RepScout

Privacy Policy

Our privacy policy

1. Introduction

RepScout (“we,” “us”) provides an AI-driven recruitment platform as a data processor on behalf of our clients (the “data controllers”). We are committed to processing personal data lawfully, fairly and transparently, implementing appropriate security measures, and enabling our clients to meet their obligations under applicable data-protection laws (e.g. GDPR, UK Data Protection Act 2018). Our obligations and practices are governed by a Master Services Agreement (MSA), a Data Processing Addendum (DPA), and this Privacy Policy.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person (e.g. name, email, CV, voice recording).
  • Data Controller: The client who determines the purposes and means of processing personal data.
  • Data Processor: RepScout, which processes personal data on behalf of data controllers.
  • Data Subject: The individual whose personal data is processed (e.g. job candidate).
  • MSA: Master Services Agreement that governs the legal terms between RepScout and its clients.
  • DPA: Data Processing Addendum incorporated into the MSA outlining RepScout’s processor obligations.

3. Roles & Responsibilities

Data Protection Officer: Tim Pritchard

  • Oversees policy compliance and risk assessments.
  • Single point of contact for data subjects and supervisory authorities.
  • Implements technical safeguards (encryption, access controls).
  • Conducts periodic security audits and penetration tests.
  • Drafts and updates policies.
  • Manages subprocessors and maintains the DPA.

4. Lawful Basis & Purpose Limitation

  • We process data only on documented instructions from our clients as set out in the MSA and DPA.

  • Typical legal bases invoked by controllers include:

    • Contract performance (e.g. evaluating candidate suitability).
    • Consent (where controllers obtain candidate consent).
  • We do not use candidate data for any secondary purposes (e.g. marketing) unless expressly instructed.

5. Data Categories & Processing Activities

| Data Type | Source | Activity |
| --- | --- | --- |
| Candidate CV, profile details | Uploaded by client or candidate | Parsing, indexing, matching to job requirements |
| Audio/video interview files | Captured by platform | Transcription, sentiment analysis, scoring |
| Assessment scores & feedback | Generated by AI modules | Aggregation, reporting to controller |
| User account credentials | Submitted by client admins | Authentication, authorization, audit logging |
| Plan and usage metadata | Derived from platform activity | SLA monitoring, billing, and usage tracking |

6. Technical & Organizational Safeguards

  1. Access Control

    • Role-based access: least privilege principle.
    • Company SSO supported with multi-factor authentication for all administrator accounts.
  2. Network Security

    • VPC segmentation, private subnets for databases.
    • Web Application Firewall (WAF) and IDS/IPS in front of application tier.
  3. Vulnerability Management

    • Quarterly third-party penetration tests.
    • Monthly automated vulnerability scans and patching.
  4. Incident Response

    • Formal Incident Response Plan with defined roles, escalation paths and post-mortem reviews.
    • Data-breach notification to controllers within 72 hours of discovery.

7. Subprocessor Management

  • We maintain a current list of subprocessors (e.g. hosting providers, transcription engines, analytics tools).

  • Each subprocessor is contractually bound by a DPA to:

    • Process only on our documented instructions.
    • Apply equivalent security measures.
    • Notify us immediately of any security incident.

Current analytics-related subprocessors include:

  • Google Analytics
  • Amplitude Analytics
  • Sentry

8. International Data Transfers

  • Transfers outside the EEA/UK only under:

    • Adequacy decisions; or
    • Standard Contractual Clauses (SCCs); or
    • Binding Corporate Rules (BCRs) where applicable.
  • Clients may configure region-specific data residency (e.g. EU-only processing) as per their Order Form.

9. Data shared with AI models

RepScout interacts with OpenAI's API (see their privacy policy here). The only data shared with OpenAI is the input you feed directly into these AI nodes when running assessments or interacting with assistants. No other information is ever exposed to the AI providers aside from what you choose to submit. We ensure that no data sent to third-party AI providers is stored or used to train their models. We ensure that these third-party providers adhere to strict data protection and privacy standards comparable to ours.

10. Data Subject Rights & Controller Support

As a processor, we assist controllers with:

  • Access Requests: Exporting all personal data relating to a data subject.
  • Rectification & Erasure: Deleting or correcting data in our systems within 30 days of instruction.
  • Restriction & Objection: Freezing processing while controllers investigate.
  • Portability: Providing structured, machine-readable exports (e.g. JSON, CSV).

11. Data Retention & Deletion

  • We implement an automated retention scheduler (per controller’s bespoke settings) that:

    1. Flags records upon expiry.
    2. Securely deletes or fully anonymizes data.
    3. Logs deletion events for audit purposes.
  • Default retention periods (controller-configurable) mirror industry best practice (e.g. 12 months for active candidates, 6–7 years for payroll records).

12. Audits & Compliance

  • Annual internal compliance audits against ISO 27001 and GDPR requirements.
  • Controllers may conduct on-site or remote audits of our facilities and documentation, subject to mutual NDA.
  • Service Level expectations (e.g. uptime, response times) are defined in the MSA and applicable SLA tiers.

13. Policy Review

This policy is reviewed annually or upon:

  • Significant changes to our processing activities.
  • Introduction of new technologies or subprocessors.
  • Material changes to applicable data-protection laws.

Contact

For questions, data-subject requests or to request our subprocessor list, please contact:

Data Protection Officer, RepScout AI Ltd.
Email: tim@repscout.ai
