We are committed to honoring our users’ rights to data privacy and protection. Even if our users might not be based in the EU, their candidates may be, so it is important that Adaface become GDPR compliant to ensure all our clients are covered. Being GDPR-ready has been one of the highest priority this year (2019), and we have implemented technical and organizational measures to be fully compliant with GDPR.
If you are looking for specific questions under GDPR, read our GDPR FAQs document here.
Data processing and ownership
During the course of recruiting, our clients need to collect PII (Personally Identifiable Information) from candidates to build a profile and perform an automated evaluation using our assessment chatbot. Because we process candidates on behalf of our customers, according to GDPR, we are considered a Data Processor and our customers are regarded as Data Controllers.
When a candidate begins an assessment session initiated by an Adaface client, we store the following information of the candidate on behalf of our client:
- Email address
- First and last name
- Phone number
- Optional at the client's discretion: The last school attended, academic degree, major, programming experience, resume, and a link to social profiles (GitHub, LinkedIn, etc).
If the user uses an Adaface client account for inviting candidates to assessments, we store the following information:
- Email address
- Phone number
Data Subject Rights
Under GDPR, individuals have the right to ask the organizations they apply to for the right to portability, rectify and be forgotten. Adaface collects candidates' data on behalf of our clients, any requests regarding accessing/ editing/ deleting of candidates' data will be forwarded to our clients. We give our clients the mechanisms to access their candidates’ data and also comply with requests from their candidates. This way, our customers are always in control of their candidate data.
While GDPR requires that a data subject can revoke their consent at any time, pursuant to the above stipulations in Article 6, it also allows this request to be declined if the processing of this information is required for legitimate interests pursued by the data controller. In other words, our client (the data controller) can determine if the candidate’s (data subject’s) request is valid and can be fulfilled. We will take action based on the direction provided by our client on how to proceed with any such request.
As a processor, Adaface gives flexibility to our clients to determine their data policies, which offer rights to their candidates. This includes the ability to access / edit/ delete information regarding a candidate. We also give the ability to set a routine data deletion process at a cadence determined by the client.
Data within Adaface is secured using industry-standard encryption. Under Article 46 of the regulation, data can be transferred outside EU borders if the processor has appropriate security measures in place and if our client (the data controller) and Adaface (data processor) have entered into a contract that includes contractual clauses specified by EU. Adaface has a standard EU-specific data transfer and processing agreement to ensure compliance with GDPR. Article 49 provides an additional basis for such a transfer. Transfer of data is allowed where “necessary for the performance of a contract between the data subject and the data controller”.
GDPR also stipulates that personally identifiable data should not be stored indefinitely. Adaface's data retention policy provides flexibility to our client (the data controller) to define how long their candidates’ PII should be stored and when it should be deleted. Data is stored for the duration of the contracted period with our client, and a grace period thereafter.
According to Article 30 of GDPR, our clients need to maintain a record of all activities pertaining to the personal information of a data subject. Adaface maintains a detailed audit log of all the activities. As part of compliance, Adaface will add any additional activities that our clients need to be recorded. These logs are viewable in our dashboard or can be requested for export/ deletion by contacting us at firstname.lastname@example.org.
Data Breach and Mitigation Process
Article 33 states that for any potential data breach, the supervisory authority (our client) must be notified within 72 hours of occurrence. We have sufficient data monitoring mechanisms in place to become aware of any such breach. In case a personal data breach occurs, we will send breach notifications in accordance with our internal incident response policy (within 72 hours of us discovering the breach). The communication will be sent as per the guideline mentioned in Article 33. This will give sufficient time for our clients to convey the breach to the respective authorities. Additionally, we will notify users through our blogs and social media for general incidents. We will notify the concerned party through email (using the primary email address) for incidents specific to an individual user or an organization.
- Adaface tech deployment uses AWS (US East Ohio) and Google Firebase (US central). This is permitted under GDPR thanks to the AWS Data Processing Agreement and Firebase Privacy and Security Policy
- Any data requests from candidates will be routed through our clients who need to process the data requests. Adaface provides functionality to comply with any such requests.
- The duration of data storage would be customized on a client-to-client basis as per the contract. We will store the data for the stipulated time in the contract and a grace period thereafter.
- Data backups are kept safe, and strongly encrypted. We have provisions to anonymize data.
- We provide product features to anonymize/ delete data. We also delete data by request to email@example.com.
- We have appointed internal privacy champions for all our teams
For any queries, please contact us at firstname.lastname@example.org