GDPR compliance

Data processing and ownership

During the course of recruiting, our clients need to collect PII (Personally Identifiable Information) from candidates to build a profile and perform an automated evaluation using our assessment chatbot.

When a candidate begins an assessment session initiated by an Testlify client, we store the following information of the candidate on behalf of our client:

  • Email address
  • Name
  • Optional at the client’s discretion: Phone number, the last school attended, academic degree, major, programming experience, resume, and a link to social profiles (GitHub, LinkedIn, etc).
  • Metadata collected for proctoring: IP Address, Webcam snapshots, Browser usage data and Session recording data. Some of these data points are optional and collected at client’s discretion.
  • If the recruiter uses an Testlify account for inviting candidates to assessments, we store the following information:
    • Name
    • Email address
    • Phone number (Optional)

As Testlify operates under the scope of GDPR, we are committed to fair and transparent data processing. Candidates are informed of our Terms of Use and Privacy Policy at the time of sign-up, and their continued use of the platform constitutes consent. Our updated privacy policy outlines how candidate data is collected, processed, and protected in compliance with applicable laws. All information is handled securely, with robust safeguards to ensure data protection throughout the assessment process.

Data subject rights

Under GDPR, individuals have the right to ask the organizations they apply to for the right to portability, rectify and be forgotten. Testlify collects candidates’ data on behalf of our clients, any requests regarding accessing/ editing/ deleting of candidates’ data will be forwarded to our clients. We give our clients the mechanisms to access their candidates’ data and also comply with requests from their candidates. This way, our customers are always in control of their candidate data.

Our client can determine if the candidate’s request is valid and can be fulfilled. We will take action based on the direction provided by our client on how to proceed with any such request.

As a processor, Testlify gives flexibility to our clients to determine their data policies, which offer rights to their candidates. This includes the ability to access / edit/ delete information regarding a candidate. We also give the ability to set a routine data deletion process at a cadence determined by the client.

Data management

Data within Testlify is secured using industry-standard encryption. Data can be transferred outside EU borders if our client and Testlify have entered into a contract that includes contractual clauses specified by EU. Testlify has a standard EU-specific data transfer and processing agreement to ensure compliance with GDPR.

GDPR also stipulates that personally identifiable data should not be stored indefinitely. Testlify’s data retention policy provides flexibility to our client to define how long their candidates’ PII should be stored and when it should be deleted. Data is stored for the duration of the contracted period with our client, and a grace period thereafter.

Testlify maintains a detailed audit log of all the activities. As part of compliance, Testlify will add any additional activities that our clients need to be recorded. These logs are viewable in our dashboard or can be requested for export/ deletion by contacting us at [email protected].

Data breach and mitigation process

We have sufficient data monitoring mechanisms in place to become aware of any data breach. In case a personal data breach occurs, we will send breach notifications in accordance with our internal incident response policy (within 72 hours of us discovering the breach). This will give sufficient time for our clients to convey the breach to the respective authorities. Additionally, we will notify users through our blogs and social media for general incidents. We will notify the concerned party through email (using the primary email address) for incidents specific to an individual user or an organization.

Infrastructure

Protecting our customers’ information and their users’ and candidates’ privacy is extremely important to us. As a cloud-based company entrusted with some of our customers’ most valuable data, we’ve set high standards for security.

Testlify has invested heavily in building a robust security team, one that can handle a variety of issues – everything from threat detection to building new tools. In accordance with GDPR requirements relating to security incident notifications, Testlify will continue to meet its obligations and offer contractual assurances.

If you’d like to learn more about Testlify’s security policies and procedures, please see our security page. It provides detailed information on how we approach security, and includes a white paper on how Testlify ensures user data security in particular, including our technical and organisational measures(TOMs), as well as our encryption standards.

Data removal request

Frequently asked questions (FAQs)

When a candidate begins an assessment session initiated by an Testlify client, we store the following information of the candidate on behalf of our client:

  • Email address
  • Name
  • Optional at the client’s discretion: Phone number, The last school attended, academic degree, major, programming experience, resume, and a link to social profiles (GitHub, LinkedIn, etc).
  • Metadata collected for proctoring: IP Address, Webcam snapshots, Browser usage data and Session recording data. Some of these data points are optional and collected at client’s discretion.

If the recruiter uses an Testlify account for inviting candidates to assessments, we store the following information:

  • Name
  • Email address
  • Phone number (Optional)

Any Testlify client that administers the assessment owns the data of all candidates that took the assessment. The responsibility of updating and deleting all candidate data when requested by a candidate lies with the client. Testlify provides our clients with necessary support (customer support/ product features) to carry out any such requests however the company wants to.

To comply with GDPR, companies using Testlify will need to state how long they will be keeping candidate data in their systems. By default, we retain candidate data until they deactivate their account, after which we promptly delete it. According to GDPR, data should only be kept for a ‘reasonable amount of time.’ Our best practice advice is to review your recruitment processes to determine an appropriate retention period. Many companies are opting for a 12 or 24-month time frame after reviewing their recruiting practices.

With Testlify, automating this data retention process is easy.

You can contact us at [email protected] to set your data retention time frame in months.

We will automatically delete candidate data that exceeds the retention period while preserving anonymous information for reporting.

PS: While we’ve consulted legal professionals on GDPR compliance, Testlify is not a legal firm; the information provided is only general advice. Companies should seek independent legal counsel for their specific data protection and security requirements.

  • Clients that administer the assessment.
  • Candidate through requests to Client.
  • Testlify internal team only when a support request is raised by the Client and data access is necessary to support such request.

Yes, we are GDPR compliant and we host our data on AWS Ireland region in Europe.

All users of a client account with roles – Candidates Admin, Tests Admin, Super Admin have access to candidate reports.

For enterprise users with specific contracts, they can delete the candidate entry using ‘delete’ action in candidates’ view. Furthermore, you can email us at [email protected] with the list of candidates’ data to be deleted. You can also contact your Testlify Customer Success Manager for such requests.

Testlify maintains logs of all actions that are state-changing as well as unpermissioned actions for troubleshooting and security. Super Admins of a client account can view the audit logs from their dashboard. Any further processing requests of audit logs should be routed through [email protected] or your Testlify Customer Success Manager.

No.

For editing a candidate’s data, please contact us at [email protected] with details about the request.

To comply with GDPR, companies using Testlify will need to state how long they will be keeping candidate data in their systems. By default, we retain candidate data until they deactivate their account, after which we promptly delete it. According to GDPR, data should only be kept for a ‘reasonable amount of time.’ Our best practice advice is to review your recruitment processes to determine an appropriate retention period. Many companies are opting for a 12 or 24-month time frame after reviewing their recruiting practices.

With Testlify, automating this data retention process is easy.

You can contact us at [email protected] to set your data retention time frame in months.

We will automatically delete candidate data that exceeds the retention period while preserving anonymous information for reporting.

PS: While we’ve consulted legal professionals on GDPR compliance, Testlify is not a legal firm; the information provided is only general advice. Companies should seek independent legal counsel for their specific data protection and security requirements.