What’s the purpose of this document?
This document tells you how we will process your personal information when you apply for any roles or work with the Offensive Security group of companies (“roles”).
Who are we?
These members of the Offensive Security group of companies are "data controllers".
| Role Location | Data Controller |
| --- | --- |
| USA | Offensive Security Services, LLC located in the USA |
| Philippines | Offensive Security Certifications, Inc. located in the Philippines |
| Rest of World | OffSec Services Limited located in Gibraltar |
In this privacy notice OffSec will refer to these legal entities as “OffSec”, “we” or “us” and for convenience, you can contact any of them by emailing privacy@offensive-security.com.
As data controller OffSec decides how we hold and use personal information about you. You are being sent a copy of this privacy notice because you are applying for a role with us (whether as an employee, worker or contractor). It makes you aware of how and why your personal data will be used. It provides you with certain information that must be provided under the General Data Protection Regulation ((EU) 2016/679) (GDPR).
Data protection principles
OffSec will comply with data protection law and principles, so your data will be:
- used lawfully, fairly and in a transparent way.
- collected only for valid purposes we have clearly explained to you and not used in any way that is incompatible with those purposes.
- relevant to the purposes we have told you about and limited only to those purposes.
- accurate and kept up to date.
- kept only as long as necessary for the purposes we have told you about.
- kept securely.
The information we hold about you
In connection with your application for a role, OffSec will collect, store, and use these categories of personal information about you:
- the information you have provided to us in your CV and any covering letter or email.
- the information you have provided on your application, including name, title, address, telephone number, personal email address, date of birth, gender, employment history, qualifications.
- other information you enter into our recruitment platform operated by Greenhouse Software, Inc (“Greenhouse”).
- any information you provide to us during an interview.
We may also collect, store and use these types of sensitive personal information:
- information about your race or ethnicity.
- information about your health, including any medical condition, health and sickness records.
- information about criminal convictions and offences.
How is your personal information collected?
We collect personal information about candidates from the following sources:
- you, the candidate.
- recruitment agencies.
- background check providers.
- credit reference agencies.
- your named referees.
- our third-party contacts whose opinion of you we may ask.
- data from publicly accessible sources such as LinkedIn and other public websites, social media sites and blogs.
How OffSec will use information about you
OffSec will use the personal information we collect about you to:
- assess your skills, qualifications, and suitability for a role.
- carry out background and reference checks.
- communicate with you about the recruitment process.
- keep records related to our hiring processes.
- help defend us against any claims.
- comply with legal or regulatory requirements.
Our legal basis for processing your information
It is in our legitimate interests to process your personal information to decide whether to appoint you to a role and to decide whether to contract with you. If you are appointed to a role, it is also in our legitimate business interests to use your personal information for staff administration purposes.
Having received your application, OffSec will then process that information to decide whether you meet the basic requirements to be shortlisted for the role. If you do, OffSec will decide whether your application is strong enough to invite you for an interview. If we call you for an interview, OffSec will use the information you provide to us at the interview to decide whether to offer you the role. If we offer you the role, OffSec will then take up references and carry out background checks before confirming your appointment.
If you fail to provide personal information
If you fail to provide information which is necessary for us to consider your application (such as evidence of qualifications or work history), OffSec cannot process your application successfully. For example, if we require a credit check or references for this role and you fail to provide us with relevant details, OffSec cannot take your application further. This also applies if you supply information and then ask for it to be erased.
How we use sensitive personal information
OffSec will use your sensitive personal information in these ways:
- OffSec will use information about your disability status to consider whether we need to provide adjustments during the recruitment process.
- OffSec will use information about your race or national or ethnic origin to ensure meaningful equal opportunity monitoring and reporting.
- OffSec will use information about any criminal convictions as set out below.
Information about criminal convictions
We envisage that OffSec may process information about any criminal convictions.
OffSec operates in an industry that requires high trust and integrity and so we may ask you to disclose your criminal records history.
OffSec will collect information about criminal convictions if we would like to offer you the role (conditional on checks and any other conditions, such as references, being satisfactory). We may carry out a criminal records and other background check to satisfy ourselves there is nothing in your history which makes you unsuitable for the role.
Automated decision-making
You will not be subject to decisions that will have a significant impact on you based solely on automated decision-making.
Data sharing
Why might you share my personal information with third parties?
OffSec will only share your personal information with these third parties to process your application: other members of our group of companies, third party service providers including Greenhouse, recruitment agencies, referees, background checking organisations and other service providers. All our third-party service providers and other entities in our group must take appropriate security measures to protect your personal information in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes. We only permit them to process your personal data for specified purposes and under our instructions.
Data security
We have put in place appropriate security measures to prevent your personal information from being accidentally lost, used or accessed in an unauthorised way, altered or disclosed. In addition, we limit access to your personal information to those employees, agents, contractors and other third parties with a business need to know it for the purpose of your application for a role. They will only process your personal information on our instructions, and they are subject to a duty of confidentiality.
We have put in place procedures to deal with any suspected data security breach and will notify you and any applicable regulator of a suspected breach where we are legally required to do so.
International data transfers
Your personal information will be stored in databases used by those at OffSec involved in considering your application for any role. OffSec uses manual files, spreadsheets, access databases and the like, to manage and store your personal information. OffSec also uses the cloud-based software platform provided by Greenhouse.
Your personal information will be kept by OffSec (either primarily or as a back-up system) in the USA or the Philippines. Your personal information will therefore be transferred to and accessible by OffSec and its group companies for the purposes outlined above in these countries. Your personal information may therefore be located in countries other than the country in which your personal information was originally collected. The laws in those countries may not provide the same level of data protection compared to the country in which you initially provided your information. Nevertheless, when we transfer your personal information to recipients in other countries, we will protect that information in compliance with law.
Data retention
How long will you use my information for?
If you are unsuccessful with your application, OffSec will retain your personal information for 12 months after we have communicated our decision to you. We retain your personal information for that period in case another role arises that you may be suitable for and so we can show that we have not discriminated against candidates and that we have conducted the recruitment exercise in a fair and transparent way. After this period, OffSec will securely destroy your personal information unless we determine that it’s in our legitimate interest to keep it for longer. In general, this will be because we think you may be suitable for another role with us and would like to be able to contact you again. You can request us to erase your data at any time.
If you are successful with your application, we will keep your personal information for the purpose of staff administration for so long as it’s in our legitimate interest to do so.
Rights of access, correction, erasure, and restriction
Your rights in connection with personal information
Under certain circumstances, by law you have the right to:
- Request access to your personal information (commonly known as a "data subject access request"). This enables you to receive a copy of the personal information we hold about you and to check we are lawfully processing it.
- Request correction of the personal information we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.
- Request erasure of your personal information. This enables you to ask us to delete or remove personal information where there is no good reason for us continuing to process it. You may also ask us to delete or remove your personal information where you have exercised your right to object to processing (see below).
- Object to processing of your personal information as we are relying on our legitimate interest and there is something about your particular situation which makes you want to object to processing on this ground. You may also object where we are processing your personal information for direct marketing purposes.
- Request the restriction of processing of your personal information. This enables you to ask us to suspend the processing of personal information about you, for example if you want us to establish its accuracy or the reason for processing it.
- Request the transfer of your personal information to another party.
If you want to review, verify, correct or request erasure of your personal information, object to the processing of your personal data, or request we transfer a copy of your personal information to another party, please contact privacy@offensive-security.com.
Questions?
If you have questions about this privacy notice or wish to contact us about anything related to it, please contact privacy@offensive-security.com.