Secure & GDPR-Compliant Immigration Platform

Jobbatical is built as a privacy-first immigration software with GDPR compliance embedded by design — not retrofitted. The platform enforces data minimization through role-based permissions, encrypts all immigration data at rest and in transit, stores data in EU-based data centers, and maintains immutable audit logs for every action taken. A full Data Processing Agreement (DPA), vetted sub-processor list, and ISO 27001-aligned security practices ensure organizations can demonstrate compliance to regulators at any time.

(Reworked from "role-based permissions" → "RBAC" to target the higher-value keyword)

RBAC in Jobbatical assigns granular access permissions to each user role — HR admins, recruiters, finance teams, immigration specialists, and employees — ensuring that sensitive visa, permit, passport, and family data is only visible to those who genuinely need it. This enforces GDPR's data minimization and need-to-know principles by design, reducing insider risks and preventing accidental data exposure across teams. All permissions are fully configurable and auditable through the platform's immutable audit trail.

Yes — Jobbatical includes built-in two-factor authentication (2FA) for all platform users, supporting authenticator apps, SMS codes, and hardware security keys. 2FA can be configured as mandatory across the entire organization or optional per team to match your enterprise security policy. This significantly reduces the risk of unauthorized access even when credentials are compromised — a critical security layer for any team managing sensitive immigration cases across borders.

Yes. Jobbatical holds ISO 27001 certification — the internationally recognized standard for information security management systems (ISMS). This validates that Jobbatical's security controls across risk management, access control, incident response, and data handling are independently verified and regularly audited. For enterprise procurement and compliance teams evaluating immigration software vendors, ISO 27001 certification provides documented, auditable assurance beyond self-declaration.

All immigration data processed through Jobbatical is stored in EU-based data centers, keeping it within the European Economic Area (EEA) without requiring additional cross-border transfer safeguards. For any third-party sub-processors, Jobbatical maintains a vetted sub-processor list with appropriate GDPR-compliant mechanisms — including Standard Contractual Clauses (SCCs) where applicable. This gives HR and legal teams full visibility into how and where employee data moves, a core requirement for GDPR compliance.

Yes. Jobbatical provides a full Data Processing Agreement (DPA) aligned with GDPR Article 28, covering its role as data processor, client responsibilities as data controller, sub-processor management, data subject rights, security obligations, and breach notification procedures. The DPA is available to all clients as part of onboarding and can be accessed directly at jobbatical.com/data-processing-agreement. Compliance and legal teams can review it as part of vendor due diligence before deployment.

Jobbatical's platform supports all GDPR data subject rights — including access, rectification, restriction of processing, and erasure — through immutable audit logs that record every action taken on individual immigration records. This enables HR and compliance teams to respond accurately to DSARs within the legally required 30-day window, backed by verifiable evidence of every data interaction. The same audit infrastructure supports internal compliance reviews, regulatory inspections, and legal hold requirements.

Jobbatical encrypts all immigration data both at rest and in transit using industry-standard encryption protocols. Passports, visas, permits, biometric details, and personal documents are protected end-to-end, ensuring no unencrypted sensitive data is exposed during transmission or storage. Combined with EU-based data centers, ISO 27001-aligned practices, and annual penetration testing, this meets the technical security requirements under GDPR Article 32 — giving enterprise clients verifiable protection for their employees' most sensitive personal data.