Zappyhire's Commitment to GDPR Compliance

Understanding Our Role: Data Controllers vs. Data Processors

In the recruitment ecosystem, roles and responsibilities are clearly defined under GDPR:

• Data Controller: As our client, data controller determines what candidate data is collected, why it's needed, and how long it should be kept.

• Zappyhire's Role (Data Processor): Zappyhire processes candidate information solely based on the data controller's instructions and on behalf of the data controller. Zappyhire does not make hiring decisions or use your data for any purpose other than providing the platform for the data controller.

What Candidate Information Do We Handle?

When candidates interact with your organization through Zappyhire—whether they apply directly or you reach out to them—we store the following information, but not limited to:

• Contact details (email, phone, name and other information as configured by the data controller)

• Resume files and extracted information

• Interview Scores and Feedback

• Assessment Data

• Proctoring Data as configured by the data controller

• and more data as configured by the data controller

Legal Basis for Processing

GDPR Articles 5 and 6 require that data collection must be lawful, fair, and transparent. We ensure this by:

• Verifying that candidates have provided consent to be considered for positions

• Maintaining clear privacy policies that explain our data handling practices

• Processing data only for the specific recruitment purposes you've defined

To formalize our relationship and responsibilities, we provide a Data Processing Addendum (DPA) that the data controller has to review and sign. Contact privacy@zappyhire.com for more details.

Empowering Candidate Rights

GDPR grants candidates several fundamental rights regarding their personal information:

The Right to Access, Correct, and Delete

Candidates may request to view their data, update incorrect information, or ask for deletion. Here's how we handle this. The response to the requests raised by the candidate on privacy@zappyhire.com will be responded to in under 14 working days.

1. Request received: Candidates contacts the Data Controller or Zappyhire

2. Zappyhire forwards to Data Controller: If they contact Zappyhire, we route the request to the Data Controller

3. Data Controller decides: Based on legitimate business interests and legal requirements, Data Controller determines how to fulfill the request and it is communicated to the Data Subject

4. Data Processor executes: Zappyhire platform will help the data subject with an email to collect the details to manage access, modify, or delete candidate data as needed. Email communication from privacy@zappyhire.com will be used for all this purpose.

Flexible Data Management Tools

We've built Zappyhire to give you complete control:

• Manual actions: Review and respond to individual candidate requests

• Automated policies: Manage data deletion based on data controller's retention requirements

• Audit trails: Track every key actions taken on candidate data (required under Article 30)

Security & International Data Transfers

Encryption & Infrastructure

The candidate data is protected with:

• Industry-standard encryption throughout our system

• Hosting on Google Cloud (asia-south1)

• Compliance with Google Cloud Data Processing Agreement and Google Cloud Security and Privacy Policy

Cross-Border Data Transfers

If the data controller is an EU-based organization or processing EU candidates' data, GDPR Articles 46 and 49 govern international transfers. We address this through:

• Contractual safeguards: EU-specific data transfer agreements with standard contractual clauses

• Legal basis: Transfers necessary for performing contracts between you and candidates

Data Retention Philosophy

GDPR prohibits indefinite data storage. With Zappyhire:

• The retention period is as agreed in the data controller's contract with Zappyhire

• Data is stored during the active contract period (as agreed by the data controller) plus a grace period

• You can customize retention policies to match your legal obligations and business needs in the data controller's contract with Zappyhire

Transparency Through Audit Logs

Article 30 requires maintaining records of all data processing activities. Zappyhire automatically logs:

• Who accessed candidate data and when

• What changes were made

• When data was shared or deleted

You can request for these logs by emailing us at privacy@zappyhire.com.

Our Data Breach Response Protocol

Your trust is paramount. If a security incident occurs:

Our 72-Hour Commitment

Article 33 mandates reporting breaches to supervisory authorities within 72 hours. We ensure:

1. Rapid detection: Continuous monitoring systems identify potential breaches quickly

2. Immediate notification: We notify data controller within 72 hours of discovery

3. Detailed communication: Our notification includes all information required by Article 33

4. Adequate response time: Data controller will have sufficient time to report to relevant authorities

Public Communication

• General incidents: Announced via our blog and social media

• Specific incidents: Affected individuals/organizations notified directly by email

Key Takeaways

• ✓ Infrastructure: Hosted on Google Cloud (asia-south1) with compliant data processing agreements

• ✓ Candidate requests: Managed through you (the Data Controller) with our platform tools supporting compliance

• ✓ Retention periods: Customized per client contract, with secure, encrypted backups

• ✓ Data anonymization: Available as a product feature or by request

• ✓ Data Security: Zappyhire does not sell or use candidate data for advertising or profiling

• ✓ Privacy governance: Dedicated privacy champions embedded in every team

Questions or Requests?

We're here to help you navigate GDPR compliance confidently.

Email: privacy@zappyhire.com

For data deletion or anonymization requests: privacy@zappyhire.com