Committed to responsible information security and privacy

Alva’s comprehensive information security and privacy management system is independently verified by a certification body according to international standards, reflecting our commitment to data integrity and user trust. Our ISO 27001 certification underscores our dedication to top-tier data protection regulations and security compliance.
Scroll down

Privacy by design

Service built to ensure your candidates' privacy.

Best in class encryption

By having rigorous processes, including using third party encryption key management, we have the ability to control who has access to our data.

Annual penetration testing

Alva’s platform is security vetted by experts once per year.
ISO27001 Certification

Privacy & security documentation

ISO 27001 certified

ISO 27001 certified

Validation of our commitment to information security and privacy, fostering a culture of ongoing security enhancements.



At Alva, we have evaluated all processing activities to ensure the correct data relationship.

Security & Privacy Practices

Security & Privacy Practices

Alva has a dedicated security team in place working to handle any issues that may arise within the software.

Data retention

Data retention

Alva truly cherishes the rights of the candidate and strives to create the best candidate experience.

Candidate sign up flow

Candidate sign up flow

This is the experience your candidates can expect when using Alva's assessments in your hiring process.



A data processor is a third-party data processor engaged by Alva who has or potentially will have access to.


Information security

How do you protect sensitive data from unauthorized access or breaches?

We employ industry-standard encryption algorithms to protect sensitive data both during transit and storage. Personal data are encrypted with a key stored by a third-party broker Thales. Access control policies are in place to ensure that only authorised personnel can access sensitive information. We also have strict authentication mechanisms, such as multi-factor authentication, to prevent unauthorised access. Regular security updates and patches are applied to all our systems to mitigate known vulnerabilities.

What encryption methods do you use to secure user data?

We utilize strong encryption protocols, such as AES-256 (Advanced Encryption Standard), to protect user data at rest. For information in transit we use TLS 1.2 or higher to securely encrypt over networks and the internet. Additionally, we apply Key Access Justifications (KAJ) to allow us to view the reason for each request. With Thales we automatically approve or deny these requests, based on the justification.

How long do you retain user data, and what is your data retention policy?

We retain user data only for as long as necessary to fulfill the purposes for which it was collected or as required by law. Our data retention policy outlines specific timelines for different types of data. Once the retention period expires, we securely delete or anonymize the data to ensure its ongoing protection. Default data retention is set for customers to 24 months, but this something that the customer can adjust themselves.

Can you provide examples of how you handle user data anonymization or pseudonymization?

We employ data anonymization or pseudonymization techniques to protect user privacy. For example, when conducting data analytics, we aggregate and anonymize data to remove personal data so that individuals cannot be identified. 

What measures do you have in place to prevent data leaks or unauthorized access by employees or insiders?

We have tight access controls in place to limit data access to authorised personnel only. Our employees undergo background checks before employment and are bound by confidentiality agreements. We enforce the principle of least privilege, granting employees access only to the data necessary to perform their roles. All data is also encrypted to prevent data exposure. Regular monitoring and audit logs help us detect and prevent any unauthorised access attempts or data leaks.

What are your authentication and access control mechanisms?

We employ Google SSO and multi-factor authentication as primary access control mechanism to ensure that only authorised individuals can access your information. Our access control policy includes strong password requirements, multi-factor authentication, role-based access controls, deprovisioning guidelines and regular access control reviews. These measures help prevent unauthorised access and protect your data from being compromised.


User privacy & consent

What steps do you take to ensure the privacy of my personal information?

We follow stringent privacy policies and practices to safeguard your personal information. We limit access to your data to authorized personnel only, and any third-party subprocessors we work with are carefully vetted for their privacy practices. We continiously work to adhere to applicable privacy regulations and regularly review and update our privacy practices to ensure compliance. Furthermore, we provide transparent information on how we collect, use, and store your personal data.

Are there any third-party subprocessors involved in handling user data, and how do you ensure their security and privacy practices?

We engage trusted third-party service providers to assist us in handling user data. Before partnering with any third party, we conduct a thorough evaluation of their security and privacy practices. We enter into data protection agreements (DPA) that outline the obligations of the service provider regarding the security and privacy of user data. Regular assessments are performed to ensure their compliance with our standards.

Can I delete my personal data from your system, and how can I do that?

Yes, you have the right to delete or right to access your personal data from our system. Our customer and candidate support team is readily available to assist you in the data deletion process through our chat or by emailing

Do you comply with relevant privacy regulations, such as GDPR or CCPA?

Yes, we take privacy regulations seriously and strive to comply with all applicable laws and regulations, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). We have implemented measures to ensure that your rights as a user are respected, including providing clear information on data collection, obtaining appropriate consent, and offering mechanisms to exercise your data subject rights.

How do you handle user consent and provide transparency regarding data collection and usage?

Transparency and user consent are essential to us. We clearly communicate how and why we collect and use your data through our privacy policy and terms of service. We obtain your consent for specific data processing activities, allowing you to make informed decisions. You have the right to manage your consent preferences and can modify or withdraw your consent at any time.

Do you share or sell user data to third parties?

No, we do not share or sell user data to third parties for marketing or other purposes. We prioritise the privacy of the candidates in our platform and maintain strict confidentiality with respect to their information. However, there may be instances where we need to share data with trusted third-party subprocessors to deliver our services effectively. In such cases, we ensure that appropriate data protection agreements (DPA) are in place to maintain the privacy and security of your information. Furthermore, we have an established Transfer Impact Assessment (TIA) where we have assessed all transfers.

Security features & certifications

What measures do you have in place to ensure the security of my personal information?

We have implemented a comprehensive information management system based on ISO 27001 that includes robust encryption protocols, zero trust, and tight access control. Additionally, we regularly conduct security audits and security assessments (pentests) to identify and address any vulnerabilities in our systems and deviations in our security practices. Our dedicated security team work proactive and responds to potential threats to safeguard your personal information.

Do you conduct regular security audits or assessments?

Yes, we conduct security audits and assessments to identify and address any potential vulnerabilities or deviations in our systems. We engage independent third-party security experts to perform comprehensive internal audits, penetration testing, and vulnerability assessments. Also, the information security management system is also subject for external audit once per year. This proactive approach enables us to stay ahead of emerging threats and maintain a robust security posture throughout the whole organisation.

What is your policy on data breaches, and how do you handle them?

In the unfortunate event of a data breach, we have a detailed incident response plan in place. Our priority is to mitigate the impact of the breach, protect affected users, and prevent further unauthorized access. We promptly investigate any suspected breaches, notify affected users as required by applicable laws, and take appropriate remedial actions. We also work closely with law enforcement authorities and cooperate fully in their investigations.

What security features do you have in place to protect against malware or phishing attacks?

We employ various security features to safeguard against malware and phishing attacks. Our systems are equipped with Endpoint Detection and Response (Malwarebytes EDR) that scan for potential threats in real-time. We also conduct annual security awareness training for our employees to help them identify and prevent phishing attempts. Additionally, we enforce users to enable multi-factor authentication and provide guidance on maintaining strong passwords.

Are there any specific security certifications or standards that you adhere to?

Yes, we adhere to industry best practices from ISO 27001. 

How do you handle user authentication and password security in the platform?

Our platform enforce strong password policies to ensure password security (thanks to Dropbox) to safeguard our users accounts. Passwords and credentials are stored using a PBKDF2 function. 

This includes requiring users to create passwords that meet certain complexity requirements, such as a combination of uppercase and lowercase letters, numbers, and special characters. We also encourage the use of single-sign on from Google or Microsoft Azure AD, which adds an extra layer of security and the possibility to require a second form of verification, such as a unique code sent to your mobile device.

How do you handle requests for access, correction, or deletion of personal information?

We provide a user-friendly process where you can contact our customer and candidate support team in order to exercise your rights regarding your personal information. Upon receiving a request for access, correction, or deletion, we verify the identity of the requester to ensure the security of your data. We respond to such requests promptly and take appropriate actions to fulfill your rights, in accordance with applicable laws and regulations.

4.9/5.0 G2 logo

Your success is our top priority

Our Customer Success team is filled with experienced recruiters and licensed psychologists ready to go the extra mile to help your organisation succeed.

"We're a big organization... Rolling out new solutions between departments with different needs isn’t usually an easy thing."

Hear Sam Joukhadar (Global Head of Talent Acquisition at SEB) talk about how they were able to quickly roll out Alva across all their offices, and what impact it has had on their recruitment process.


For more information related to Legal & Security

Contact our  Legal or Security departments.

Read more about our policies:

🔒 Privacy policy

🍪 Cookie policy

✍️ Terms and conditions

Learn more about how Alva can improve your hiring process