RepScout

Privacy Policy

Our privacy policy

1. Introduction

RepScout (“we,” “us”) provides an AI-driven recruitment platform as a data processor on behalf of our clients (the “data controllers”). We are committed to processing personal data lawfully, fairly and transparently, implementing appropriate security measures, and enabling our clients to meet their obligations under applicable data-protection laws (e.g. GDPR, UK Data Protection Act 2018).

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (e.g. name, email, CV, voice recording).
  • Data Controller: The client who determines the purposes and means of processing personal data.
  • Data Processor: RepScout, which processes personal data on behalf of data controllers.
  • Data Subject: The individual whose personal data is processed (e.g. job candidate).

3. Roles & Responsibilities

  • Director:
    • Oversees policy compliance and risk assessments.
    • Single point of contact for data subjects and supervisory authorities.
    • Implements technical safeguards (encryption, access controls).
    • Conducts periodic security audits and penetration tests.
    • Drafts and updates policies.
    • Manages subprocessors and maintains the Data Processing Addendum (DPA).

4. Lawful Basis & Purpose Limitation

  • We process data only on documented instructions from our clients.
  • Typical legal bases invoked by controllers include:
    • Contract performance (e.g. evaluating candidate suitability).
    • Consent (where controllers obtain candidate consent).
  • We do not use candidate data for any secondary purposes (e.g. marketing) unless expressly instructed.

5. Data Categories & Processing Activities

Data TypeSourceActivity
Candidate CV, profile detailsUploaded by client or candidateParsing, indexing, matching to job requirements
Audio/video interview filesCaptured by platformTranscription, sentiment analysis, scoring
Assessment scores & feedbackGenerated by AI modulesAggregation, reporting to controller
User account credentialsSubmitted by client adminsAuthentication, authorization, audit logging

6. Technical & Organizational Safeguards

  1. Access Control
    • Role-based access: least privilege principle.
    • Multi-factor authentication for all administrator accounts.
  2. Encryption
    • All data in transit protected via TLS 1.2+.
  3. Network Security
    • VPC segmentation, private subnets for databases.
    • Web Application Firewall (WAF) and IDS/IPS in front of application tier.
  4. Vulnerability Management
    • Quarterly third-party penetration tests.
    • Monthly automated vulnerability scans and patching.
  5. Incident Response
    • Formal Incident Response Plan with defined roles, escalation paths and post-mortem reviews.
    • Data-breach notification to controllers within 72 hours of discovery.

7. Subprocessor Management

  • We maintain a current list of subprocessors (e.g. hosting providers, transcription engines).
  • Each subprocessor is contractually bound by a DPA to:
    • Process only on our documented instructions.
    • Apply equivalent security measures.
    • Notify us immediately of any security incident.

8. International Data Transfers

  • Transfers outside the EEA/UK only under:
    • Adequacy decisions; or
    • Standard Contractual Clauses (SCCs); or
    • Binding Corporate Rules (BCRs) where applicable.

9. Data Subject Rights & Controller Support

As a processor, we assist controllers with:

  • Access Requests: Exporting all personal data relating to a data subject.
  • Rectification & Erasure: Deleting or correcting data in our systems within 30 days of instruction.
  • Restriction & Objection: Freezing processing while controllers investigate.
  • Portability: Providing structured, machine-readable exports (e.g. JSON, CSV).

10. Data Retention & Deletion

  • We implement an automated retention scheduler (per controller’s bespoke settings) that:
    1. Flags records upon expiry.
    2. Securely deletes or fully anonymizes data.
    3. Logs deletion events for audit purposes.
  • Default retention periods (controller-configurable) mirror industry best practice (e.g. 12 months for active candidates, 6–7 years for payroll records).

11. Audits & Compliance

  • Annual internal compliance audits against ISO 27001 and GDPR requirements.
  • Controllers may conduct on-site or remote audits of our facilities and documentation, subject to mutual NDA.

12. Policy Review

This policy is reviewed annually or upon:

  • Significant changes to our processing activities.
  • Introduction of new technologies or subprocessors.
  • Material changes to applicable data-protection laws.

Contact
For questions, data-subject requests or to request our subprocessor list, please contact:

Director, Musie Ltd.
Email: tim@repscout.ai