Privacy Notice for Drata Employment Candidates
Effective Date: October 16, 2023
1. Introduction
This Privacy Notice (“Notice”) describes the categories of personal information that Drata Inc., and its subsidiaries and affiliates, (“Company”, “we”, “us” and “our”) collect about individuals who apply or are recruited for a job with us or one of our affiliates (“candidates”), and how we use and disclose that information.
This Notice applies to personal information collected about you in your capacity as a job candidate. See our Privacy Notice for information about our practices when you use our website or otherwise interact with us offline or online in the same manner that a website visitor or someone who is not a job candidate may interact with us.
For purposes of this Notice, “personal information”, “personal data” and “sensitive personal information” have the applicable meanings given in the (i) California Consumer Privacy Act of 2018 (as amended from time to time, the “CCPA”); (ii) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (iii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iv) the EU e-Privacy Directive (Directive 2002/58/EC); and (v) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of the above; in each case as may be amended or superseded from time to time. (i) - (v) shall be collectively referred to as “applicable data privacy laws”.
This Notice does not create or form part of any contract for employment or otherwise.
If you have questions about this Notice, please contact [email protected].
2. Information we collect about candidates
Categories of personal information
We may collect and process the following categories of personal information during the application and recruitment process:
Contact information, such as home address, telephone number, and email address;
Information from job application materials or recruiters, such as your job application, resume or CV, cover letter, writing samples, references, work history, education transcripts, whether you are subject to prior employer obligations, and information that referrers provide about you;
Professional qualifications, such as licenses, permits, memberships, and certifications;
Information from the application process, such as any phone-screens, interviews, evaluations and outcomes of recruiting exercises;
Immigration status and other information that would allow us to verify your employment eligibility;
Biographical information, such as name, gender/gender identity, pronouns, date of birth, professional history, references, language proficiencies, education details, and information you make publicly available through job search or career networking sites;
Job preferences, such as desired position and compensation, location preferences and willingness to relocate;
Employment history, such as your prior employers, how long you worked with each of your prior employers, and your prior positions;
Background check information, such as information necessary to complete background and/or other checks when permitted by law, and information received during these checks;
Information needed to understand and assess accommodation requests regarding potential disabilities or other health conditions; and
Other information you provide to us.
Providing personal information to us is voluntary. However, if you do not provide sufficient information, we may be unable to consider your application or, if you are hired, your subsequent promotion, transfer or relocation.
In certain cases we may ask you for additional information for purposes of complying with applicable laws. We may also inquire about criminal and/or credit records. We will do so only where permitted by applicable law.
Sensitive personal information and protected classification characteristics
With the possible exception of “contact information”, “job preferences”, and “employment history”, all of the categories above include, or contain information from which it may be possible to infer, sensitive personal information or characteristics of protected classifications under California or federal law if applicable. However, we do not use or disclose sensitive personal information in ways subject to individuals’ right to limit use or disclosure of sensitive personal information under applicable data privacy laws.
Sources of personal information
We collect personal information from you when you apply for a job and throughout the job application or recruitment process. We may also collect your personal information from other sources and combine it with the personal information you provide us. For example, we may collect your personal information from:
Job board websites you may use to apply for a job with us;
Prior employers that provide us with employment references;
Professional references that you authorize us to contact;
Pre-employment screening services, such as background check providers (where permitted by law);
Employment agencies and recruiters;
Your educational institutions;
Your public social media profile or other publicly-available sources;
Other Company personnel.
This section generally describes our practices currently and during the preceding 12 months.
3. How we use personal information about candidates
Purposes for which we use personal information
We may use the categories of personal information above for the following purposes:
Recruitment management. Managing recruitment generally, such as:
operating the careers website we maintain at https://drata.com/about/careers or any other site to which this Notice is posted (“Careers Site”);
recruiting, interviewing and evaluating job candidates;
conducting background checks and other pre-employment screening (where permitted by law);
analyzing and improving our application and recruitment processes;
accommodating disabilities or health conditions;
communicating with you regarding your candidacy, opportunities with the Company or about the Careers Site and any changes to applicable terms or policies; and
other business operations.
Compliance, safety and protection, such as:
complying with or monitoring compliance with legal and other requirements, such as tax, audit, recordkeeping, reporting, verifying identity and eligibility to work, and equal opportunities monitoring requirements, where applicable;
complying with internal policies and procedures;
complying with lawful requests and legal process, such as to respond to subpoenas or requests from government authorities;
protecting our, your or others’ rights, safety and property, including by complying with applicable public health guidelines and requirements, including, without limitation, guidance from the Centers for Disease Control or other public health authorities relating to the prevention and control of COVID-19 or other infectious diseases;
investigating and deterring against fraudulent, harmful, unauthorized, unethical or illegal activity, or conduct in violation of our policies or procedures;
controlling access to and monitoring our physical premises;
pursuing legal rights and remedies, including investigating, making and defending complaints or legal claims; administering and enforcing internal policies and procedures; and
providing information to government authorities, law enforcement, courts or private parties where we have a good-faith belief it is necessary for the foregoing purposes.
Analytics. Creating anonymous, aggregated or de-identified data that we use and disclose to analyze our application and recruitment activities, business and for other lawful business purposes. We do not attempt to reidentify deidentified information derived from personal information, except for the purpose of testing whether our deidentification processes comply with applicable law.
Disclosing personal information
We may disclose your personal information to the following parties to facilitate one or more of the purposes described above:
Affiliates. Our corporate parent, subsidiaries, and other affiliates under the control of our corporate parent, for purposes consistent with this Notice or to operate shared infrastructure, systems and technology.
Company service providers. Companies that provide us with services that help us manage the recruiting process and operate our business, such as job boards, recruiters, interviewing and testing, pre-employment screening, interview travel booking and expense reimbursement (where applicable), relocation (where applicable), and recruitment analytics.
Government authorities, law enforcement and others. Government authorities, law enforcement, courts, and others for the purposes described in the Compliance, safety and protection section above.
Business transfers. Parties (and their advisors) to transactions and potential transactions pursuant to which we sell or transfer some or all of our business or assets, including your personal information, such as a corporate divestiture, merger, consolidation, acquisition, reorganization or sale of assets, or in the event of bankruptcy or dissolution.
Professional advisors. Lawyers, immigration advisors, and other outside professional advisors who require your information in the course of providing their services.
Other parties not listed above but that are identified at or before the point at which we collect your personal information.
This section generally describes our practices currently and during the preceding twelve (12) months. You should assume that each category of personal information we collect may be disclosed, and may have been disclosed during the preceding twelve (12) months, to each category of other parties listed above in this section.
Retention of Personal Information
We keep your personal information for no longer than necessary to fulfill the purposes for which it is processed. The length of time for which we retain personal information depends on the purposes for which we collected and use it and/or as required to comply with applicable laws as set out in our records retention policy and/or data handling standard. Generally, this means we retain your personal information to comply with any retention or statutory limitations. For example, if you are offered and accept a job at Drata, we retain certain information in your personnel file; if you are not offered or do not accept the job for which you have applied, we will delete your data in certain countries, unless you authorize us to retain your information for longer with respect to potential future job opportunities. Where there are technical limitations that prevent deletion or anonymization, we safeguard personal information and limit active use of it.
4. California privacy rights
Your California privacy rights
California residents have the rights listed below under the CCPA. However, these rights are not absolute, and in certain cases we may decline your request as permitted by law.
Information. You can request the following information about how we have collected and used your personal information during the past 12 months:
The categories of personal information that we have collected.
The categories of sources from which we collected personal information.
The business or commercial purpose for collecting or selling personal information.
The categories of third parties to whom we disclose personal information.
The categories of personal information that we sold or disclosed for a business purpose.
The categories of third parties to whom the personal information was sold or disclosed for a business purpose.
Access. You can request a copy of the personal information that we have collected about you.
Deletion. You can ask us to delete certain personal information that we have collected from you.
Correction. You can ask us to correct inaccurate personal data that we have collected about you.
Opt-out of sales or sharing of personal information. California residents can opt-out of any “sale” of their personal information or “sharing” of personal information for cross-contextual behavioral advertising as such terms are defined under the CCPA. We do not sell or share personal information of applicants in the manner restricted by the CCPA and have not done so. However, we encourage you to review our Privacy Notice for information about the sale or sharing of personal information that may occur when you interact with us offline or online in the same manner that a website visitor or other non-candidate may interact with us. We do not recruit, and have no actual knowledge of having sold or shared the personal information in the past 12 months of, candidates under age 16.
Nondiscrimination. You are entitled to exercise the rights described above free from discrimination as prohibited by the CCPA, including exercising such rights without retaliation.
How to exercise your California privacy rights
You may submit requests to exercise your rights to [email protected]. We cannot process your request if you do not provide us with sufficient detail to allow us to understand and respond to it. We may need to verify your identity to process your information/know, access, deletion, and correction requests, and we reserve the right to confirm your current California residency. We may require identity verification by requiring you to log into an online account for candidates if you have one, provide information that can help us verify your identity, provide government identification, and/or provide an affidavit under penalty of perjury.
Your authorized agent may make a request on your behalf upon our verification of the agent’s identity and our receipt of a copy of a valid power of attorney given to your authorized agent pursuant to California Probate Code Sections 4000-4465. If you have not provided your agent with such a power of attorney, you must provide your agent with written and signed permission to exercise your CCPA rights on your behalf, provide the information we request to verify your identity, and provide us with confirmation that you have given the authorized agent permission to submit the request.
5. Your Rights as a Data Subject Under GDPR
Right to access, correct and delete your personal data
The Company aims to ensure that all personal data are correct. You also have a responsibility to request access and corrections to personal data held by the Company about you so that we can ensure that your data is up to date.
You have the right to request access to any of your personal data that the Company may hold, and to request correction of any inaccurate data relating to you. You furthermore have the right to request deletion of any irrelevant data we hold about you.
Data portability
You have the right to receive all such personal data which you have provided to the Company in a structured, commonly used and machine-readable format, and also to require us to transmit it to another controller where this is technically feasible.
Right to restriction of processing
You have the right to restrict our processing of your personal data where:
you contest the accuracy of the personal data until we have taken sufficient steps to correct or verify its accuracy;
where the processing is unlawful but you do not want us to erase the data;
where we no longer need the personal data for the purposes of the processing, but you require them for the establishment, exercise or defense of legal claims; or
where you have objected to processing justified on legitimate interest grounds (see below) pending verification as to whether the Company has compelling legitimate grounds to continue processing.
Where personal data is subjected to restriction in this way we will only process it with your consent or for the establishment, exercise or defense of legal claims.
Right to withdraw consent
Where we have relied on your consent to process particular information and you have provided us with your consent to process data, you have the right to withdraw such consent at any time. You can do this by submitting a request to us via email at [email protected].
Right to object to processing justified on legitimate interest grounds
Where we are relying upon legitimate interest to process data, then you have the right to object to that processing. If you object, we must stop that processing unless we can either demonstrate compelling legitimate grounds for the processing that override your interests, rights and freedoms or where we need to process the data for the establishment, exercise or defense of legal claims. Where we rely upon legitimate interest as a basis for processing we believe that we can demonstrate such compelling legitimate grounds, but we will consider each case on an individual basis.
Right to opt out of the sale of personal data
We do not sell employee or applicant personal data, or share it for online advertising.
Right to opt out of the special category or sensitive personal data
We do not use or disclose special category data outside of employment purposes.
Right to non-discrimination
We may not discriminate against a data subject for exercising a privacy right.
Right to have an authorized agent submit a privacy request
You have the right to have your authorized agent make a data privacy request on your behalf.
Right to complain
You also have the right to lodge a complaint with a supervisory authority if you consider that the processing of your personal data infringes applicable law.
Right to appeal
If you are not satisfied with our response regarding your data privacy request, you have the right to appeal our decision.
If you are not satisfied with the result of the appeal, you have the right to contact your respective attorney general depending on the jurisdiction in which you reside.
For information regarding your rights, or to exercise any of your rights above, please contact [email protected].
6. Third parties
This Notice does not address, and we are not responsible for, the practices of any third parties, which have their own rules for how they collect and use your personal information. Our links to third party websites or services are not endorsements.
7. Changes to this Notice
We reserve the right to change this Notice at any time. The “Effective Date” heading at the top of this Notice indicates when it was last revised. Any changes will become effective when we post the revised notice on our Careers Site.
8. Your obligations
Apart from your obligation to provide complete and accurate information in the recruiting process, it is your responsibility to ensure that information you submit does not violate any third party’s rights.
You should keep your personal information on file with the Company up to date and inform us of any significant changes to it.
9. California statutory categories
For each category of personal information listed above in Section 2 (repeated in bold below), the CCPA (Cal. Civ. Code Section 1798.140(v)(1)) requires us to identify the following statutory categories to which it corresponds:
Contact information: Identifiers, Professional or employment-related information
Information from job application materials or recruiters: Identifiers, Professional or employment-related information, Education information
Professional qualifications: Identifiers, Professional or employment-related information
Information from the application process: Identifiers, Professional or employment-related information, Education information
Immigration status: Identifiers, Professional or employment-related information, Education information
Biographical information: Identifiers, Professional or employment-related information, Education information
Job preferences: Identifiers, Professional or employment-related information
Employment history: Identifiers, Professional or employment-related information
Background check information: Identifiers, Professional or employment-related information, Education information
Information needed to understand and assess accommodation requests regarding potential disabilities or other health conditions: Identifiers, California customer records (Medical information), Professional or employment-related information
Medical information: Identifiers, California customer records (Medical information), Professional or employment-related information.