Managing Security

At Wamly, security is integrated into every layer of the hiring process to ensure that sensitive organisational and candidate data remains protected. Our security framework relies on a combination of industry-standard authentication protocols, including Single Sign-On (SSO) for enterprise environments and Multi-Factor Authentication (MFA), alongside a strict Role-Based Access Control (RBAC) system. By centralising security management under the 'My Organisation' tab, System Managers can maintain a complete audit trail via the Activity History module, ensuring that every administrative change is tracked and that data access is restricted solely to the departments and projects where it is required.

User Authentication and Access

Multi-Factor Authentication (MFA): If enforced by the organisation, users must set up MFA via a secondary email or SMS. Wamly recommends using SMS as most workers have easier access to phones than personal email.

Single Sign-On (SSO): Available for Enterprise-level organisations, this allows users to access Wamly via their company's identity provider (e.g. Azure AD or Google Workspace).
Info: For detailed steps on setting up your Single Sign-On (SSO), please refer to this article.

Password Requirements: Passwords must be at least 8 characters and include a number, special character, and both uppercase and lowercase letters.

OTP Verification: 6-digit One-Time Pins (OTP) are used during signup, password resets, and manual login attempts to verify email access.
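The password rules and the 6-digit OTP flow described above, written out as an added example (this is illustrative code, not Wamly's own implementation). The password check applies exactly the four rules stated on this page; the OTP part adds the server-side safeguards a practitioner would expect around a 6-digit pin. The OTP lifetime (300 seconds), the attempt budget (5) and the single-use rule are assumptions, since the page does not state them.

```python
import hmac
import secrets
import string
import time
from dataclasses import dataclass
from typing import List, Optional

# Password policy as stated on the page: at least 8 characters, with a digit,
# a special character, an uppercase letter and a lowercase letter.
MIN_PASSWORD_LENGTH = 8
SPECIAL_CHARS = set(string.punctuation)


def password_policy_violations(password: str) -> List[str]:
    """Return the names of the rules the password fails (empty list = compliant)."""
    failures = []
    if len(password) < MIN_PASSWORD_LENGTH:
        failures.append("length")
    if not any(c.isdigit() for c in password):
        failures.append("digit")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("special")
    if not any(c.isupper() for c in password):
        failures.append("uppercase")
    if not any(c.islower() for c in password):
        failures.append("lowercase")
    return failures


OTP_LENGTH = 6
OTP_TTL_SECONDS = 300   # assumed lifetime; the page states no value
OTP_MAX_ATTEMPTS = 5    # assumed attempt budget; the page states no value


@dataclass
class OtpChallenge:
    code: str
    issued_at: float
    attempts: int = 0
    used: bool = False


def issue_otp(now: Optional[float] = None) -> OtpChallenge:
    """Generate a 6-digit pin from a CSPRNG (leading zeros are allowed)."""
    code = "".join(secrets.choice(string.digits) for _ in range(OTP_LENGTH))
    return OtpChallenge(code=code, issued_at=time.time() if now is None else now)


def verify_otp(challenge: OtpChallenge, submitted: str,
               now: Optional[float] = None) -> str:
    """Return 'ok', 'used', 'expired', 'locked' or 'mismatch'.

    Checks run in that order so a replayed or stale pin is rejected before
    the attempt counter is touched, and a brute-force budget applies to the
    rest. The comparison is constant-time so response timing does not leak
    how many leading digits matched.
    """
    now = time.time() if now is None else now
    if challenge.used:
        return "used"
    if now - challenge.issued_at > OTP_TTL_SECONDS:
        return "expired"
    if challenge.attempts >= OTP_MAX_ATTEMPTS:
        return "locked"
    challenge.attempts += 1
    if hmac.compare_digest(challenge.code.encode(), submitted.encode()):
        challenge.used = True   # single use: a correct pin cannot be replayed
        return "ok"
    return "mismatch"


if __name__ == "__main__":
    print(password_policy_violations("password"))   # rules this weak value fails
    challenge = issue_otp()
    print(verify_otp(challenge, challenge.code))      # ok
    print(verify_otp(challenge, challenge.code))      # used
```

The verifier returns a status string rather than a bare boolean so the caller can distinguish "expired, send a new pin" from "locked, stop accepting pins for this challenge"; both outcomes should be logged with the same care as a successful login.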

Data Security and Audit Logs

Security Tab: Only System Managers can access global security settings under the MY ORGANISATION tab.

Activity History: This is the only module currently providing a front-end audit log, allowing users to see every update made to security settings and by whom.

User Records: Users can never be deleted, only deactivated, because their profiles are required to maintain the platform's audit trail.

Candidate Consent: For background checks, candidate data and consent are collected upfront. Only System Managers can view or download the generated PDF consent documents for audit purposes.

Role-Based Restrictions

Permission Layers: Security is maintained by strictly limiting visibility based on roles (System Manager, Administrator, Rater).

Department Isolation: Administrators are restricted to data within their allocated departments, preventing unauthorized access to other areas of the organisation.

Sensitive Data Visibility: Rater settings can be configured to hide specific sensitive information, such as psychometric or background check results, on a per-project basis.
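The access model described in the Data Security and Audit Logs and Role-Based Restrictions sections, as an added example (illustrative code, not Wamly's own): System Manager-only security settings whose every change lands in an append-only activity history with the actor recorded, users that are deactivated rather than deleted, Administrators confined to their allocated departments, and per-project rater settings that strip psychometric or background check fields from what a Rater sees. The `assigned_projects` attribute for Raters, the `hidden_from_raters` setting on a project, and the rule that only a System Manager may deactivate users are assumptions; the page does not specify those details. All sample users, projects and candidate records are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Set

# Roles named on the page.
SYSTEM_MANAGER = "System Manager"
ADMINISTRATOR = "Administrator"
RATER = "Rater"


@dataclass
class User:
    user_id: str
    role: str
    departments: Set[str] = field(default_factory=set)        # Administrators only
    assigned_projects: Set[str] = field(default_factory=set)  # Raters only (assumed)
    active: bool = True


@dataclass
class Project:
    project_id: str
    department: str
    # Assumed per-project rater setting naming the fields hidden from Raters.
    hidden_from_raters: Set[str] = field(default_factory=set)


@dataclass
class Organisation:
    users: Dict[str, User] = field(default_factory=dict)
    projects: Dict[str, Project] = field(default_factory=dict)
    security_settings: Dict[str, str] = field(default_factory=dict)
    activity_history: List[dict] = field(default_factory=list)  # append-only audit log

    def _log(self, actor: User, action: str, detail: str) -> None:
        self.activity_history.append(
            {"actor": actor.user_id, "action": action, "detail": detail})

    def can_view_project(self, user: User, project: Project) -> bool:
        """Department isolation: deactivated users see nothing, System Managers see
        everything, Administrators only their departments, Raters only assigned projects."""
        if not user.active:
            return False
        if user.role == SYSTEM_MANAGER:
            return True
        if user.role == ADMINISTRATOR:
            return project.department in user.departments
        if user.role == RATER:
            return project.project_id in user.assigned_projects
        return False

    def candidate_view(self, user: User, project: Project, record: dict) -> dict:
        """Return the candidate record as this user is permitted to see it."""
        if not self.can_view_project(user, project):
            raise PermissionError(f"{user.user_id} may not view {project.project_id}")
        if user.role == RATER:
            # Per-project rater setting hides the configured sensitive fields.
            return {k: v for k, v in record.items() if k not in project.hidden_from_raters}
        return dict(record)

    def update_security_setting(self, actor: User, key: str, value: str) -> None:
        """Global security settings are System Manager-only; every change is logged."""
        if not actor.active or actor.role != SYSTEM_MANAGER:
            raise PermissionError("security settings are restricted to System Managers")
        old = self.security_settings.get(key)
        self.security_settings[key] = value
        self._log(actor, "security_setting_changed", f"{key}: {old!r} -> {value!r}")

    def deactivate_user(self, actor: User, target_id: str) -> None:
        """Users are deactivated, never deleted, so audit entries keep a valid actor."""
        if not actor.active or actor.role != SYSTEM_MANAGER:   # assumed restriction
            raise PermissionError("only System Managers may deactivate users")
        self.users[target_id].active = False
        self._log(actor, "user_deactivated", target_id)


def build_demo_org() -> Organisation:
    """Constructed sample data (not real Wamly data) for exercising the checks."""
    org = Organisation()
    org.users["sm1"] = User("sm1", SYSTEM_MANAGER)
    org.users["adm_sales"] = User("adm_sales", ADMINISTRATOR, departments={"Sales"})
    org.users["rater1"] = User("rater1", RATER, assigned_projects={"proj-sales-1"})
    org.projects["proj-sales-1"] = Project("proj-sales-1", "Sales",
                                           hidden_from_raters={"psychometric_results"})
    org.projects["proj-eng-1"] = Project("proj-eng-1", "Engineering")
    return org


if __name__ == "__main__":
    org = build_demo_org()
    org.update_security_setting(org.users["sm1"], "mfa_enforced", "true")
    print(org.activity_history)
```

Deactivation leaves the user object in place, so the `actor` field of every historical activity entry still resolves to a real profile; that is the reason the page gives for never deleting users, and the same property is what makes the activity history usable as an audit trail.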