Working with Data Protection and Privacy Settings

Objectives

After completing this lesson, you will be able to:
  • Enable the Content Security Policy.
  • Set conditions for the dynamic removal of users after a specified period of inactivity.
  • Generate Information Reports and Change Reports.

Recruiting and Data Protection and Privacy

The data protection and privacy features include the ability to report on the personal data available within SAP SuccessFactors Recruiting, and any changes that have been made to subject data. Customers can also set the timeframe to systematically purge inactive Talent Community Members, and more. If desired, a Content Security Policy can be enabled to prevent cross-site scripting attacks.

It is the customer’s responsibility to adopt the features that they deem appropriate. More information can be found on the SAP Help Portal: http://help.sap.com/cloud4hr

Data Privacy Consent Statement

Use the settings from Tools > Data Privacy & Security Settings > Data Protection to control user data for Career Site Builder. (This page is used for both CSB and non-CSB sites.)

The setting Allow Manual Public User Creation allows customers to control how users can be added to Career Site Builder if there are concerns over data privacy and workflows for obtaining consent. Selecting OFF prevents the ability to manually add Talent Community Members through the TC Member API. In this case, Talent Community Members can only be added through the public site workflows.

A screenshot of the Data Privacy and Security Settings page including Data Protection and Content Security Policy tabs

Enable the Content Security Policy

Career Site Builder provides customers the ability to enable a Content Security Policy: an HTTP header that automatically disallows external domains and only allows the browser to render resources from the customer's domain. HTTP headers with a Content Security Policy are used on your career site pages (such as jobs.company.com), but not in the Candidate Profile and other pages generated within SAP SuccessFactors Recruiting.

The purpose of the Content Security Policy is to prevent cross-site scripting attacks by automatically disallowing all external domains.

A screenshot of the Content Security Policy with different settings
Screenshot of Custom Allowed Domains fields where users can enter URLs

We recommend enabling the Content Security Policy only for customers who have specific security needs, such as finance companies. If enabled, you can specify domains to include in an allowlist, which lets them be referenced in any custom scripts that are used on your career site. Add domains to the Allowed Domains list to avoid blocking any third-party JavaScript your career site uses. A default allowlist exists for all standard features that are part of Career Site Builder, so nothing will be broken in a standard CSB site. The default allowlist includes trusted domains that are most commonly used in public career sites built by Career Site Builder. Use the links provided on the page to view sites included on the default allowlist. Test thoroughly in the stage instance to ensure that any integrations don’t break.
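
Before enabling the policy in the stage instance, it helps to list which third-party hosts a page loads from and compare them with the domains you plan to allow. The following is an added example, not SAP code: it scans saved page HTML for externally loaded scripts, stylesheets, images and frames and reports the hosts missing from a custom allowlist. The sample HTML, the .example hosts, the allowlist entries and the wildcard matching are assumptions; the product's default allowlist is not modeled.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample page; every .example host is made up for illustration.
SAMPLE_HTML = """
<head>
<link rel="stylesheet" href="/css/site.css">
<link rel="canonical" href="https://careers.other.example/">
<script src="/js/search.js"></script>
<script src="https://cdn.analytics.example/tag.js"></script>
<script src="//widgets.chat.example/loader.js"></script>
</head><body>
<img src="https://img.static.example/logo.png">
<iframe src="https://video.partner.example/embed/1"></iframe>
</body>
"""
# Hypothetical custom allowlist (assumption: CSP-style "*." wildcard entries).
ALLOWED = ["cdn.analytics.example", "*.static.example"]
FETCHING = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

class ResourceCollector(HTMLParser):
    """Collects (tag, host) for each resource loaded from another host."""
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.external = page_host, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower():
            return  # canonical/alternate links are not fetched as resources
        host = urlsplit(a.get(FETCHING.get(tag, "")) or "").hostname
        if host and host != self.page_host:  # relative URLs have no host
            self.external.append((tag, host))

def host_allowed(host, allowed):
    """Exact host match; '*.x' matches subdomains of x but not x itself."""
    return any(host.endswith(e[1:]) if e.startswith("*.") else host == e
               for e in allowed)

def blocked_resources(html, page_host, allowed):
    collector = ResourceCollector(page_host)
    collector.feed(html)
    return sorted({(t, h) for t, h in collector.external
                   if not host_allowed(h, allowed)})

if __name__ == "__main__":
    for tag, host in blocked_resources(SAMPLE_HTML, "jobs.company.com", ALLOWED):
        print(f"<{tag}> from {host} is not on the allowlist")
```

Hosts reported here are candidates for the Allowed Domains list, or for removal from the page if the script is no longer needed.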

Data Retention Management

The Data Retention Management (DRM) configuration allows you to set the timeframe to systematically purge inactive Talent Community Members. The DRM setting only purges users who are not connected to an account in SAP SuccessFactors Recruiting. Users may be connected through the front-end workflows for Single Sign On and Candidate Account Simplification. Connected users will be purged when they are purged from SAP SuccessFactors Recruiting via the Data Retention Management settings and updates to the Recruiter Synch file.

Use the sliders to set the activity threshold in days for the anonymization of the candidate and client admin data. The sliders go up to many years. Click on one and use the arrow keys on your keyboard to select the duration.

When the threshold is set, user data is anonymized if there hasn't been any user activity in the specified number of days.

Note

Client admins who are part of Recruiter SSO are not affected by these settings. These users are automatically purged from the system when they are no longer included in the Recruiter sync file from SAP SuccessFactors Recruiting.

Data Subject Reports

Generate Information Reports and Change Reports for both Talent Community Members and Client Administrators from Tools > Data Privacy & Security Settings > Data Subject Reports. This page is used for both CSB and non-CSB sites.

A screenshot of the Data Subject Reports section under Data Privacy and Security Settings