Information & Security
An overview of Jobbatical's strong commitment to security and data management.



Release Date: 23.04.2026
A word from our CISO
Jobbatical is a leading provider of relocation services, helping companies hire top talents from anywhere in the world.
Our paperless process is powered by our own software application. We proudly serve over 600 companies as their primary relocation partner.
At Jobbatical, safeguarding sensitive information and customer data is integral to our business. We rely heavily on our Relocation Case Management Software, prioritizing the confidentiality, integrity, and availability of our applications. Our primary objective is to protect our customers' data and Information and Communications Technology (ICT) assets.
We are committed to continuous security improvements and adhere to Information Security Management Systems across all levels of our organization. This includes all employees, core business processes, and the ICT systems supporting our Jobbatical application.
To ensure the highest standards of information security, we comply with the ISO27001 standard. This standard guides us in establishing, implementing, controlling, assessing, maintaining, and improving our documented Information Security Management System (ISMS). By choosing appropriate security measures, we aim to safeguard information and provide confidence to our stakeholders.
On this page we have curated a collection of documents that cover various aspects of our program, policies, architecture, tests, and more. These resources are designed to provide comprehensive information. If you have any additional inquiries, please don't hesitate to contact us.
Marje Salumets
CISO
Data protection
Respecting personal data protection rights is our priority, which is why we have created documentation and implemented internal processes to meet the GDPR requirements.
What is our data processing role?
Our company is a Controller
Although we offer our services through our own technically advanced cloud-based platform, we are not a typical SaaS service provider in relation to our relocation service.
Based on our assessment, we have concluded that we are a separate controller of personal data of talents and their family members when providing relocation services because we determine the means and purposes of data processing. Such data processing is described in our privacy notice. For specific data types, please see “talent data” and “talent family member data” (this includes the talent’s or his or her family member’s first name, last name, date of birth, personal ID code, nationality, passport data, photo, etc.) in our privacy notice.
Our role as a controller primarily arises because of the following:
- Even though the business client initially orders and pays for the service, a direct relationship between us and the talent is still established during the provision of the service. Additionally, a power of attorney may be requested from the talent (or his or her family member) directly,
- There are no specific instructions from the business client on what data to collect from the talent (and his/her family member) and how exactly the relocation services should be provided,
- In general, most of the personal data is collected directly from the talent (i.e., business clients are not generally involved in the collection and submission of personal data to us),
- The business client is usually kept informed of the process and receives a notification once the relocation is completed, but the business client has no significant influence on us and the provision of services in general. On the other hand, we have significant independence in providing the service – we determine exactly how (by using what means) we process personal data in order to achieve the intended purposes.
Our Company is a Processor
When it comes to the processing of personal data of our platform users designated by our business clients, we consider ourselves a data processor. Such processing is regulated by the data processing agreement (DPA) appended to our terms of service. The DPA concerns only the processing of the names, emails, phone numbers and job titles of our business clients’ employees who are using our platform (e.g., an HR manager who has access to the platform and who initiates the talent relocation), but not the talents (i.e., current or future employees who need to be relocated) and their family members.
In a nutshell, a typical process looks like this:
While this is a description of our typical process, depending on the client and the processes agreed with the client, relevant legal documentation may need to be customized accordingly. Please feel free to talk to our growth team so that we can find a solution that suits your business in the best possible way.
We are also currently implementing ISO/IEC 27701 (Privacy Information Management System) so that we can demonstrate a high level of personal data protection even more clearly.
Should you have any questions regarding data processing, please feel free to contact our DPO: [email protected].
What about the (sub)processors?
All our (sub)processors are thoroughly assessed and certified, and use an EU storage location. The list of processors used by Jobbatical is available to clients and selected prospects subject to NDA.
