Your Data Protection Rights

GDPR Compliance

At CodeSubmit, we are committed to preserving our users' rights to data privacy and data protection. As a company originally headquartered in the EU, we have prioritized GDPR compliance from the beginning. To that end, we have implemented both technical and organizational measures to ensure full compliance with the GDPR.

Last updated: January 1st, 2025

Data Processing Agreements Available

We provide comprehensive Data Processing Agreements (DPAs) to ensure your business maintains full GDPR compliance when using CodeSubmit for technical assessments.

Our DPAs include all necessary contractual clauses, EU-approved standard terms, and legal protection for your organization's data processing activities.

  • Custom DPA Available: We provide tailored Data Processing Agreements with EU-approved standard contractual clauses that meet your specific business requirements and ensure full GDPR compliance.
  • Legal Protection & Compliance: Our DPAs include all necessary contractual clauses to protect your organization, ensure proper data handling, and meet international data transfer requirements.
  • Request Your DPA: Ready to get started? Contact us at hello@codesubmit.io to request your customized Data Processing Agreement.

Data Processing and Ownership

Throughout the hiring process, our customers will collect Personally Identifiable Information (PII) from their candidates. This information is used to build candidate profiles and to administer technical interviews and assessments with our software. When a candidate is invited to an assessment on CodeSubmit, we store the following PII on behalf of our customer:

  • Name (first and last)
  • Email address

This data comes under the purview of the GDPR. CodeSubmit ensures that we obtain consent from candidates as they sign up (using their invited emails to access our coding assessment). Our privacy policy clearly states how we process information, and all candidate information we receive or collect is handled securely and with adequate data protection measures in place.

Data We Collect

  • Candidate Information: Name and email address only
  • Assessment Data: Code submissions and responses
  • Customer Data: Hiring manager information

Minimal data collection approach

Data Collection & Processing Details

What This Means for You

Understanding how your data is collected, processed, and protected is essential for making informed decisions about participating in technical assessments.

  • Minimal Data Collection: We only collect what's necessary: your name and email address. No sensitive personal information, browsing history, or device data is stored.
  • Consent-Based & Purpose-Limited: Your participation is voluntary and your data is used exclusively for technical assessment and hiring evaluation. It's never used for marketing or sold to third parties.
  • Customer Data Ownership: The hiring company owns your data, not CodeSubmit. We process it on their behalf according to strict contractual obligations and GDPR requirements.

Data Subject Rights

Under the GDPR, individuals may exercise their rights to data portability, data rectification, and their right to be forgotten at any organization where they apply for employment. A simple way to think of this is as Candidate Data Rights under the GDPR.

We collect candidate data on behalf of our customers, and any requests regarding accessing, editing, or deletion of candidate data will be forwarded to our customers. We allow our customers to access their candidate data and comply with requests from their candidates in-app. This way, our customers are always in control of their candidate data.

The customer can determine if their candidate's request is valid and can be fulfilled. We will take action based on the direction provided by our customer on how to proceed with any such request.

As a processor, CodeSubmit provides flexibility to our customers to determine their own data policies and how they may offer these rights to their candidates. This includes the ability to access, edit, and delete information regarding a candidate. We also provide the ability to set a routine data deletion process at a cadence determined by the customer.

How to Exercise Your Rights

1. Contact the Hiring Company: They own your data and handle all requests directly
2. Specify Your Request: Access, correction, deletion, or data portability
3. Receive Response: They evaluate and respond within 30 days

We support customers in fulfilling requests

GDPR Data Subject Rights Explained

Your Rights as a Candidate

As a data subject under GDPR, you have specific rights regarding your personal data. Here's how these rights apply to your CodeSubmit assessment experience.

  • Right to Access & Rectification: You can request to see what personal data is stored about you and request corrections to inaccurate or incomplete information. Contact the hiring company directly for these requests.
  • Right to Erasure: You can request deletion of your personal data under certain circumstances. The hiring company will evaluate and respond to erasure requests following GDPR guidelines.
  • Right to Portability: You can request to receive your personal data in a structured, commonly used format or have it transferred to another controller for your convenience.

Automated GDPR Compliance Settings

Data Management & Retention

Data within CodeSubmit is secured using industry-standard encryption. Data can be transferred outside EU borders if our customer and CodeSubmit have entered into a contract that includes contractual clauses specified by the EU. CodeSubmit uses a standard EU-specific data transfer and processing agreement to ensure compliance with the GDPR.

The GDPR also stipulates that personally identifiable data should not be stored indefinitely. Customers can configure automatic data deletion settings to ensure compliance: data can be automatically and completely wiped from our servers either 3 or 6 months after invite.

This automated deletion feature ensures your organization maintains ongoing GDPR compliance without manual intervention, giving you peace of mind that candidate data is handled responsibly.

How We Protect Your Information

Security & Data Protection

Learn about the technical and organizational measures we implement to ensure your data is protected throughout the assessment process.

  • Industry-Standard Encryption: All data is encrypted both in transit and at rest using advanced encryption standards. Your information is protected against unauthorized access at all times.
  • EU Data Location & Transfers: Your data is stored in Frankfurt, Germany, ensuring compliance with EU data protection laws. When transfers are necessary, we use EU-approved contractual clauses.
  • Smart Data Retention: We don't store data indefinitely. Customers can set their own retention periods, and we provide automated deletion options for EU customers to maintain compliance.

Data Breach Prevention and Mitigation

We have sufficient data monitoring mechanisms in place to become aware of any data breach. In case a personal data breach occurs, we will send breach notifications per our internal incident response policy (within 72 hours of us discovering the breach). This will give sufficient time for our customers to convey the breach to the respective authorities.

Additionally, we will notify the concerned party through email (using the primary email address) for incidents specific to an individual user or an organization.

At CodeSubmit, we are committed to the security and privacy of your data. We're glad to comply and help you to comply with the GDPR. If you have any questions about your rights under the GDPR as a user, or how CodeSubmit can help you with compliance as a customer, please get in touch with hello@codesubmit.io.

Proactive Security Measures

Breach Response & Monitoring

Our comprehensive approach to data breach prevention and response ensures your personal information remains secure throughout the assessment process.

  • 24/7 Monitoring & Detection: We maintain continuous monitoring systems to detect any unusual activity or potential security threats to your data immediately and respond proactively.
  • GDPR-Compliant Notifications: If a breach occurs, we follow strict GDPR guidelines to notify relevant authorities within 72 hours and communicate directly with affected individuals via email.
  • Comprehensive Response Plan: We have detailed incident response procedures in place to minimize impact, contain breaches quickly, and prevent future occurrences through systematic improvements.

Frequently Asked GDPR Questions

What data do we collect?

When a candidate begins an assessment on CodeSubmit, we store the following candidate information on behalf of our customer:

  • Name
  • Email address

If the hiring manager uses a CodeSubmit account for inviting candidates to assessments, then we store the following information:

  • Name
  • Email address

Where is candidate data stored?

CodeSubmit candidate data is stored in Frankfurt, Germany.

Who is responsible for candidate data?

CodeSubmit customers own the data of all candidates. The responsibility of updating and deleting all candidate data when requested by a candidate lies with the customer. CodeSubmit is happy to provide our customers with the necessary support to carry out such requests.

How long is candidate data stored?

It depends on the customer. For customers located within the EU, we provide a GDPR setting that, when enabled, ensures the deletion of candidate data 6 months following the hiring decision. In addition, we always support data deletion through requests sent to hello@codesubmit.io for all of our users.

Who has access to candidate data?

The following people have access to candidate data on CodeSubmit:

  • Hiring managers who administer the assessment
  • Reviewers who review the assessment
  • Candidates themselves upon request to the customer
  • The CodeSubmit internal team when a support request is raised by the customer and data access is necessary to support the request

Does CodeSubmit maintain any subprocessor relationships?

CodeSubmit is a data processor and engages certain onward subprocessors that may process personal data submitted to CodeSubmit's services by the customer. These subprocessors are listed below with a description of the service and the location where data is hosted. This list may be updated from time to time:

  • Amazon Web Services, Inc. for hosting infrastructure, databases, and file storage, as well as log files (Frankfurt, Germany)
  • Google Inc., specifically Google Analytics, for improvements to the platform based on user behavior analytics (USA)
  • Intercom, Inc. for customer support (USA)
  • Stripe, Inc. for payment processing (USA)
  • Userlist, Inc. for email automation (USA)

How can a customer request the deletion of candidate data?

Customers may "archive" candidates themselves at any time in-app, and this data will be marked for deletion. Furthermore, you can email us at hello@codesubmit.io with a list of candidate data to be deleted.

Can deleted data be reinstated?

No, we cannot retrieve or reinstate deleted data.

If you accidentally clicked an "archive" button, please write to us at hello@codesubmit.io to see if it is possible to restore.

Practical Next Steps

Take Action

Ready to exercise your rights or need help with GDPR compliance? Here are the practical steps you can take today.

  • For Candidates: Contact the hiring company directly to request access, corrections, or deletion of your personal data. They are responsible for responding to your GDPR requests promptly.
  • For Customers: Use our in-app candidate management tools to handle data requests efficiently. Enable automatic data deletion settings and archive candidates to maintain compliance.
  • Need Support? Have questions about GDPR compliance or need technical assistance? Our support team is ready to help with your specific situation and provide DPAs.