Global Applicant and Candidate Privacy Notice

Dear Applicants and Candidates,

At GitGuardian, we care about your privacy and are committed to protect your Personal Data in accordance with all applicable data protection laws and regulations.

This Global Applicant and Candidate Privacy Notice (the “Notice”) gives you information about how GitGuardian SAS and GitGuardian Inc. (collectively referred to as “GitGuardian”, “we”, “our”, “us”) collect Personal Data about job applicants and candidates (“you” or “your”) in relation to your application for a position offer with GitGuardian and how and why we use that Personal Data in the course of our recruitment process.

Please carefully read and fully understand this Notice before submitting your Personal Data to us.

The Notice explains:

Identity and contact details of the Data Controllers
Personal Data we collect
Use of your Personal Data
Legal bases we rely on to process your Personal Data
How we share your Personal Data
How we safeguard your Personal Data
How long we keep your Personal Data
How your Personal Data is transferred internationally
How you can exercise your data subject rights
Cookies
Update of the Notice
Contact us

Please note that this Notice covers recruitment and applications for all GitGuardian open positions.

If you are a California resident, our Notice will provide specific provisions applicable to you as follows:

A list of additional types of Personal Data that may be collected in Section 1 ‘Personal Data we collect’;
The purpose(s) for which the categories of info are collected and used is in Section 3 ‘Legal bases we rely on to process your Personal Data’
In Section 4 ‘How we share your Personal Data’, we explain how we share your Personal Data
Our retention period explanation is in Section 6 ‘How long we keep your Personal Data’
Your rights regarding your Personal Data are detailed in Section 8 ‘How you can exercise your data subject rights’

The provision of your Personal Data is necessary in order to process your job application. If you do not provide your Personal Data, we might not be able to process your application.

1. Identity and contact details of the Data Controllers

GitGuardan SAS is a company headquartered in France, at the registered address 54 rue de Seine 75006 Paris, France, with a US affiliate, GitGuardian Inc., based at 185 Alewife Brook Parkway Ste 210 Cambridge MA 02138.

When we say “GitGuardian” we’re referring to the GitGuardian entities that control and are responsible for your Personal Data.

2. Personal Data we collect

For the purpose of this Notice, “Personal Data” refers to the information that identifies, relates to, and describes or is reasonably capable of being associated with or being linked (directly or indirectly) to you.

In connection with your application, we may collect, use and store Personal Data, either:

directly from you when you submit your application on GitGuardian’s website or provide information to us in the course of a recruitment process, or
from third parties with your approval: we may obtain Personal Data about you from publicly and commercially available sources as permitted by law, as well as collect Personal Data about you through third-party social networking services where you may apply, such as LinkedIn, Welcome to Jungle, VentureFizz. Candidate and applicant Personal Data may also be obtained from recruitment agencies or headhunting firms or from other GitGuardian’s employees or workers who recommend people they know for employment with GitGuardian.

Type of Personal Data	Examples
Identification and contact information	Full name, email address, physical address, telephone number, date of birth, gender
Professional and employment information	Resume or CV, cover letter, work experience, professional references, work-permit status, social media profiles, other previous employment information
Educational background	School history, academic degrees, skills, qualifications and certifications
Citizenship information	Visa and right to work status, where applicable
Data collected during interview process	Your responses to screening process or test we submitted to you, job interview notes, assessment notes, travel-related records
Information received from third parties	Results of a professional reference check (it is your responsibility to obtain any necessary consent from your references prior to sharing their info with us), and the information we receive from someone who refers you for a position
Publicly available information	Information from your LinkedIn or Github’s profile

Regarding sensitive information, please note that we do not collect or process Personal Data that reveals your government identifiers, financial accounts, racial or ethnic origin, religious, political or philosophical beliefs, genetic data, biometric data, trade union membership, or information about your health/sex life/sexual orientation (“Sensitive Personal Data”).

Applicable only to applicants or candidates for our US office GitGuardian Inc.: Background check process

For applicants or candidates for our US office GitGuardian Inc., as per applicable US laws and California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”), GitGuardian may perform background checks during the application and recruitment process (the “Background checks”) subject to relevant legal requirements.

In summary, depending on how you interact with us and the role for which you are being considered, the following categories of Personal Data may be collected and disclosed in the preceding 12 months:

Identifiers, including name, email address, and telephone number;
Characteristics of protected classifications under state or federal law, including date of birth, age, gender;
Audio, electronic, visual, or similar information, including photographs;
Professional or employment-related information, including résumés, CVs, cover letters, work samples, references, background checks, info from interviews and screeners, and immigration or visa status

We do not infer characteristics using Sensitive Personal Data, and do not use Sensitive Personal Data beyond the limited business purposes permitted by local laws, including the California Consumer Privacy Act.

3. Use of your Personal Data

We only use your Personal Data as part of our application and recruitment process in order to:

Identify and contact potential candidates;
Evaluate your candidacy or application or eligibility for potential employment by assessing your competency and suitability with the company;
Verify the information submitted or collected;
Keep records relating to application and recruitment;
Manage our relationship and communicate with you;
Comply with any of our legal and regulatory requirements;
Decide the terms and conditions of any such employment offer;
Statistical purposes, such as your gender: we ask for your gender on the application page to help us understand the diversity of our applicant pool and to track our progress in attracting and hiring a diverse workforce. The information is optional and will not be disclosed to the hiring manager or the interview team and will not be considered in the hiring process;
Having evidence in case a legal claim is pursued by any candidate or applicant;
Maintaining a talent pool in order to contact potential candidates with regard to future job openings even if an actual application was unsuccessful;
Make improvements to our recruiting processes;

Applicable only to US applicants concerning potential Background checks:

Verify your Personal Data and assess your eligibility for our available opportunities.

4. Legal bases we rely on to process your Personal Data

We process your Personal Data based on:

Purposes	Legal bases
Identify and contact potential candidates; Evaluate your candidacy or application or eligibility for potential employment by assessing your competency and suitability with the company; Verify the information submitted or collected; Keep records relating to application and recruitment; Manage our relationship and communicate with you. Applicable only to US applicants: Background checks.	Legitimate Interest: we collect and process data you published via our job application website to contact you about suitable job vacancies or upcoming opportunities; Contract execution (pre-contractual measures): we process your data as required to prepare and enter into an employment contract with you. This processing is necessary to make decisions regarding the potential establishment of an employment relationship between you and GitGuardian, as well as to implement such a relationship where applicable.
Comply with any of our legal and regulatory requirements; Having evidence in case a legal claim is pursued by any candidate.	Legal obligation: in order to comply with statutory and/or regulatory requirements and obligations, such as equality and immigration legislation, your data may also be used in investigations or as needed in legal proceedings
Decide the terms and conditions of any employment offer	Contract execution (pre-contractual measures)
Statistical purposes	Your consent
Maintaining a talent pool in order to contact potential candidates with regard to future job openings even if an actual application was unsuccessful	Your consent
Make improvements to our recruiting processes	Legitimate interest

5. How we share your Personal Data

We do not sell your Personal Data to third parties.

We also do not share your Personal Data to third parties for cross-context behavioral advertising.

Internally, your Personal Data will be shared, on a need-to-know basis, with the Human Resources department, recruitment team members, and managers/other employees within GitGuardian who are involved in the recruitment and selection process.

With regard to external third parties, we endeavor to take appropriate steps to ensure that any third party who receives your Personal Data is bound to maintain its confidentiality. We do not share your Personal Data with third parties other than as described in this Section.

GitGuardian uses external third parties for the provision of services in connection with the application and recruitment processes. Your Personal Data may be disclosed to the following third- parties:

Service Providers: We may share your Personal Data with external service providers assisting us in our recruitment process, such as recruitment agencies, recruitment platform providers, IT developers and support providers, and providers of hosting services;

Employers and References: To conduct employment verifications and professional reference checks, we may disclose your Personal Data to your current and former employers, as well as the individuals you have provided as references.

Administrative or judicial entities: There may be instances where we are obligated by law to share your Personal Data with administrative agencies or public bodies, such as labor authorities, courts, or law enforcement agencies.

6. How we safeguard your Personal Data

GitGuardian has implemented and continues maintaining all appropriate technical and organizational measures to protect your Personal Data and ensure the confidentiality, integrity, availability and resilience of all our processing systems and services. We aim at continuously improving our physical, digital and procedural safeguards to prevent any unauthorized access, disclosure, use, modification, damage or loss of your Personal Data.

7. How long we keep your Personal Data

Unless otherwise required or permitted by applicable laws and regulations, we endeavor not to retain your Personal Data for longer than it takes to complete the application and/or recruitment process.

If you are offered and accept a position with us, your Personal Data will be stored in our human resource system and become part of your employment record. You will be informed in a separate privacy notice about the specifics on how we process Personal Data of our employees.

If you are considered for a position at GitGuardian and your candidacy is unsuccessful, you decline our offer, or you withdraw your application, we may retain your Personal Data, subject to your prior consent, only to consider you for potential future positions at GitGuardian, for a retention period of:

3 months after the end of the recruitment process, or
2 years if you consented to be part of our Talent Pool.

If you do not want us to retain your Personal data to consider you for potential future positions, you may request that we delete it as described in Section 9 of this Notice. Please note, however, that we may retain some Personal Data that we are required to retain by law or in order to defend ourselves in the event of a legal claim.

8. How your data is transferred internationally

All your Personal Data is stored primarily within the European Economic Area.

We may share your Personal Data with the recruitment departments of our affiliates or our human resource consultants, who will contact you regarding your application and recruitment process that may be based outside of the European Economic Area.

If your Personal Data is processed by us outside of the European Economic Area, we have taken suitable measures to ensure that that your Personal Data is transferred in accordance with applicable data protection law, including, for example, to countries that adequately safeguard personal data as approved by the European Commission, or under the European Commission-approved Standard Contractual Clauses.

Further information about the appropriate safeguards may be obtained by contacting us at legal@gitguardian.com.

9. How you can exercise your data subject rights

Through the application and/or recruitment process, you should ensure that all Personal Data you submit is accurate and complete. If you are unable to provide accurate and complete information for any reason or are unwilling to submit the Personal Data required for a specific position, we may not be able to deem you fit for a specific job and/or proceed further with your application.

In accordance with applicable laws and regulations, you have the following rights to your Personal Data:

Your rights	Description
Right of access (art. 15 GDPR)	You can request a confirmation as to whether or not your Personal Data is processed and you can, where applicable, receive a copy of your Personal Data.
Right of rectification (art. 16 GDPR)	You can have your inaccurate Personal Data corrected and incomplete Personal Data completed.
Right of erasure (art. 17 GDPR)	You can have your Personal Data erased under certain conditions.
Right to restrict processing (art. 18 GDPR)	You can require us to restrict processing your Personal Data under certain conditions.
Right of portability (art. 20 GDPR)	You can receive certain Personal Data that you provided in a machine-readable format under certain requirements.
Right to object (art. 21 GDPR)	You can object to the processing of your Personal Data for certain purposes such as direct marketing.
Withdraw consent (art. 7 GDPR)	You can withdraw consent to the processing of your Personal Data.
Right to lodge a complaint (art. 15 GDPR)	If you think that the way we process your Personal Data does not comply with applicable data protection laws, you can contact the relevant competent data protection authority. GitGuardian’s lead supervisory authority under GDPR is the French Data Protection Authority CNIL (https://www.cnil.fr/fr/plaintes).
Right to set post-mortem guidelines	You may define specific guidelines for the storage, erasure and communication of your Personal Data after your death. These specific guidelines will only concern the treatments implemented by us and will be limited to this perimeter alone.
Applicable to applicants of GitGuardian in the state of California, as per the California (“CCPA”): right to non-discrimination	You have the right not to receive discriminatory treatment because you have exercised any of your rights under the CCPA.

Before we accede to such a request, we may need to verify your identity. To ensure security and traceability, you may be asked to submit a written request. We always ensure we will promptly respond to such requests.

To make such a request, please write to legal@gitguardian.com.

If you are an applicant or candidate for our US office GitGuardian Inc., you can also make such a request by telephone at +1 (339) 356-1880.

We may decline to process or limit certain requests under certain circumstances, e.g. if they are manifestly unfounded or excessive, or if they adversely affect the rights and freedoms of others.

10. Cookies

If you apply through GitGuardian’s website, please note that your use of any of our services or website is also governed by our general Privacy Policy (https://www.gitguardian.com/legal/privacy-policy) and Cookie Policy (https://www.gitguardian.com/legal/cookie-policy).

11. Update of the Notice

GitGuardian reserves the right to update or change this Notice at any time. You are informed of the date of the last update at the top of this Notice. We will keep the Notice up to date with any changes.

12. Contact us

Should you have any questions or concerns about this Notice or your privacy, please contact us at legal@gitguardian.com.

Table of Contents