eBoss works tirelessly to ensure your business data is collected. On this page you will find all the information about the work we do to guarantee the safety of your digital data.

eBoss Statement on GDPR

We work diligently to make sure our software and services are the most secure in the recruitment industry. Our dedication to privacy extends beyond our internal practices: it covers every third-party subprocessor and contractor that we might choose to carry out parts of our service.

We have written a supplementary statement to explain many aspects of our own compliance programme. We have also addressed some of the specific questions that we have received from clients and customers in regards to this. You can read the full statement here.

Cyber Essentials Certification

eBoss is a Cyber Essentials certified company. Cyber Essentials is the UK standard for core data management and cyber security best practices.

Our certificates are renewed annually. Our most recent Cyber Essentials assessment was conducted and certification award on 28.07.2022.

Privacy and Cookies Policy

We have refreshed our Privacy and Cookies Policies to bring them into line with GDPR standards. In particular, we have clarified payments processing, and re-stated the rights of customers and website users. Please familiarise yourself with the rights and obligations set out in our Privacy Policy when you have a spare moment.

Website Terms and Conditions

We have also updated our Website Terms and Conditions to ensure GDPR compliance. Please read these updated terms of use, and familiarise yourself with the new rights and obligations you have as a user under GDPR, as set out in our Terms and Conditions for Online Use.


As service providers, we are frequently asked to supply specific details about our service and our compliance work. Below you will find answers to some of the most frequently asked questions that our users have requested.

(Swipe for more >>>)

Is eBoss compliant? What measures are in place?

Q: I am completing a compliance report. What steps can I say eBoss has put in place to ensure compliance with GDPR?

A: We have ensured that each of the following steps will either be in place before May 25th, or is already a standard part of eBoss company policy:

1. All data subject data is stored on servers located within the EU only;

2. All data subject data is encrypted;

3. Data subject data is also pseudonymised;

4. Data subject data is backed up and easily recovered or restored to prevent permanent loss;

5. No data subject data is ever transferred to a location which is not protected by the GDPR or regulation that has been recognised as equivalent to the GDPR;

6. We have updated the terms of service and privacy policies for web users, customers, and clients;

7. we have informed web users, customers, and clients of their new rights and obligations under the GDPR;

8. We have established new service agreements for data controllers which limit the services provided by eBoss and our subprocessors to those that remain within GDPR best practices at all times;

9. we have selected subprocessors only if they are able to demonstrate GDPR compliance prior to May 25th;

10. we have undertaken orientation and staff training on best practices under the GDPR;

11. we have undertaken preliminary risk assessments on the processing of data subjects’ personal data;

12. we have mapped a thorough and ongoing risk assessment process which will continue to update our understanding of the GDPR and create a knowledge base of risks and threats to personal data that we process.


eBoss as a Data Processor

Q: We use eBoss as a data processor for our recruitment agency. But now we need to assure compliance across all of our service providers. Does eBoss have any GDPR certification for its services?

A: At the time of writing, there is no official accreditation or certificate to prove GDPR compliance. Compliance can be demonstrated with self-assessment and reporting. Additionally, you may wish to read the eBoss Statement on GDPR.

All eBoss products are compliant to the highest standards under the GDPR. We introduced elements of Privacy By Design to our development workflows some time ago,so every eBoss product is GDPR compliant.


What is a Controller–Processor Agreement?

Q: What is a Data Controller – Processor Agreement? How can I obtain one? Will it affect my eBoss service?

A: A Data Controller – Processor Agreement is a legal document which sets out the legal rights, duties, and obligations of the data controller and a service provider acting as a processor.

As part of our GDPR readiness programme, eBoss has put together a standard controller – processor agreement, which is ready for our customers.

In some cases, we may be issuing these agreements to customers with specific processing needs. Otherwise, you can request a controller-processor agreement for your business to help speed up compliance. Contact our GDPR representatives to obtain a personalised copy of the agreement.

The eBoss controller – processor agreement is supplementary to your ongoing terms of service. The products and support that you receive from eBoss will not be in any way impacted by the agreement.


What security measures has eBoss taken?

Q: What specific security steps has eBoss taken to protect its software and hardware, and my data?

A: All eBoss processes have been developed with Privacy By Design. They meet the highest standards of data security as set out by the GDPR, and our team is trained to ensure best practice when handling your data.

To ensure this level of privacy remains in place, it is therefore understandable that we do not share specific technical information about our software systems.


Where are the eBoss servers located?

Q: The GDPR controls the transmission of personal data to unregulated destinations. Can you tell me whether eBoss servers are located in a location which complies with the law?

A: Yes. The eBoss servers are all situated within the European Union.

Additionally, we will not be able to alter the location of our servers without your prior written consent, as per our processing agreement.


Does eBoss have a Data Protection Officer?

Q: Who do I speak to when I want to discuss data security matters with eBoss? I understand that the details of the Data Protection Officer should be made public – why can I not find information about the eBoss DPO?

A: eBoss acts as the data controller to a very limited set of personal data – none of which falls into the category of “special types of sensitive personal data. Following specific legal guidance, we have assessed that it would not be necessary to hire a DPO for the oversight of these processes. However, our team is fully updated with GDPR issues, and we do have dedicated Data Protection Representatives in our support team. You can contact our support staff through the usual channels. Alternatively, you can may ask questions relating to GDPR directly to our data protection representatives.


Do I have the Right To Access My Data?

Q: GDPR allows me to obtain a copy of my data as part of my Right To Access. Can I retrieve a copy of all my company data stored with eBoss? And, if so – how?

A: As an eBoss customer, you are of course welcome to receive a copy of all of the company data that you have secured using our software. This is part of our basic service to our customers, however. It is unrelated to the GDPR.

Due to the valuable, and often sensitive, nature of the data you have stored on eBoss servers, some additional security steps may be required before we release your data to you.

Data will usually be sent in .csv format.


    Our GDPR Hub has even more information about data protection and the GDPR for recruiters.