At CodeSubmit, we are committed to preserving our users’ rights to data privacy and data protection. As a company originally headquartered in the EU, we have prioritized GDPR compliance from the beginning. To that end, we have implemented both technical and organizational measures to ensure full compliance with the GDPR.
Data Processing and Ownership
Throughout the hiring process, our customers will collect Personally Identifiable Information (PII) from their candidates. This information is used to build candidate profiles and to administer technical interviews and assessments with our software. When a candidate is invited to an assessment on CodeSubmit, we store the following PII on behalf of our customer:
- Name (first and last)
- Email address
Data Subject Rights
Under the GDPR, individuals may exercise their rights to data portability, data rectification, and their right to be forgotten at any organization where they apply for employment. A simple way to think of this is as Candidate Data Rights under the GDPR.
We collect candidate data on behalf of our customers, and any requests regarding accessing, editing, or deleting candidate data will be forwarded to our customers. We allow our customers to access their candidate data and comply with requests from their candidates in-app. This way, our customers are always in control of their candidate data.
The customer can determine if their candidate’s request is valid and can be fulfilled. We will take action based on the direction provided by our customer on how to proceed with any such request.
As a processor, CodeSubmit provides flexibility to our customers to determine their own data policies and how they may offer these rights to their candidates. This includes the ability to access, edit, and delete information regarding a candidate. We also provide the ability to set a routine data deletion process at a cadence determined by the customer.
Data within CodeSubmit is secured using industry-standard encryption. Data can be transferred outside EU borders if our customer and CodeSubmit have entered into a contract that includes contractual clauses specified by the EU. CodeSubmit uses a standard EU-specific data transfer and processing agreement to ensure compliance with the GDPR.
The GDPR also stipulates that personally identifiable data should not be stored indefinitely. CodeSubmit’s data retention policy provides flexibility to our customers to define how long their candidates’ PII should be stored and when it should be deleted. Data is stored for the duration of the contracted period with our customer, as well as a grace period thereafter.
Data Breach Prevention and Mitigation
We have sufficient data monitoring mechanisms in place to become aware of any data breach. In case a personal data breach occurs, we will send breach notifications per our internal incident response policy (within 72 hours of us discovering the breach). This will give sufficient time for our customers to convey the breach to the respective authorities.
Additionally, we will notify the concerned party through email (using the primary email address) for incidents specific to an individual user or an organization.
At CodeSubmit, we are committed to the security and privacy of your data. We’re glad to comply and help you to comply with the GDPR. If you have any questions about your rights under the GDPR as a user, or how CodeSubmit can help you with compliance as a customer, please get in touch with firstname.lastname@example.org.
Frequently Asked GDPR Questions:
What data do we collect?
When a candidate begins an assessment on CodeSubmit, we store the following candidate information on behalf of our customer:
- Email address
If the hiring manager uses a CodeSubmit account for inviting candidates to assessments, then we store the following information:
- Email address
Where is candidate data stored?
CodeSubmit candidate data is stored in Frankfurt, Germany.
Who is responsible for candidate data?
CodeSubmit customers own the data of all candidates. The responsibility of updating and deleting all candidate data when requested by a candidate lies with the customer. CodeSubmit is happy to provide our customers with the necessary support to carry out such requests.
How long is candidate data stored?
It depends on the customer. For customers located within the EU, we provide a GDPR setting that, when enabled, ensures the deletion of candidate data 6 months following the hiring decision. In addition, we always support data deletion through requests sent to email@example.com for all of our users.
Who has access to candidate data?
The following people have access to candidate data on CodeSubmit:
- Hiring managers who administer the assessment.
- Reviewers who review the assessment.
- Candidates themselves upon request to the customer.
- The CodeSubmit internal team when a support request is raised by the customer and data access is necessary to support the request.
Does CodeSubmit maintain any subprocessor relationships?
CodeSubmit is a data processor and engages certain onward subprocessors that may process personal data submitted to CodeSubmit's services by the customer. These subprocessors are listed below with a description of the service and the location where data is hosted. This list may be updated from time to time:
- Amazon Web Services, Inc. for hosting infrastructure, databases, and file storage, as well as log files (Frankfurt, Germany)
- Google Inc., specifically Google Analytics, for improvements to the platform based on user behavior analytics (USA)
- Intercom, Inc. for customer support (USA)
- Stripe, Inc. for payment processing (USA)
- Userlist, Inc. for email automation (USA)
How can a customer request the deletion of candidate data?
Customers may "archive" candidates themselves at any time in-app, and this data will be marked for deletion. Furthermore, you can email us at firstname.lastname@example.org with a list of candidate data to be deleted.
Can deleted data be reinstated?
No, we cannot retrieve or reinstate deleted data.
If you accidentally clicked an "archive" button, please write to us at email@example.com to see if it is possible to restore the data.