Effective Date: 03/11/2020
Craigmuir Chambers, Road Town,
Tortola, British Virgin Islands
DPO Contact Information
Name: Yanal Kashou
Elevatus is your one-stop solution provider to a customizable automated decision-making process . Using our cutting-edge technology, we help businesses worldwide accelerate their growth and achieve greater success.
For the world to trust our technology, we are committed to transparency about the data we collect about you, how it is used, with whom it is shared and under what context and legal basis.
Elevatus is committed to comply with all regional privacy laws and regulations such as GDPR.
As per [GDPR, Chapter 4, Article 37-39], a designated Data Protection Officer (DPO) is employed and given complete autonomy over tasks such as, but not limited to:
- informing Elevatus and its employees of their obligations pursuant to the GDPR;
- to monitor and evaluate compliance with the data protection provisions regarding the protection of personal data. This includes training of staff of their respective responsibilities towards processing operations;
- continuously assess and identify impact and gaps to maintain audit continuity; and
- handle and help you exercise your rights as data subjects of Elevatus.
Automation processes are defined by the Company (Controller). Share video content and engage in various pre-designed processes such as hiring. Others, namely people invited to interviews who are not registered are considered (”Visitors”, “you”).
Product and Platform
Changes to the Policy
Defining Automated Decision-making
We provide the capability to easily define automated decision-making pipelines. It is crucial to note that we do not create these pipelines nor determine the motives or grounds for their use in any particular way.
If you are a registered entity (“Company”) then you may use our Platform to define a multitude of pipelines, questionnaires, templates and the associated logic for (“Applicants”) to undergo for various purposes of your own determination. For example, these pipelines may be hiring pipelines with different stages where automation occurs by defining how movement between stages in the pipeline occurs. You may perhaps create the automation logic for a stage in the pipeline for document submission where you may request Applicants to submit a specific document. Upon successful completion by the Applicant, they are automatically moved to the next stage.
If you are an Applicant, then by registering to a Company’s portal your data will be processed according to the Company’s definitions and purpose. Nevertheless, we assert that any Company cannot use artificial intelligence technologies during decision-making stages as they are meant to be used responsibly and human involvement and participation is required when autonomous decisions are made.
Roles and Obligations
The particulars about what data we collect is further elucidated in the following section, titled ‘Data We Collect`.
When Elevatus is a Data Controller
We are a Controller when it comes to processing your data for our own purpose of improving our technologies and business by analyzing your data and/or training artificially intelligent algorithms.
As an Applicant
As an Applicant, these data may involve pseudonymized postings and applications, videos you record and content such as extracted speech and text. These data are utilized for the only purpose of improving our learning algorithms to yield a better, less biased experience of our platform.
As a Company or Applicant
Your data may be used to feed our ontology and our algorithms in order to allow us to serve powerful recommendations to you in the form of suggestions and recommendations, making the system smarter as a whole and the process more efficient.
When Elevatus is a Data Processor
We are a Processor when it comes to storing, managing and serving your data on your behalf as part of our Contractual obligations to you, consent given by you, or as part of legitimate interests.
As an Applicant
We process your information for the Company (the Controller) that you register to. The data we collect and process are your personal information pertaining to the purpose entailed and defined by the Company. The Company entrusts us to process your data.
As a Company
We are your data processor and we process your information and the Applicant’s information on your behalf.
Data we Collect
Upon signing up as a “User”, you are required to enter your identification information such as your first name, last name, company name, email address, and an encrypted password (which is unknown to us). You are then directed accordingly to the purpose of your registration. If you are a registered entity (“Company”), then you are directed towards the Company profile builder, upon which you may be required to disclose more information about your Company.
If you are a person (“Applicant”), upon signing up, you are required to enter your first name, last name, email address, and an encrypted password. You may share your phone number if you choose – in some regions you may be required to. Afterwards, you are directed to the Applicant profile builder, upon which you may provide data not limited to your educational background, work experience, achievements and a video CV where you may present yourself. These will be visible in your profile to those who have a link to your profile, namely the Company on whose career portal you have signed up.
As an Applicant, during video-based assessments and interviews, we collect and store data consisting of your videos and your details when you register for the assessment such as your email address and name. These data are important to identify you to the Company that invited you to the assessment.
As a Company, we save all data pertaining to managing and evaluating applicants to your video assessments.
As an Applicant, you may be processed through a tracking system with custom made pipelines and automation rules defined by the Company. We track your progress through the system and keep your data safe and secure. Data that may be stored could, for example, be private or confidential documents that need to be submitted to the Company as per their requirements.
As a Company, we save all data pertaining to the tracking of applicants through your own customized templates, questionnaires and pipelines.
As a Company, we store all data you use to edit and customize the branding of your portal. Data included could be photos of team members, videos that may showcase the culture and image of your company, social media links.
Interviews and Video Meetings
As an Applicant or a Company, any video recorded or uploaded to the platform will be saved and stored securely on our servers.
Data we Collect for A.I.
You (the Company or the Applicant) create your Elevatus profile (a complete profile helps you get the most from our Products).
Our products require certain information to perform predictions and to learn and improve, and for that we encourage sharing more information as long as it is restricted to our Legitimate Interests. However, for the training, improvement or enhancement of our products, all information, commonly referred to as “Personally-Identifiable Information”, ”PII” or ”PII-data” such as your first and last name, your email, and phone number are excluded automatically from any automated or artificial learning, improvement or enhancement. We attempt to use all other data such as, your skills or previous job titles and achievements as anonymized data for machine learning purposes and technological enhancement.
EVA-BRAND (Company Branding)
EVA-BRAND is the Company’s way to showcase its culture and team atmosphere to an Applicant. It is how it may attract Applicants by instilling a sense of belonging to their brand. Companies experience significant increases in inbound sourcing of Applicants, time saved and apparent credibility through a professional, highly-customizable company portal.
EVA-SSESS (Video Assessment)
EVA-SSESS is a product that reduces the burden of one-on-one interviews. A Company may define questionnaires to be answered by Applicants in short videos under specific constraints. Insights are drawn from the answers and the Applicant is given a choice upon completion to either answer a psychometric test or to skip. A personality report is generated and shared with the Company. This report is intended to guide and not discriminate against the Applicant and does fall into any automated decision making process, but instead, is divorced from it.
EVA-REC (Recommendations Engine)
EVA-REC is a bundle of products and services that are carefully designed to solve the hiring cycle (or a similarly defined process). It consists of the sub products: EVA-TRACK and EVA-MATCH combined into one comprehensive solution.
EVA-TRACK (Applicant Tracking System)
EVA-TRACK is how the Company transforms its processes into a smooth, seamless and user friendly experience. Applicants and the Company alike are alleviated from the mundane, robotic tasks through highly-efficient pipelines, and a customizable and personalized tracking board. The Company may define stages effortlessly and move Applicants between stages with ease, Applicants are also notified of their progress.
EVA-MATCH (Intelligent Matching)
EVA-MATCH exists to shortlist the ideal applicants immediately while making sure neither the Company, nor the Applicant are inadvertently penalized. Our semantic recommendations engine is designed to bridge the matching gap. Two-way recommendations leverage hierarchies of language, implicit topic models and a comprehensive expert system to find the optimal match. The optimal vacancy for an Applicant and the optimal Applicant for a vacancy. The Company can supply a batch of resumes and it will automatically match them with their own vacancies and offerings.
EVA-NALYZE is the superset of analytics engines empowering each individual product to aid in the decision-making process by providing useful insights mined and extracted from real data.
EVA-MEET is a comprehensive cognitive solution for your online and offline meetings.
As per [GDPR, Chapter 3, Article 21], recipients of email-based marketing campaigns must have given explicit consent to receiving the emails. Elevatus uses mailing list providers to generate leads as part of its sales process and ensures that any marketing campaign excludes EU citizens to ensure compliance with GDPR. This exclusion filter is part of the offering of the mailing list provider that Elevatus contracts.
Legal Basis – Processing your Personal Data
As per [GDPR, Chapter 2, Article 5-7], we have determined our legal bases for processing your data to fall under either a contractual obligation, consent, or a legitimate interest.
We will process your personal data to fulfil our duties towards our subscription agreement. Most of your personal data are processed under this legal basis. These include but are not limited to the processing of profiles, vacancies, assessments, questionnaires, and curriculum vitae.
Where you have given consent regarding the usage of your personal data, Elevatus will use your personal data as consented to. You are free to revoke this consent for the future without giving any justification.
These data include cookies that allow us to obtain insights on user behavior on the system in order to learn and optimize accordingly. There are specific cookies that are mandatory for the platform to function properly.
Your consent to cookies can be given and withdrawn using the Cookie Drawer, clearly visible when you access our platform. The drawer is present throughout the platform and you are free to accept or revoke your consent at any point.
We process personal data regarding network audits and security logging. These data are collected and processed to monitor aspects related to unauthorized attempts to access your data, thereby protecting your personal data and by association our system.
The ingested logs are retained for a period of three months. These logs include network requests, system access logs and monitoring of unusual behavior and disallowed actions.
We will process your personal data to comply with legal obligations, such as answering authority requests in the course of investigation proceedings. We must comply and retain data that is processed or kept for the purpose of legal obligation.
Sharing your Personal Data
We share your data only with necessary third-party service providers such as but not limited to the provider of our video recording APIs, translation and speech-to-text APIs.
We do not share your personal information including but not limited to name, address, contact information, credit card information, with third-party providers, except for billing purposes and only what is required by the payment gateway provider.
Your data may be shared with Government Authorities, Law Enforcement Officials and Courts pursuant to conformity with Regulation (EU) 2016/679 (GDPR) when personal data is required to be disclosed by Law Enforcement Authorities.
International Data Transfer Safeguards
Elevatus will protect your data, regardless of whether it is inside or outside the European Economic Area (EEA). In case we need to share your personal data with any entity outside of the EEA, we will require your consent and their signature on approved standard contractual clauses to ensure that your personal data are adequately protected.
Data Retention Policy
We store all data in Amazon S3/Google Cloud Storage until request for deletion of the account. Videos, resumes, documents and other objects are deleted automatically. A single cold backup remains for up to one year (varies with regional laws), for the purpose of account reactivation, unless an explicit request is made to delete the data beforehand. An agreement can be made to retain the cold backup for a shorter or longer duration prior to the creation of the account.
We store all the data until the request for deletion of the account. After which all data are purged from the database and all replicas, and denormalized forms and views are also deleted automatically. A single cold backup remains for up to one year (varies with regional laws), for the purpose of account reactivation, unless an explicit request is made to delete the data beforehand. An agreement can be made to retain the cold backup for a shorter or longer duration prior to the creation of the account.
We will retain your applications for the duration of the recruiting process and to the extent permitted by applicable law after the end of the hiring process. Most applications will be deleted one year after rejection. Please note that some local laws may require or allow us to retain your data for longer periods.
We will keep your personal data if you take legal action against any Elevatus entity. The personal data will be deleted at the end of the legal proceeding.
We have appropriate technical and organizational measures in place and signed contractual agreements with our service providers to protect your personal data, including, but not limited to loss, alteration or unauthorized access. Please note that any transmission of your personal data through the internet is at your own risk. Once we have received your data, we do our best to protect it.
Personal Data Breaches
We developed a comprehensive logging system that allows us to identify risks to personal data, and our data pipelines are carefully engineered to ensure that data is processed according to our specifications. We have taken measures to protect you against unauthorized access, loss, theft, alteration, unauthorized disclosure, transmission, storage or processing. Our DPO is responsible for managing breaches, communicating with executives and the security team at hand.
Given a breach is detected via our network and system logging and monitoring or by direct communication of a concerned party, the DPO is informed at once and investigation into the incident begins with an aim to identify and resolve the issue immediately. Once the cause and scope of the breach are determined, the affected persons are informed via email with the risks involved and if any action is required on their part.
At Elevatus, you own your data and have the choice to modify or delete your data completely at any moment except when subject to legal obligations. We would like to give you an overview of your rights to your personal data:
Right of access
You have the right to obtain access to your personal data and to get a copy of the personal data undergoing processing.
Right to rectification
You have the right to rectify inaccurate personal data or to append information. You can do so by logging in to your profile and making the necessary modifications. Your applications to job posts can be edited unless rejected.
Right to erasure
You have the right to request erasure of your profile for any reason. We assure you that all your information will be purged. You can do so by logging in to your profile, navigating to your account settings and requesting deletion from there.
Right to erasure of cold backups
We keep a cold backup of your data stored for up to one year (varies with regional data protection regulations and laws). After which will be automatically deleted. You can explicitly request deletion of your backups by logging in to your profile, by sending us an email with your request to firstname.lastname@example.org. Upon which you will be connected to one of our team members to help you.
Right to data portability
You have the right to receive your personal data in a structured, commonly-used and machine-readable format as confirmed in [GDPR, Chapter 3, Article 20]
Right to restriction of processing
You can prevent Elevatus from processing your personal data unless your request does not align with the specification in [GDPR, Chapter 3, Article 18].
Right to object
You have the right to object to the processing if you doubt our legitimate interests in processing your personal data as specified in [GDPR, Chapter 4, Article 21].
As per [GDPR, Chapter 4, Article 22], Elevatus does not perform any solely automated decision-making process. While much of our technology aids in decision-making, any profiling-based technology, such as psychometric assessments, no ranking of any kind is performed. Our services are anti-discriminatory, and suggestive.
Right to lodge a complaint
You have the right to lodge a complaint with your local Data Protection Authority as per [GDPR, Chapter 8, Article 77] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e6101-1-1
We may need to confirm your identity, before we can deal with your enquiry. Please note that some of the rights are also subject to restrictions. Where your request has been rejected, we will provide you with relevant reasons.