Privacy Policy
At HirePurpose.ai, we take privacy and security very seriously.
We embrace the Privacy-by-Design (PbD) framework. We build according to privacy-first design principles. We adhere to the secure Systems Development Lifecycle (SDLC). We follow the moral compass of the United Nations and Moral Foundations Theory. We safeguard user privacy in full accordance with the tenets of initiatives like GDPR and CCPA.
How will we use your data?
We collect your data so that we can help you understand yourself and gain insight into how you think, how you're designed, what you know, how you relate to others, and what roles you might best play in society. We will use your data in order to identify your cognitive style, moral preferences, goals, behaviors, leadership potential, personality, intelligence, and genetic tendencies.
For our users, the aim of our Machine Learning and Artificial Intelligence (ML/AI) research program is to match candidates to their dream jobs. Our approach goes beyond skills-matching to include a personalized view informed by concepts like cognitive style, moral preference, emotional aptitude, and culture fit.
Where will you be happiest?
At HirePurpose.ai, we believe our process and products can make realizing human potential less about luck and more about science.
In the end, we use your data to inform you, and--with your permission--our candidate-focused technical recruiting partners, who in turn may suggest you as a top prospect to suitable employers. We may also email you about personalized products and services that we think can help you grow, thrive, and live up to your full potential. For example, depending on your goals and assessment results, we may recommend specific introspection exercises, technical challenges, training programs, newsletter subscriptions, or learning modules.
When it comes to privacy, we pay special attention to three major areas of concern:
- Discovery of applicant profiles by current or former employers. We know that for some applicants, the simple act of seeking to enhance their careers may result in termination by their current employers. Our match-making business logic is designed to prevent applicant exposure to their current and former employers.
- By default, DNA testing results are optional to all users, and we only share the positive notes with employers. For example, people with genetic tendencies toward resilience and not freezing when under pressure may receive positive notes about these aspects. This in turn influences our algorithms and can boost the likelihood of matching with incident responder roles. Similarly, people with both cognitive preference for order and a genetic tendency toward conservatism will be boosted for roles with established, ordered companies rather than fast-paced startups. To clarify our ethical position regarding the consequences of job-based genetic screening, we refuse to allow our employers to create positions that explicitly require candidates to undergo DNA testing.
- By default, intelligence test results are hidden from the candidate profiles that employers see unless you clearly opt in to demonstrate your consent.
We collect the following Personal Data from our websites, apps, browser extensions, and assessments:
- Sensitive usage data, including personal goals assessment, intelligence test results, cognitive test results, moral test results, language proficiency, computer literacy, presentation capability, behavioral and technical interview recordings, and security awareness screening results.
- Goals and employment information, including required salary, equity preferences, required benefits, desired leveling, remote preferences, willingness to relocate, available work hours, visa and work authorization, preferred tools and technologies, and your firmographic preferences regarding attributes like industry and employer approval rating.
- Diversity information, including the optional entry of profile attributes like gender, race, and military status, which may lead to additional user opportunity and attention from employers that are seeking to expand their corporate diversity.
- Background information, including education verification, work experience verification, and criminal background checks for some positions.
- Identity verification, including passport, license, and defense clearance checks for some positions.
- Contact information, including name, email address, address, and phone number.
- Genetic information, including sequencing data file results and trait metadata.
- Regular usage data, from your browsers, devices, and networks used to connect to our websites, apps, and assessments.
How do we collect your Personal Data?
You personally and knowingly provide all of the non-public Personal Data we collect.
We collect and process your data when you:
- Register an account
- Connect your social media accounts
- Upload your resume
- Upload your genetic sequencing file
- Upload recorded video
- Upload photos
- Attend a behavioral or technical video interview
- Make a user profile
In some hiring processes, candidates are required to undergo identity verification or background checks conducted by third-parties, but these processes require your direct and clear consent to proceed. We do not receive or store your passport or identification numbers. By default, we do not store your genetic data, but you can opt-in to genetic data storage in order to be updated with new insights as we develop our bioinformatics trait-screening capabilities. We also generate results metadata when you take assessments, but this information is not personally identifiable. We use your IP address for internationalization and to know if you're connecting from a university or enterprise network, but we do not store your IP address in our databases.
We may also receive your data indirectly from the following public sources:
We operate a search engine designed to find and attract talented makers, breakers, hackers, security engineers, builders, security researchers, defenders, and thought leaders. In order to pre-qualify candidates, our search bots may have visited your website, your public Github, LinkedIn, Xing, AngelList, or Crunchbase profile, or your Wikipedia page. Our bots may have also visited your community profiles from capture-the-flag (CTF) competitions and coding challenges. In order to discover the best emerging talent, we may have found your published academic or open source research. In order to identify thought leaders, we may have identified you as a conference speaker at security-related venues like DEF CON and Black Hat. We may have identified you as an author, blogger, or subject matter expert at a leading media publication. In some cases, we may have obtained your data from meetup groups, innovation centers, or events we are attending, hosting, sponsoring, or partnering with.
How do we store your data?
We securely store your data using Amazon AWS cloud-native services. We keep your assessment results and metadata indefinitely, as these are required to tune our machine learning models and maintain the validity of our scientific research. However, we remove public and non-public personally identifiable information (PII) from user records after 2 years of inactivity.
About Privacy by Design - The HirePurpose.ai Secure Systems Development Lifecycle (SDLC)
HirePurpose.ai develops its systems with a privacy-first approach derived from Dr. Ann Cavoukian's Privacy-by-Design (PbD) framework.
- Proactive not Reactive; Preventative not Remedial: At HirePurpose.ai, new systems are designed and threat modeled before coding begins. Privacy review and sign-off is an engineering gate prior to deployment to production. For example, we ensure our user data is not logged, sent unencrypted in transit, shared via cookies, or used to deliver advertising. The user data that we do save is stored in regional, cloud-native, Amazon AWS databases. Production user data never enters our development environments and is inaccessible to application developers. When we do need realistic user data, we make use of generators in order to make development possible. We cannot access your stored password.
- Privacy as the Default Setting: We understand that the default configuration wins. That's why we make sure that no action is required in order to "opt-in" to keeping private or staying safe. This guiding principle also surfaces in our privacy review checklist, which includes the question: "is any action required by the user in order to protect their privacy?" -- at HirePurpose.ai the answer must be "no privacy impact" in order to deploy new features and systems. For example, we do not store genetic sequencing data without explicit, opt-in consent.
- Privacy Embedded into Design: At HirePurpose.ai, privacy and security are "baked in" and not "bolted on" to our products. New features undergo privacy review before coding begins. The belief that privacy is absolutely essential has had major design impact as to which technologies we've adopted in our ecosystem. For example, every surface that our users can touch is built using browser-native technologies that automatically escape templated and rendered content. That means, by design and to the maximum degree possible, we've limited user exposure to security risks like cross-site scripting (XSS). This user-centered, browser-based approach is the single most resilient mitigation we could implement against code injection attacks on our users.
- Full Functionality — Positive-Sum, not Zero-Sum: The designers of HirePurpose.ai firmly believe that privacy and security can coexist. We commit that our users will never receive access to inferior applications or be exposed to soft business processes just because it "costs more" to do it right. We have zero tolerance for any deviation from this principle in both our systems development and business processes. We understand that we are more than just our product line. We believe that the security hygiene and privacy positions of our employees, contractors, and suppliers matter. We require adherence to our best practices for back-end systems, including use of classic controls like multi-factor authentication (MFA) for all employees and full disk encryption for all workstations and laptops. We don't do this for compliance--we do it because it's the only acceptable standard as required by our privacy-first approach. We will never sacrifice your privacy or security in order to bring features to market faster or make more money.
- End-to-End Security — Full Lifecycle Protection: To the greatest degree possible, we leverage our infrastructure partners in order to reduce the risk exposure of user data across the resource management lifecycle. Central to our designs is extensive use of hardened, security-reviewed Amazon AWS services and components. For example, HirePurpose.ai applications do not save user passwords. Instead, we fully rely on Amazon AWS services to maintain end-to-end protection of secrets, both at rest and in transit. This philosophy extends to how we handle short-lived secrets used for email verification, telephone verification, identity verification, and password reset functionality. User and API authentication is transacted with battle-hardened authenticators designed and implemented by Amazon. This approach not only minimizes user risk, but allows us to offer federated social login and SAML-based Single Sign-On for universities and enterprises.
- Visibility and Transparency — Keep it Open: At HirePurpose.ai, our core values are 1) Integrity, 2) Transparency, and 3) Quality. And we believe these values truly shine when they are combined with the privacy-first perspective outlined here.
- Respect for User Privacy — Keep it User-Centric: We hope you like our security spirit and approach to how we handle your privacy. In the end, our business is all about People. That includes respect for your basic human right to privacy, which is acknowledged in the Universal Declaration of Human Rights. That's because privacy isn't just "required" or "mandated" or "opt-in" -- at HirePurpose.ai, we believe your privacy is universally guaranteed.
Design Tenets of the HirePurpose.ai SDLC
Whenever possible, we use hardened, security-reviewed resources when implementing our systems. But sometimes, we do in fact roll up our sleeves and build our own apps. This product development activity is governed by the HirePurpose.ai SDLC, which applies to all of our systems end-to-end, from start-to-sunset, from cradle-to-grave.
SDLC Rules:
- 100% Serverless: All HirePurpose.ai workloads must be executed in the cloud. The majority of our infrastructure is provided by Amazon AWS across multiple regions. We maintain zero servers, zero instances, and zero virtual machines. All of our back-end workloads are performed by serverless functions or in serverless container clusters.
- Zero Footprint: Always seek to eliminate code, remove dependencies, minify features, sunset systems, and deliver the smallest possible products. Always build the smallest app, with the fewest requirements, smallest binary, and barest-bones container.
Beyond these two rules, our SDLC blends models from BSIMM, SAMM, the Microsoft SDL, and the NCSC Application Security Lifecycle. The SDLC areas we focus on are:
- Education and Training: At HirePurpose.ai, we believe in learning and continuous improvement. Our employees undergo extensive security training and must maintain security certifications. We are extensively certified, and have held certifications including: CISSP, CISSP-ISSAP, CISSP-ISSMP, CRISC, CISM, CCSK, TOGAF Enterprise Architecture, AWS Cloud Architecture, AWS Machine Learning Specialist, PMP, Agile Program Management, and more.
- Policy and Compliance: Our privacy and security policies, standards, and guidelines came first. We use internal guidelines for design review, threat modeling, code review, security testing, penetration testing, and deployment. Beyond systems development, the governance of our business processes is influenced by international standards like ISO 27000 and NIST SP 800-53. Perhaps most importantly, we choose our partners carefully and pay close attention to compliance across our product supply chain.
- Design Review and Threat Modeling: We start with Design, not Code. We always model our systems before development begins. Our Design phase includes both privacy and security checklists to ensure our architecture is guided by our principles. As part of our SDLC, we conduct threat modeling using Data Flow Diagrams of our systems to ensure privacy and security concerns are fully enumerated and considered. We pay close attention to user data and apply the STRIDE methodology in our threat modeling practice.
- Development: Our products are developed according to the tenets of the 12-Factor App. At HirePurpose.ai, all code is reviewed by at least one application security engineer before it enters production. Our automated build pipeline includes a series of checks from source through build, with special attention paid toward container security. Depending on the language, HirePurpose.ai developers may make extensive use of Static Analysis Security Testing (SAST), linters, and code quality control tools. For example, our Go (Golang) applications are developed using tools like go vet, gocyclo, and golint. Our Python applications follow pycodestyle (formerly PEP 8) standards. Our development is influenced by our secure coding guidelines, which offer language-specific patterns to avoid (e.g. using pickle and popen in Python, or eval() and setInterval() in JavaScript).
- Continuous Integration: Our back-end Docker containers are scanned using Snyk in order to identify vulnerable dependencies in our open source supply chain. Containers with vulnerabilities require manual review and approval before they can be saved to our container registry.
- Penetration Testing and Security Testing: We test our own applications using Dynamic Analysis Security Testing (DAST). This practice includes use of external scanners like HackerTarget as well as penetration testing tools like Burp Suite. We also use external third-parties in order to verify the security posture for our apps and websites. The HirePurpose.ai website maintains top ratings for security, risk, and usability according to Mozilla Observatory, Google Lighthouse, and Bitsight.
- Incident Response and Sunset: It's a fact of life that things go wrong sometimes. What matters is having an effective response. We take an incident responder's approach when it comes to dealing with security vulnerabilities in our supply chain. If you find a defect in any of our products, please Report a Security Vulnerability.
HirePurpose.ai GDPR and CCPA Privacy Policy
HirePurpose.ai is operated by ProdSec Ventures Ltd, a Delaware company. This privacy policy details how we use the personal data we collect from you when you use our websites, mobile apps, desktop applications, and browser extensions.
Additional Topics
Regular Usage Data
Usage data is collected automatically when using our websites, apps, and services. Regular usage data may include information such as your device's Internet Protocol (IP) address, browser type, browser version, the pages of our services that you visit, the time and date of your visit, the time spent on those pages, unique device identifiers, and other diagnostic data.
When you access our services by or through a mobile device, we may collect certain information automatically, including the type of mobile device you use, your device unique ID, your device IP address, your mobile operating system, the type of mobile browser you use, unique device identifiers, and other diagnostic data.
Information from third-party social media services
We allow you to create an account and log in to use our services through the following third-party social media services:
- Google
- Facebook
- LinkedIn
- Twitter
- Github
- Apple
If you decide to register through or otherwise grant us access to a third-party social media service, we may collect Personal data that is already associated with your third-party social media service's account, such as your name, username, and email address.
You may also have the option of sharing additional information with us through your third-party social media service's account. If you choose to provide such information and Personal Data, during registration or otherwise, you are giving us permission to use, share, and store it in a manner consistent with this Privacy Policy.
Additional Information Collected while Using our Apps
While using our apps, we may collect, with your permission:
- Information regarding your location
- Pictures and other information from your device's camera and photo library
We use this information to provide and improve features of our services. The information may be uploaded to the Company's servers and/or a Service Provider's server or it may be simply stored on your device. You can enable or disable access to this information at any time, through your device settings.
Marketing
We would like to send you information about products and services of ours that we think you might like, as well as those of our partner companies. If you have agreed to receive marketing, you may always opt out at a later date. You have the right at any time to stop us from contacting you for marketing purposes. If you no longer wish to be contacted for marketing purposes, please click here.
What are your data protection rights?
We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
- The right to access – you have the right to request copies of your personal data. We may charge you a small fee for this service.
- The right to rectification – you have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.
- The right to erasure – you have the right to request that we erase your personal data, under certain conditions.
- The right to restrict processing – you have the right to request that we restrict the processing of your personal data, under certain conditions.
- The right to object to processing – you have the right to object to our processing of your personal data, under certain conditions.
- The right to data portability – you have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
If you make a request, we have one month to respond to you. If you would like to exercise any of these rights, please contact us at our email:
Cookies
Cookies are text files placed on your computer to collect standard Internet log information and visitor behavior information. When you visit our websites, we may collect information from you automatically through cookies or similar technology.
How do we use cookies?
We use cookies in a range of ways to improve your experience on our website, including:
- Keeping you signed in
- Understanding how you use our website
What types of cookies do we use?
There are a number of different types of cookies, however, our websites may use:
Functionality – We use these cookies so that we recognize you on our website and remember your previously selected preferences. These could include what language you prefer and location you are in. A mix of first-party and third-party cookies are used.
Advertising – We use these cookies to collect information about your visit to our website, the content you viewed, the links you followed and information about your browser, device, and your IP address. We sometimes share some limited aspects of this data with third parties for advertising purposes. We may also share online data collected through cookies with our advertising partners. This means that when you visit another website, you may be shown advertising based on your browsing patterns on our website.
How to manage cookies
You can set your browser not to accept cookies, and the above website tells you how to remove cookies from your browser. However, in a few cases, some of our website features may not function as a result.
Children's Privacy
Our services do not address anyone under the age of 13. We do not knowingly collect personally identifiable information from anyone under the age of 13. If you are a parent or guardian and you are aware that your child has provided us with Personal Data, please contact us. If we become aware that we have collected Personal Data from anyone under the age of 13, we will take steps to remove that information from our servers.
Disclosure of your Personal Data
Business Transactions
If HirePurpose.ai is involved in a merger, acquisition or asset sale, your Personal Data may be transferred. We will provide notice before your Personal Data is transferred and becomes subject to a different privacy policy.
Law enforcement
Under certain circumstances, we may be required to disclose your Personal Data if required to do so by law or in response to valid requests by public authorities (e.g. a court or a government agency).
Other legal requirements
We may disclose your Personal Data in the good faith belief that such action is necessary to:
- Comply with a legal obligation
- Protect the personal safety of users of our services or the public
- Prevent or investigate possible wrongdoing in connection with our services
- Protect and defend our rights or property from damage or loss
- Protect against legal liability
Privacy policies of other websites
The HirePurpose.ai website and apps contain links to other websites. Our privacy policy applies only to our apps and websites, so if you click on a link to an external website, you should read their privacy policy.
Changes to our privacy policy
We keep our privacy policy under regular review and place updates on this web page. This privacy policy was last updated on 9 May 2023.
How to contact us
If you have any questions about the HirePurpose.ai privacy policy, the data we hold about you, or you would like to exercise one of your data protection rights, please do not hesitate to contact us.