Platform Privacy & Security

Introduction

At DeeplyTalented Inc. (“DeeplyTalented” or “us” or “we”), we are committed to earning the trust of our customers by maintaining high standards of data privacy, security, and compliance. This page outlines how we protect the data processed through our AI recruiting platform.

Note: This page applies specifically to customers and users of the DeeplyTalented software platform. For our general website policies, please see our Privacy Policy and Terms & Conditions.

1. Data Privacy & Compliance

DeeplyTalented acts as a data processor on behalf of our customers, who are the data controllers. We process only the limited personal data required to deliver our services and do so in accordance with applicable data protection laws, including:

  • GDPR (EU/UK)

  • CCPA/CPRA (California)

  • PIPEDA (Canada)

We do not sell or share any personal data.

2. Types of Data Processed

DeeplyTalented is used by recruiters and hiring teams to assess candidate resumes. We process:

  • Candidate resumes submitted to customer job postings

  • Public candidate profiles (e.g., LinkedIn, job boards)

  • Recruiter-defined criteria and scorecards

DeeplyTalented does not access sensitive HR systems or require internal company data. We integrate with your existing applicant tracking system (ATS) via secure APIs and operate strictly on recruiter-configured inputs.

DeeplyTalented only processes candidate resumes that were voluntarily submitted via public or third-party platforms, such as job boards (e.g., Indeed, LinkedIn) or your ATS. These are not sensitive internal HR records - they are resumes already shared by the candidate with the intention of public visibility or distribution.

While resumes may contain basic PII (e.g., name, email, phone, work history), they do not typically include sensitive categories like health data, government IDs, or financial records.

In practice, this means:

  • We are handling public-facing or externally shared content that was submitted by the data subject for the purpose of broad evaluation.

  • No personal data is collected by DeeplyTalented independently or scraped from private sources.

Despite this lower sensitivity, we apply appropriate safeguards and treat all resume content as Confidential, subject to encryption, access controls, and our internal Data Classification Policy.

3. Use of AI

Our platform uses AI to assist with resume screening and candidate summarization based on recruiter-defined criteria (e.g., minimum experience, required education).

We do not use customer or candidate data to train our AI models. All AI model training is done on synthetic or non-customer data. The AI provides summarization and matching insights but does not make final decisions. All hiring decisions remain with human users.

For full details, please refer to our policies on Responsible AI at DeeplyTalented.

4. Subprocessors

To deliver our services, we use a limited number of trusted subprocessors. All subprocessors are contractually bound to meet strict data protection and confidentiality obligations:

  • Amazon Web Services (AWS) – Cloud hosting (SOC 2 Type II certified)

  • OpenAI, L.L.C. – AI-based summarization (via enterprise API)

  • Google LLC (Gemini) – Language model support

  • Perplexity AI, Inc. – AI-assisted search and enrichment

A full list is available in our Software and Data Processing Agreement (available upon request).

5. Security Practices

We employ technical and organizational measures aligned with industry best practices, including:

  • TLS encryption for all in-transit data

  • Firewall-protected cloud infrastructure

  • Key-based SSH access control

  • Role-based access permissions

  • Continuous vulnerability scanning as part of CI/CD

  • Cloud hosting on SOC 2 Type II-certified infrastructure

All customer data is encrypted in transit and subject to strict access controls. Our engineering team follows secure coding practices and regularly reviews potential vulnerabilities.

6. Data Minimization & Retention

DeeplyTalented adheres to the principle of data minimization. We collect and process only the information necessary to deliver the services configured by the customer, and no more.

Data retention is tied to the lifecycle of the customer relationship and their configuration preferences. Upon termination or written request, all received data is securely deleted using commercially reasonable measures. Data deletion processes are documented and auditable upon request in the context of security reviews or vendor risk assessments.

7. Legal Documentation

Enterprise customers are covered under our Software and Data Processing Agreement, which includes:

  • Standard Contractual Clauses (for international transfers)

  • AI usage limitations

  • Security and confidentiality provisions

  • Subprocessor disclosures

  • Right to audit

This agreement is available upon request and governs all platform use.

8. Contact

For privacy, security, or compliance-related inquiries, please contact:

[email protected]