Data monetisation? Never. Just data protection and accredited privacy standards to see here.

December 1, 2022

It’s widely recognised that technology of all types can bring huge benefits to Higher Education institutions and the world of careers - but data and security concerns are equally pressing. From the storage of economic, administrative and personal data to the use of personal devices on campus, concerns about privacy and security are understandably widespread.

Unfortunately, some technology providers have increasingly leveraged these concerns to undermine their competition, spreading falsehoods that cloud an important and complex discussion.

But it doesn’t need to be that way.

Handshake recognises the importance of transparency and integrity. So we are setting the record straight on some of the questions and myths we have heard about how Handshake operates. There are 4 key themes that we have heard, and you might have heard about them too:

  • Student Data
  • Our Business Model
  • Data Storage and Encryption
  • Trust and Safety

This is a resource to help clarify conversations, not finish them. So, if you have any questions or if there are other subjects where you want more clarity, please contact us directly. We will always answer every question honestly and directly.

Student Data

Who owns the student data in Handshake?

The student. In line with GDPR, the individual student owns the rights to their personal data, just as they do with any technology used across a university. Handshake makes absolutely no claims to data ownership at all.

Students are always in complete control of what data they make publicly available. Handshake enables students to change their profile privacy options easily depending on who they want their data to be viewed by, fully informing students about what personal data is collected, how it is used and how it is protected. No student data uploaded to Handshake is ever viewable by an employer until the student has explicitly chosen to make their profile viewable to employers.

About 93% of students choose to make their profiles public in Handshake - that’s really the expectation that students have for networks today - and the other 7% want to have their profiles private. That’s totally fine and that smaller group can still use our platform fully to apply to roles, attend events, connect with their career centre, and more.

Does Handshake sell student data to employers?

No. Handshake does not sell personal data belonging to any Handshake user to third parties and never will.

Why is Handshake a Joint Controller with the University?

Joint Controller agreements tend to be used where controllers have a common objective and purpose, in our case supporting students to find a meaningful career.

The Joint Controller Model allows Handshake to do 2 key things:

  1. To provide students with the choice of how their profile is visible on Handshake. Students can choose to be visible to:
     • The Community - fellow student and alumni users, employers and their university
     • Employers - employers and their university
     • Private - just their university

Our Joint Controller agreement enables individual student choice and seamless connections between students, peers, alumni and employers within Handshake through messaging, virtual info chats, career fairs, events etc. More information on the Profile Privacy Options for students in Handshake is available in our Open Access Help Centre.

  2. To share students' usage data back with the University, providing new data sets (that were not previously easily accessible) to our University partners to help shape provision. In Handshake, University partners can see*:
     • the number of students who have completed their Handshake profile
     • the top skills students are adding to their profile
     • the top courses being messaged by employers
     • the students who have attended employer hosted virtual events in Handshake
     • much, much more…


University partners also have the option* to export this usage data to differing locations and in a variety of formats, including SFTP and Amazon S3, via scheduled reporting.

* Assuming the university user has the right permission in Handshake; as you would expect, there are varying permissions in Handshake.

How does the Handshake and University Joint Controller model work?

It is actually very simple and covers 2 scenarios:

  1. When a student logs in to Handshake for the first time they agree to Handshake’s Terms of Service and Privacy Policy, similar to when a student enrolls at University and agrees to the University Privacy Policy and student contract. In this scenario both Handshake and the University are Joint Controllers of student data. This means Handshake and the University share responsibility for complying with all the obligations of controllers under the UK GDPR.

  2. If a student never logs in to Handshake the University is the Controller and Handshake the Processor. This means the University is responsible for complying with all the obligations of Controllers under the UK GDPR and Handshake as the Processor acts on behalf of, and only on the instructions of the University.

Further definitions on Joint Controllers can be found on the Information Commissioner's Website.

What data does the University remain Controller of?

The Data Processing Agreement (DPA) that forms part of the contract between Handshake and a University partner includes two specific definitions of student data.

| Data Definition* | University Role | Handshake Role |
| --- | --- | --- |
| “Student Personal Data” means Personal Data that the University uploads or otherwise provides Handshake in connection with its use of the Handshakes Services. “Student Personal Data” does not include “Claimed Account Data.” | Controller | Processor |
| “Claimed Account Data” means any Personal Data shared by a student user who claims their account by consenting to the Handshake product Terms of Service and Privacy Policy. | | |

* More detailed definitions are included in our Data Processing Agreement.

Our Business Model

Do you charge employers to post job adverts?

No, we do not. Our business model reflects our mission to democratise opportunity for students and recent grads. Every student and employer can use Handshake for free. We never charge employers for basic employment matching services, including posting a job advert, sending a message or creating an event.

Critically, we never charge employers for posting roles at scale to however many universities in our network they want to reach; we believe doing so would prevent smaller businesses from accessing the talent they need, and block students from seeing the great opportunities that exist within smaller businesses. Core to our mission is a desire to level the playing field; you don’t do that by keeping SMEs from reaching a larger audience.

If you do not charge for job adverts, how does Handshake make money?

We charge Universities an affordable rate for the software and services we provide, and give employers the opportunity to pay for enhanced messaging functionality, branding, and analytics to accelerate and ease the hiring process. 98% of employers across the Handshake network utilise Handshake’s core free product.

For the employers that are paying for our premium outreach tools, they are adding an enhanced capacity to do proactive, targeted outreach at scale. This means they’re able to search broadly for students who want to be found, and send them a direct message in Handshake to notify them about an event, build a relationship, or invite them to apply for a role. Those same outreach tools are available at a more limited scale to all employers for free.

How is Handshake funded?

Handshake is fortunate to have some great investors. Handshake’s first investor was actually Garrett’s (Handshake’s Co-Founder and CEO) Dad, who re-mortgaged their family home to get the business started. Today we have a range of blue-chip investors who are deeply committed to Handshake’s mission, and more importantly, to our business for the long-term. For example, one of our most important investors is Base 10 Partners, which only supports businesses focused on creating better opportunities for underrepresented minorities.

This is fundamentally different from other vendors who are backed by private equity companies, which generally expect a return on their investment on a short (around 3 to 4 year) time horizon. This ownership and funding model incentivizes short term profit over long-term investments.

We’re proud that as we’ve grown to partner with more than 1,500 education partners across the globe, we have built a sustainable revenue model that will ensure our long-term stability and success.

Data Storage and Encryption

Is Handshake GDPR compliant?

As the market leader in the United States, Handshake was GDPR compliant even before entering the UK market; we have supported UK and EU students studying in the US for years. Handshake is fully GDPR compliant, and we perform regular penetration tests on our own application to consistently improve our internal security features.

Where is data stored?

All data (subject to the qualifications explained below) processed by Handshake will be hosted in the United Kingdom and the European Economic Area (EEA). We use Amazon’s hosting services and their world-class security measures, which comply with the formidable bank-level security requirements of the Sarbanes-Oxley Act.

Limited Handshake employees in the United States of America are able to access this data in order to provide the service to users, partners and data subjects. In some cases Handshake and Handshake’s sub-processors may process data outside the United Kingdom and EEA, all of which are publicly available here and linked from our Privacy Policy.

How do you approach data encryption, storage and transmission?

It will come as no surprise to learn that Handshake uses top-of-the-line security infrastructure at the software and network levels, to ensure that student data is always encrypted at rest, responsibly stored, and transmitted securely. This includes the use of TLS/SSL protocols, 256-bit AES data encryption, API call-level authentication, and modern DDoS mitigation controls.

What about regulators and reviews?

Handshake participates in extensive security audits and external code reviews, working with top security firms from the financial services and healthcare industries. Our production infrastructure complies with the following standards, among others: ISO 27001, SOC 1, SOC 2, SSAE 16, ISAE 4302, PCI Level 1, FISMA, and Sarbanes-Oxley.

Trust and Safety

What do you do to tackle fraudulent employers and keep your network safe?

Student safety is of course paramount and it is crucial that universities only present legitimate employers and opportunities to their students.

We partner with Sift and Google’s Web Risk API to validate new employers and monitor for activity and fraud in real time on behalf of our university partners. Sift is an industry leader in digital trust & safety. Through Sift, we gain access to a suite of fraud prevention tools that detect and learn from patterns unique to the Handshake ecosystem, including:

  • Account creation validation: New accounts will be run through a set of checkpoints to look for signs they may be malicious or connected to a malicious user. Attributes will include IP address, email address, the number of devices associated with accounts, and a number of other malicious attributes aggregated across Sift’s customer network.
  • Account takeover: Sift will monitor logins and can trigger multi-factor authentication if there is a suspicious new login.
  • Fraudulent job protection: Sift will monitor new job postings to look for signs of malicious activity.
  • Real-time message monitoring for malicious spam: Sift will also monitor messages sent by employers for malicious activity.
  • Ongoing/real-time risk assessment with machine learning: Sift’s model allows us to monitor for fraudulent activity in real time—both at the point of account creation, and throughout an employer’s time on Handshake.

With Google’s Web Risk API we can also monitor employer website URLs to determine whether they are malicious or a threat.

These partnerships and the Handshake network remove the onus of validating employers from individual university staff members, and allow for more comprehensive real-time monitoring for fraud, from the point of account creation and throughout an employer’s entire tenure using Handshake.

In addition, Handshake makes it easy for our university partners and students to flag any employer or individual user that elicits concern, alerting our dedicated Trust and Safety team for investigation. More information on Flagging Employers is available in our Open Access Help Centre.

How can students keep safe on and off-campus?

Handshake supports modern single sign-on (SSO) options, to ensure your students can enjoy safe, simple access to the platform from any secure identity or device. Our authentication process supports the following SSO protocols, among others: SAML, SAML 2.0, Shibboleth, LDAP, CAS, and TFA.

What’s more, simple, clear settings give students full control over which aspects of their profile are visible to your approved employers. They can also opt in and out at any time.

Should we just take your word for it?

In short - no. As well as partnering with leading privacy experts and security firms to lead the industry in responsible data stewardship, Handshake has been reviewed by independent expert Jisc as part of its Step Up programme. ‘Step Up’ was developed by Jisc in consultation with the HE sector to scrutinise start-ups against key sector requirements and provide institutions with a certain level of assurance when engaging with new enterprises. The full Handshake Step Up report is available here, and an excerpt on Data and Information Security is below.

The Step Up programme reviews technology companies to help education institutions identify the most secure solutions - and, from our talented and experienced team to our long-term financial stability, the Jisc report heralded Handshake as a robust and trusted tech provider.

Lastly, we encourage you to speak to any of our partners across the UK and hear their perspective. We’re confident they will validate our track record of protecting their data, enabling their students to make valuable connections, and co-creating a network that serves their needs.
