Adaface's GDPR Commitment
We are committed to honoring our users’ rights to data privacy and protection. Even if our users might not be based in the EU, their candidates may be, so it is important that Adaface become GDPR compliant to ensure all our clients are covered. We have implemented technical and organizational measures to be fully compliant with GDPR.
Data processing and ownership
During the course of recruiting, our clients need to collect PII (Personally Identifiable Information) from candidates to build a profile and perform an automated evaluation using our assessment chatbot.
When a candidate begins an assessment session initiated by an Adaface client, we store the following information of the candidate on behalf of our client:
- Email address
- Optional at the client's discretion: Phone number, the last school attended, academic degree, major, programming experience, resume, and a link to social profiles (GitHub, LinkedIn, etc).
- Metadata collected for proctoring: IP Address, Webcam snapshots, Browser usage data and Session recording data. Some of these data points are optional and collected at client's discretion.
If the recruiter uses an Adaface account for inviting candidates to assessments, we store the following information:
- Email address
- Phone number (Optional)
Data Subject Rights
Under GDPR, individuals have the right to ask the organizations they apply to for the right to portability, rectify and be forgotten. Adaface collects candidates' data on behalf of our clients, any requests regarding accessing/ editing/ deleting of candidates' data will be forwarded to our clients. We give our clients the mechanisms to access their candidates’ data and also comply with requests from their candidates. This way, our customers are always in control of their candidate data.
Our client can determine if the candidate’s request is valid and can be fulfilled. We will take action based on the direction provided by our client on how to proceed with any such request.
As a processor, Adaface gives flexibility to our clients to determine their data policies, which offer rights to their candidates. This includes the ability to access / edit/ delete information regarding a candidate. We also give the ability to set a routine data deletion process at a cadence determined by the client.
Data within Adaface is secured using industry-standard encryption. Data can be transferred outside EU borders if our client and Adaface have entered into a contract that includes contractual clauses specified by EU. Adaface has a standard EU-specific data transfer and processing agreement to ensure compliance with GDPR.
GDPR also stipulates that personally identifiable data should not be stored indefinitely. Adaface's data retention policy provides flexibility to our client to define how long their candidates’ PII should be stored and when it should be deleted. Data is stored for the duration of the contracted period with our client, and a grace period thereafter.
Adaface maintains a detailed audit log of all the activities. As part of compliance, Adaface will add any additional activities that our clients need to be recorded. These logs are viewable in our dashboard or can be requested for export/ deletion by contacting us at [email protected]
Data Breach and Mitigation Process
We have sufficient data monitoring mechanisms in place to become aware of any data breach. In case a personal data breach occurs, we will send breach notifications in accordance with our internal incident response policy (within 72 hours of us discovering the breach). This will give sufficient time for our clients to convey the breach to the respective authorities. Additionally, we will notify users through our blogs and social media for general incidents. We will notify the concerned party through email (using the primary email address) for incidents specific to an individual user or an organization.
Our security infrastructure standards
Protecting our customers’ information and their users’ and candidates' privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security.
Adaface has invested heavily in building a robust security team, one that can handle a variety of issues – everything from threat detection to building new tools. In accordance with GDPR requirements relating to security incident notifications, Adaface will continue to meet its obligations and offer contractual assurances.
If you’d like to learn more about Adaface’s security policies and procedures, please see our security page. It provides detailed information on how we approach security, and includes a white paper on how Adaface ensures user data security in particular, including our technical and organisational measures(TOMs), as well as our encryption standards.
At Adaface, we are committed to the security and privacy of your data. So we’re glad to comply, and help you to comply with the GDPR. If you have any questions about your rights under the GDPR as a user, or how Adaface can help you with compliance as a customer, we hope that you’ll get in touch with us at [email protected] Please also visit our Trust Guide to learn more about our privacy, security and compliance programmes.
Industry-accepted best practices and frameworks
Our security approach focuses on security governance, risk management and compliance. This includes encryption at rest and in transit, network security and server hardening, administrative access control, system monitoring, logging and alerting, and more.
We evaluated several of their competitors and found Adaface to be the most compelling. Great default library of questions that are designed to test for fit rather than memorization of algorithms.