOC 2 Type II

Current status on request. Public statement with the next compliance iteration.

ISO 27001

Current status on request. Public statement with the next compliance iteration.

EU hosting confirmation

Current hosting stack and region setup on request and in the DPA template.

DPA template

Current template on request. Signed by default before contract signature.

This page is maintained together with our external data protection officer and updated after every compliance iteration.

Further documents.

The full legal texts live in the Legal section.

Send a compliance request.

Security questionnaire, DPA template, hosting details or vendor assessment? Write to us. We usually reply within one business day.