Synack Candidate Privacy Notice

Effective Date: January 26, 2023

Introduction and Scope

This Candidate Privacy Notice (“Privacy Notice”) applies to Candidates and Successful Candidates for Employee and Contractor positions and sets out the basis on which Synack processes any personal data that you provide to us, including information that you provide through the Synack Careers Portal (the “Portal”), and other data we receive from you or third parties (such as referees) in connection with your job application. The data controller (“we”, “us”, “our” or “Synack”) for the purposes of the EU General Data Protection Regulation, UK General Data Protection Regulation (together, the “GDPR”) or any relevant local data protection legislation is the entity where you applied for a position. If you applied for a position with Synack, Inc, the data controller is Synack, Inc., a company incorporated in the United States.

For purposes of this Privacy Notice, “personal data” generally refers to any information that relates to you as an individual, and/or is considered “personal identifiable information,” “personal information,” “personal data” or any similar term under applicable data privacy laws, including the GDPR and the California Consumer Privacy Act (“CCPA”).

Please read this Privacy Notice carefully to understand our privacy practices and how we will handle your personal data. By providing personal data to us, you acknowledge and agree to the practices described in this Privacy Notice. If your application is successful, we will provide you with a separate privacy notice setting out how we process your personal data after a successful application and during the course of your employment or your consulting or temporary contract with us, as applicable.

This Privacy Notice only deals with the personal data that we control. You may submit your information via other third parties, and they will process your personal data under their own independent privacy notices. We are not responsible for how such third parties process your personal data.

1. The types of data we receive and use

We collect personal data about candidates from a variety of sources, including from you directly, automatically when you use the Portal, and from certain third parties. We will receive and use the following information about you:

  • Information you provide as part of your application. You will provide us information about you by using our Portal to apply for a role or by corresponding with us by phone, e-mail or otherwise. This includes information you provide when you register for and use the Portal, such as your name, title, contact information, work experience, educational qualifications, country of residence, ability to work in the country for which you are applying for employment, and any information you choose to submit on or upload to the Portal (such as information from a CV).
  • Information for compliance with Synack policies. If applicable, you may also provide us with information about any family members or friends who work at Synack to comply with our policies regarding conflicts of interest. It is your responsibility to inform the relevant family members and friends about the processing of their personal data for the described purposes and to confirm that they have been notified of this Privacy Notice.
  • Information we collect about your usage of the Portal. We automatically collect certain data from you when you use our Portal, including IP address or other unique device identifiers, information collected by cookies on your usage of the Portal, mobile carrier (if applicable), time zone setting, operating system and platform and information regarding your use of the Portal such as the time of finishing the application for the position, page view history, application record etc.
  • Information from third parties. We receive information from third parties in connection with your application, such as referees, recruiters and organizations that provide background checks (this may include right to work, criminal reference check, and working experience check, in each case, to the extent permitted by applicable law).

2. Cookies

We use cookies to enhance your experience of using the Portal. Cookies are small files which, when placed on your device, enable us to provide certain features and functionality. The Portal will detect and use your IP address or domain name for internal traffic monitoring and capacity purposes or to otherwise administer the Portal.

3. How we use your personal data

The table in Appendix 2 sets out how we use your information and the legal basis for processing we rely on to process your personal data.

At a high level, we use your information to:

  • identify and evaluate you for employment positions;
  • comply with our internal policies;
  • comply with applicable law;
  • determine and validate your qualifications for employment;
  • conduct background checks to the extent permitted under applicable law (including checking references, qualifications, and criminal history);
  • communicate with you (including providing you with job alerts where you elect to use this feature);
  • administer, develop and improve the Portal;
  • send you notifications about new positions that match your profile;
  • obtain quotations for employee group insurance and pension plans; and
  • evaluate corporate tax risks.

In some cases, the provision of your personal data is necessary to enter into the employment contract with you or to allow us to comply with the statutory requirements. In such cases, if you fail to provide certain information when requested, we may not be able to enter into or perform the contract with you. The mandatory or voluntary nature of provision of the personal data and the consequences of refusal to provide the personal data will be specified at the time of collection.

4. How we disclose your information

We share your information with selected recipients for business purposes. These categories of recipients may include:

  • Portal providers which store your information in the United States;
  • IT services providers located in the United States that provide us with recruitment support;
  • background check providers to verify the information that you provided as part of your application;
  • referees, including your previous employers and any professional contacts that have been provided to us, to identify you so they can provide a reference;
  • external advisors, professionals, service providers and consultants we use in relation to work visa and other employment or engagement related issues;
  • recruitment agencies where one was used, including certain information about your application;
  • service providers providing administrative support, including e-signature platform providers; and
  • third parties in relation to a change of corporate control or other investment in Synack, such as a restructuring, bankruptcy, merger, or sale of some or all of our assets.

We do not collect, use, or disclose personal data for purposes other than those specified in this Privacy Policy. We do not sell Candidate personal data or share it for targeted advertising purposes, and in the preceding 12 months, we have not sold or shared Candidate personal data for targeted advertising purposes.

5. Where we store your information

We take precautions to ensure the safety and integrity of personal data that is transferred within our group. The personal data that we collect from you will be transferred outside of the European Economic Area or United Kingdom (as applicable) to, and stored at/processed in, the United States. Synack’s data transfers are made in accordance with the European Commission’s standard contractual clauses for controller-to-controller sharing and for controller-to-processor sharing as applicable, available here, which has also been approved by the Information Commissioner’s Office in the United Kingdom. Please contact [email protected] should you wish to examine or have any questions about our personal data transfers.

EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield

Although Synack complies with the EU-U.S. Privacy Shield Framework and the Swiss-U.S. Privacy Shield Framework as set forth by the U.S. Department of Commerce regarding the collection, use, and retention of personal data transferred from the European Union and Switzerland to the United States, Synack is not currently relying on these frameworks for the transfer of personal data. To learn more about the Privacy Shield program, and to view our certification, please visit www.privacyshield.gov.

Synack is subject to the investigatory and enforcement authority of the U.S. Federal Trade Commission.

Synack is responsible for the processing of personal data it receives and subsequently transfers to a third party acting as an agent on its behalf.

Synack commits to cooperate with EU data protection authorities (DPAs) and comply with the advice given by such authorities with regard to human resources data transferred from the EU in the context of the employment relationship.

In certain cases, Synack may be required to disclose personal data in response to lawful requests from public authorities, including to meet national security or law enforcement requirements. In such cases, Synack will use all reasonable efforts to disclose the minimum personal data as required by law.

Privacy Dispute Resolution

In compliance with the Privacy Shield Principles, Synack commits to resolve complaints about your privacy and our collection or use of your personal data. European Union or Swiss citizens with inquiries or complaints regarding our Privacy Notice should first contact Synack via email at [email protected], or by mail at: Synack, Inc., Attn: Legal Department, 303 Twin Dolphin Drive, Floor 6, Redwood City, California 94065, United States of America.

Synack has further committed to refer unresolved privacy complaints under the Privacy Shield Principles to an independent dispute resolution mechanism, the BBB EU PRIVACY SHIELD, operated by BBB National Programs. If you do not receive timely acknowledgment of your complaint, or if your complaint is not satisfactorily addressed, please visit https://bbbprograms.org/privacy-shield-complaints/ for more information and to file a complaint. This service is provided free of charge to you.

Please note that if your complaint is not resolved through these channels, under limited circumstances, a binding arbitration option could be available before a Privacy Shield Panel.

6. The security of your personal data

Unfortunately, the transmission of information via the internet is not completely secure. Although we will do our best to protect your personal data, we cannot guarantee the security of your personal data transmitted through the Portal and any transmission is at your own risk. Once we have received your personal data, we will take appropriate technical and organizational measures to safeguard your personal data against loss, theft and unauthorized use, access or modification.

7. Data retention

We will retain your information as follows:

| Information | Retention Period |
| --- | --- |
| Successful Candidates | If you are a Successful Candidate and accept a job with Synack, your personal data will be included in your Human Resources file and retained by the Synack Human Resources Department for the term of your relationship with Synack and for any post-termination period as permitted or required by applicable law. |
| Unsuccessful Candidates | If unsuccessful, we will keep your personal data in accordance with applicable law. After the expiration of the relevant retention period, all categories of personal data will be deleted manually. |

Your information will be retained for longer if required by law or a court order and/or as needed to defend or pursue legal claims.

8. Deleting your information

You may request deletion of your personal data at any time. Unless otherwise required by law, or where Synack may have a legitimate interest that justifies continued retention, Synack will delete your personal data after receiving such request in accordance with applicable law. To delete your data, please email us at [email protected].

9. Your rights

Depending on where you are based, you may have rights under relevant data privacy laws, including the GDPR and the CCPA, or other applicable laws and regulations. These rights may include:

  • Access/Know: You may have the right to request access or copies of your personal data we process and details of how we use it, and who we share it with;
  • Correction: You may have the right to rectify incorrect personal data;
  • Erasure: You may have the right to request the deletion of your personal data;
  • Restriction: You may have the right to restrict the processing of your personal data other than for storage purposes, in certain circumstances;
  • Portability: You may have the right to request a commonly structured, machine-readable copy of your personal data and that such information is transferred to another data controller in certain circumstances and with certain exceptions;
  • Objection: You may have the right to object to our processing of your personal data;
  • Complain: You may have the right to lodge complaints with applicable authorities (such as the competent data protection supervisory authority in the EEA country in which you live or work or where you think we have infringed data protection laws, or with the UK Information Commissioner’s Office, as applicable to you) though we would encourage you to contact us in the first instance to relay any concerns;
  • Limit Use and Disclosure of Sensitive Personal Information: You may have the right to limit our use and/or disclosure of sensitive personal information (as defined in Appendix 1) to only what is necessary for purposes related to managing our relationship with you (however, we already limit our use and disclosure in this way); and/or
  • Right to No Retaliation: You may have the right to not be retaliated against for exercising your rights.

Please note that a number of these rights only apply in certain circumstances and to certain jurisdictions, and all of these rights may be limited by law. For example, where fulfilling your request would adversely affect other individuals or our trade secrets or intellectual property, where there are overriding public interests or where we are required by law to retain your personal data.

You may exercise any of these rights by contacting us using any of the methods set out in Section 11 of this Privacy Notice. We may need to collect information from you to verify your identity, such as a government issued ID or date of birth, before providing a substantive response to the request. Depending on where you are based, you may have the ability to designate, in writing or through a power of attorney document, an authorized agent to make requests on your behalf to exercise your rights. Before accepting such a request from an agent, we will require that the agent provide proof you have authorized them to act on your behalf, and we may need you to verify your identity directly with us.

10. Changes to this Privacy Notice

This Privacy Notice may be updated from time to time by us at our discretion to account for changes in the law or changes in our collection and/or processing of personal data. We will post any future changes to this Privacy Notice on this page. Please check back frequently to see any updates or changes to this Privacy Notice.

11. Contact

Questions, comments and requests regarding this Privacy Notice are welcomed and should be addressed to:

Email: [email protected]

Phone: +1 (855) 796-2251

Address: Synack, Inc., Attn: Legal Department, 303 Twin Dolphin Drive, 6th Floor, Redwood City, CA 94065

Appendix 1

Processing of California Residents’ Data

This section only applies to you if you are a Candidate who is a California resident. For the purpose of this section, “sensitive personal information” means personal data that reveals an individual’s sensitive information (for example, government identifiers, account access credentials, precise geolocation, or racial or ethnic origin, etc.).

In the preceding 12 months, we collected and disclosed for a business purpose the following categories of personal data and sensitive personal information (denoted by *) about Candidates who are California residents:

| Categories of Personal Data | Examples | Categories of Recipients | Retention Period |
| --- | --- | --- | --- |
| Identifiers | Name, e-mail address, IP address | Service Providers | For successful Candidates: the term of your relationship with Synack and for any post termination period as permitted or required by applicable law. For unsuccessful Candidates: a reasonable period and kept as long as Synack has an ongoing legitimate business need to carry out the purposes described in this Notice or as otherwise required by applicable law. |
| Personal information categories listed in the California Customer Records statute* | Name, address, telephone number | Service Providers | For successful Candidates: the term of your relationship with Synack and for any post termination period as permitted or required by applicable law. For unsuccessful Candidates: a reasonable period and kept as long as Synack has an ongoing legitimate business need to carry out the purposes described in this Notice or as otherwise required by applicable law. |
| Protected classification characteristics under California or federal law* | Race, color, national origin or ancestry, gender, physical or mental disability, veteran status, citizenship, residency, and employment eligibility status when permitted by applicable law | Service Providers; Equal Employment Opportunity Commission (EEOC) | For successful Candidates: the term of your relationship with Synack and for any post termination period as permitted or required by applicable law. For unsuccessful Candidates: a reasonable period and kept as long as Synack has an ongoing legitimate business need to carry out the purposes described in this Notice or as otherwise required by applicable law. |
| Internet or other similar network activity | Information regarding your interaction with Synack’s systems | Service Providers | Your Internet Session |
| Geolocation data | IP address | Service Providers | Your Internet Session |
| Audio, electronic, visual, thermal, olfactory, or similar information | Voluntary voice recordings by Candidates suggesting how to pronounce their names | Service Providers | For successful Candidates: the term of your relationship with Synack and for any post termination period as permitted or required by applicable law. For unsuccessful Candidates: a reasonable period and kept as long as Synack has an ongoing legitimate business need to carry out the purposes described in this Notice or as otherwise required by applicable law. |
| Professional or employment-related information | Title of profession, employer, professional background | Service Providers | For successful Candidates: the term of your relationship with Synack and for any post termination period as permitted or required by applicable law. For unsuccessful Candidates: a reasonable period and kept as long as Synack has an ongoing legitimate business need to carry out the purposes described in this Notice or as otherwise required by applicable law. |
| Non-public education information collected by certain federally funded institutions | Education records | Service Providers | For successful Candidates: the term of your relationship with Synack and for any post termination period as permitted or required by applicable law. For unsuccessful Candidates: a reasonable period and kept as long as Synack has an ongoing legitimate business need to carry out the purposes described in this Notice or as otherwise required by applicable law. |
| Other categories of Sensitive Personal Information* | Ethnic origin, Personal Information concerning a Candidate’s health, physical, or mental disability | Service Providers | For successful Candidates: the term of your relationship with Synack and for any post termination period as permitted or required by applicable law. For unsuccessful Candidates: a reasonable period and kept as long as Synack has an ongoing legitimate business need to carry out the purposes described in this Notice or as otherwise required by applicable law. |

Appendix 2

Purposes for Processing Candidate Data

| Purpose of Use | Categories of Personal Data processed for each purpose | Legal Basis for Processing |
| --- | --- | --- |
| To identify and evaluate candidates for employment positions. | Identity information such as title, full name, gender, citizenship, date of birth and proof of eligibility to work. Contact details such as home and work address, phone numbers, email addresses. Employment and education history, such as project experience, degree, awards etc. | Necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract. |
| Ensuring compliance with Synack’s policies on conflicts of interest. | Information on your family members such as first and last name, name of Synack group entity and position held. | Necessary for Synack’s legitimate interests (to ensure compliance with Synack’s internal policies). |
| Ensuring compliance with export control laws. | Identity information such as citizenship, nationality, residency, status of permanent residency | Necessary for compliance with Synack’s legal obligation. |
| To determine and validate your qualifications for employment. | Data with respect to education, professional training and previous career performance including qualifications, references or curriculum vitae information. | Necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract. |
| To conduct background checks including, to the extent permitted under applicable law, checking references, qualifications and criminal records checks. | Identity information such as name, gender and date of birth. Contact details such as home and work addresses, phone numbers and email addresses. Employment and education history, such as project experience, degree, awards etc. References from previous employers and schools or professional contacts. | Necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract. |
| To communicate with you (including providing you with job alerts where you elect to use this feature). | Identity information such as name and date of birth. Contact details such as home and work addresses, phone numbers and email addresses. | Necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract. Necessary for Synack’s legitimate interests (to ensure that we share relevant job alerts with you) |
| Send you notifications about new positions that match your profile. | Identity information such as name, gender and date of birth. Contact details such as home and work addresses, phone numbers and email addresses. Employment and education history, such as project experience, degree, awards etc. | Necessary for our legitimate interests (to ensure the success of our recruitment practices). |
| Obtain quotations for employee group insurance and pension programmes. | Identity information such as gender and date of birth. Information in relation to the employee’s benefits entitlement such as current salary information. | Necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract. (In the UK: Necessary for Synack’s performance of a contract and for Synack’s legal obligations as an employer). |
| To evaluate corporate tax risks. | Country of residence and nationality. | Necessary for our legitimate interests (to adequately assess our operating costs). |
| To calculate your net income after tax during the offer process. | Tax residency and number of dependents. | Necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering into a contract. |
| To administer, develop and improve the Portal. | Phone number, e-mail, name, title, gender, date of birth, contact information, work experience, educational qualifications, citizenship and country of residence, ability to work in the country for which you are applying for employment, tax residency, current salary information, number of dependents, name and contact details of any referees and any information you choose to submit on or upload to the Portal (such as information from a CV). | Necessary for our legitimate interests (to ensure the success of our recruitment practices). |