This Job Candidate Privacy Notice (“Notice”) describes what personal data we, Upstream Security Ltd., and our affiliates (“Upstream”, “we”, “our” or “us”) – collect and process on our job candidates and applicants (“Candidate(s)”, “you” or “your”) with respect to the application and recruitment process, why we collect it and how we use it. It also describes how candidates may exercise their rights to such data held with us.

We strongly urge you to read this Notice and make sure that you fully understand and agree to it. If you do not agree to this Notice, please avoid providing us with your data.

You are not legally required to provide us with any personal data, but without it, we may not be able to process your application.

1. What data do we collect, how do we collect it, and how do we use it?

Throughout the application and recruitment process, you may provide us (or we may otherwise have access to) personal data about you, such as your identifying data, contact details, resume/CV, work-related data, education and qualifications, social media activity, etc. We may collect this data directly from you, as you provide it voluntarily through your application and candidacy review process, or from other sources such as recruitment agencies, background check services (as applicable and subject to applicable law), or your references.

We may use such data to assess our Candidates’ skills and qualifications, as well as to overall verify, consider and process their application and candidacy for any of our positions, and to communicate with them regarding such processes.

In addition, we may use it to act as permitted by, and to comply with, any legal or regulatory requirements. Should we wish to conduct any additional activities that may require the use of your data, we will request your specific consent in advance.

In some regions, we may also require you to submit information relating to your race, gender, and whether or not you have a disability to ensure our compliance with our legal obligations under applicable law. We may also collect information about a Candidate’s prior criminal convictions and offenses as part of background checks for specific roles if permitted or required by law. To the extent legally required, we will obtain your explicit consent prior to any such collection and use.

2. How we use this information

We will use and process your personal information as part of the employment application process at Upstream for the following purposes and in reliance on the lawful bases detailed below:

Purpose	Lawful Basis for Processing
Evaluating your suitability for a role at Upstream, and progressing your application	Contractual necessity Legitimate interest Compliance with legal obligations Consent (where appropriate)
Contacting you about other suitable roles within Upstream in the future
Creating your employee personnel file, if hired
Maintaining our internal records of recruitment and employment applications	Compliance with legal obligations Legitimate interest
Compliance with applicable legislation or industry codes applicable to the employer
Protecting the rights and interests of Upstream and its affiliates	Legitimate interest

If you reside in a territory governed by privacy laws under which “consent” is the only or most appropriate legal basis for the processing of personal data as described herein, your acceptance of this Notice will be deemed as your consent to the processing of your personal data for all purposes detailed in this Notice. If you wish to revoke such consent, you may do so at any time by contacting us at [email protected].

3. Where do we store our Candidates’ data?

Your personal data will be maintained, processed and stored by Upstream, our affiliates and Service Providers (as defined in Section 6 below) in the applied position’s location(s) in accordance with the respective position, in relevant Upstream’s different offices worldwide, as well as in other jurisdictions as necessary for the proper handling of your candidacy.

While privacy laws may vary between jurisdictions, Upstream, its affiliates and Service Providers processing personal data on our behalf are each committed to protecting personal data in accordance with this Notice, customary industry standards, and such appropriate lawful mechanisms and contractual terms requiring adequate data protection, regardless of any lesser legal requirements that may apply in the jurisdiction to which such data is transferred.

To the extent we transfer Candidates’ personal data originating from the European Economic Area (EEA), the United Kingdom (UK), or Japan to countries that have not been recognized as offering an adequate level of data protection by the relevant competent authority, we rely on appropriate contractual undertakings and data transfer mechanisms as established under applicable law, such as the standard contractual clauses adopted by the EU (available here) and the UK (available here).

4. For how long may we keep your data?

We may retain Candidates’ data even after the applied position has been filled or closed. This is done so we could reconsider Candidates for other positions and opportunities at Upstream; so that we may use their personal data as reference for future applications submitted by them; in case the Candidate is hired, for additional employment and business purposes related to their work; and as reasonably necessary to comply with our legal obligations, to resolve disputes, prevent fraud and abuse, enforce our agreements or otherwise protect our legitimate interests.

5. How will we secure your data?

Upstream has implemented security measures designed to protect the personal data of our candidates, including physical, procedural and electronic measures. These measures provide sound industry standard security, confirmed also by Upstream’s relevant security certifications. Please be aware that regardless of the measures we take and the efforts we make, we cannot and do not guarantee the absolute protection and security of any personal data stored with us.

6. Who will have access to your data?

Upstream will share your personal data with several selected third-party service providers, whose services and solutions complement, facilitate and enhance our own. These include any recruitment firms that have referred you to us (or vice versa), recruitment software providers, background checks providers, data storage and cybersecurity services, web analytics, and our business, legal, compliance and financial advisors (collectively, “Service Providers“). Such Service Providers may receive or otherwise have limited access to your personal data, depending on each of their particular roles and purposes in facilitating and enhancing our recruitment process, and may only use it for such purposes.

Additionally, we may disclose or otherwise allow access to your personal data pursuant to a legal request, such as a subpoena, search warrant or court order, or in compliance with applicable laws, with or without notice to you, if we have a good faith belief that we are legally required to do so, or that disclosure is appropriate in connection with efforts to investigate, prevent, or take action regarding actual or suspected illegal activity, fraud or other wrongdoing. We may also share your personal data with others, with or without notice to you, if we believe in good faith that this will help protect the rights, property or personal safety of Upstream, any of our customers or employees, or any member of the general public.

In addition, we may share personal data internally within our family of companies, for the purposes described above. Finally, should Upstream undergo any change in control, including by means of merger, acquisition or purchase of all or part of its assets, your personal data may be shared with the parties involved in such event.

7. How can you exercise your privacy rights?

If you wish to exercise your rights under applicable law to request access to your data, to rectify it, to erase it, or to port it, or to object to its processing, or to exercise any similar rights afforded to data subjects under the laws that apply to you – please send us an e-mail to [email protected], and we will respond within a reasonable timeframe and in accordance with applicable laws.

Please note that we may require additional information, including certain personal data, in order to authenticate and process your request. Such additional information may be then retained by us for legal purposes (e.g., as proof of the identity of the person submitting the request), in accordance with Section 2 above. We may redact from the data which we will make available to you any personal data related to others.

Additionally, you have a right to lodge a complaint with a competent data protection authority, such as the supervisory authority in the EU Member State of your habitual residence, place of work, or of the alleged GDPR infringement, the UK’s Information Commissioner’s Office, or your State’s Attorney General (as applicable).

8. Will this Notice be updated?

We may update this notice to reflect changes in our privacy practices. If we make any changes that we deem as “material”, we will update this page prior to the change becoming effective.

9.What if you have any questions?

If you have any comments or questions regarding our data practices or your privacy, or if you have any concerns regarding your personal data held with us, or if you wish to make a complaint about how your personal data is being processed by Upstream, please contact us via e-mail to [email protected].

***