Security & GDPR

Data security at Lusk and General Data Protection Regulation (GDPR) compliance

Security at Lusk

How does Lusk handle the security of your organization’s data?

Data Encryption

All connections to Lusk are secured by HTTPS which encrypts the data flow between client and server. Our API and application endpoints are TLS/SSL only.


All user passwords are securely hashed and salted; passwords are never stored in plain text, so nobody can view them, not even our own employees. However, it also means that if you forget your password, we can’t retrieve it for you. The only solution is to reset it.

All data access is protected by a role- and visibility-based access-control mechanism, which only lets users view data for which they have permission. It’s impossible for users to view data from organizations other than their own.


In addition to the backups of your data stored within Amazon’s hosting infrastructure, we also make hourly backups of our entire database that are kept in long-term storage.

You can also create your own local backup of the candidate data that you have in Lusk at any time you choose, and as many times as you like, by using the Export data feature.*

*This feature is under development and will be coming soon.

Access to customer data

All persons with potential access to sensitive or personal data are bound by our internal personal data protection policy that outlines their responsibility in the area of data security. Our customer support team can only access your data if you add them as a member to your organization.

Loss, misuse or alteration of your data

Unfortunately, no method of transmission over the Internet, or method of electronic storage, can be guaranteed to be 100% secure. As a result, while we strive to protect your organization’s data, Lusk cannot ensure or warrant the security of any information you transmit to us or from our online products or services, and you do so at your own risk. Once we receive your data, we make our best effort to ensure security on our systems.


As of the 25th of May 2018 the European Union’s General Data Protection Regulation is upon us and impacts any business processing personal data of EU residents, regardless of whether the processing takes place in the EU or not. With your candidates’ personal data being a key component of the data we process for you in Lusk, we have completed the necessary steps to ensure that we are compliant.

Data transfers

The GDPR has strict requirements for moving data outside of the EU. If Lusk engages sub-processors outside of the EU, it is our responsibility to ensure that we transfer data according to the GDPR. Below we provide an up-to-date list of sub-processors.


Amazon Web Services, Inc., Cloud Service Provider (EU region), Ireland & United States

Salesforce Heroku, Cloud-based Managed Application Provider (EU region), United States

mLab, Cloud-based Managed Database Provider (EU region), United States

OVH, Dedicated Servers Provider, France

WEDOS, Dedicated Servers Provider, Czech Republic

Glow, Content Delivery Network (CDN) Provider, Czech Republic

Intercom, Cloud-based Customer Support & Communication Services, United States

Mailgun Technologies, Inc., Cloud-based Email Notification Services, United States

Sentry, Error tracking and monitoring, United States

Keen IO, Cloud-based platform for tracking of end user usage data & candidate data, United States

CloudConvert, Cloud-based File Conversion Services, Germany

PipeDrive, Cloud-based Sales CRM, Estonia

Google Inc., Cloud-based Email Services & Data Analytics, United States