At HackerRank, we take compliance very seriously. We are an ISO27001 certified organization that validates the controls we have put in place for Information Security and Management. For GDPR, we are working diligently to ensure that we are compliant with the rules laid out by the law and provide product functionality that enables our customers to remain compliant.
Because we process candidates on behalf of our customers, according to GDPR, we are considered a Data Processor and the customer organization is regarded as the Data Controller. In the capacity of a Data Processor, all the candidate information we receive or collect is handled securely with adequate data protection. We also have an incident response plan in place to address an unforeseen incident that can put customers’ candidates’ personal information at risk, in accordance with the Article 32 of the GDPR regulation.
Data Subject Consent -- As a processor, we require candidates to sign up using their emails to access our tests. In addition, when candidates take a test, we allow our customers to collect additional information including a resume of the candidate. Any profile information requested for collection by customers will come under the purview of GDPR. Such information would be data elements like name, education, location, gender, resume information, etc., that can identify an individual. According to Article 5 and 6 of the regulation, personal data can be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes (‘lawfulness, fairness and transparency’)”. Given that the processing should be fair, HackerRank ensures that we obtain consent from candidates. Our updated privacy policy clearly states how we process information in a fair and transparent manner.
While GDPR requires that a data subject can revoke their consent at any time, pursuant to above stipulations in Article 6, it also allows this request to be declined if the processing of this information is required for legitimate interests pursued by the data controller. In other words, our customers decide whether to accept or deny the request from the candidate. We will take action based on direction provided by the customer organization on how to proceed with any such request.
Data Management and Processing -- Under Article 46 of the regulation, data can be transferred outside EU borders if the processor has appropriate security measures in place, and if the customer organization (data controller) and HackerRank (data processor) have entered into a contract that includes contractual clauses specified by EU. HackerRank has a standard EU-specific data transfer and processing agreement to ensure compliance with GDPR. Article 49 provides an additional basis for such a transfer. Transfer of data is allowed where “necessary for the performance of a contract between the data subject and the data controller.” GDPR also stipulates that personally identifiable data should not be stored indefinitely. HackerRank's data retention policy provides flexibility to the customer (data controller) to define how long their candidates’ personal data should be stored and when it should be deleted. According to Article 25 of GDPR, processing should be done using appropriate security measures. HackerRank is ISO 27001 compliant. ISO 27001 is the best-known standard in the family providing requirements for an information security management system (ISMS) as established by International Organization for Standardization. This certificate is an assurance for our customers that we have put sufficient Asset Control and Access Management controls in place to safeguard customer and candidate data. We also secure and encrypt candidate data at rest. Our customers can be assured that we take data security very seriously and have controls in place to make sure we are compliant with global standards.
Rights of the Data Subject -- GDPR provides broad rights for data subjects on how to manage their personal data. Per Article 5, we established that the information needs to be collected, stored and processed since there is legitimate interest for the controller to make the system fair. So, our customer (data controller) can determine if the candidate’s (data subject’s) request is valid and can be fulfilled. Customers can also deem the request as invalid and not fulfill, according to their agreed upon terms with the data subject. As a processor, HackerRank gives flexibility to our customers to determine their data policies, which offer rights to their candidates. This includes:
- Ability to set a routine data deletion process at a cadence determined by the customer.
- Ability to export information regarding a candidate.
- Ability to delete information regarding a candidate. Any personal data is anonymized.
- Ability to edit candidate information.
Maintaining a Record -- According to Article 30 of GDPR, the customer organization needs to maintain a record of all activities pertaining the personal information of a data subject. HackerRank maintains a detailed Audit log of all the activities. As part of compliance, HackerRank will add any additional activities that customers need to be recorded. These logs are easily retrievable via HackerRank APIs.
Data Breach and Mitigation Process -- Article 33 states that for any potential data breach, the supervisory authority must be notified within 72 hours of occurrence. HackerRank has sufficient data monitoring mechanisms in place to become aware of any such breach. On discovery of a breach, HackerRank intends to notify our customer (controller) of the occurrence immediately, not exceeding 24 hours after the occurrence. The communication will be sent as per the guideline mentioned in Article 33. This will give sufficient time for our customers to convey the breach to the respective authorities.
HackerRank is hosted in Amazon Web Services (AWS) Virtual Private Cloud (VPC) and designed for high Availability with a tiered architecture across sub-regions with subnets and all data collected is encrypted in transit and at rest and is stored in AWS RDS and S3 contained within the VPC. HackerRank uses AWS Region us-east-1 (N. Virginia) as a primary location and AWS Region us-west-2 (Oregon) as the secondary DR location.
HackerRank has a Data processing agreement (DPA) that incorporates all the GDPR clauses and is available for execution
If you have questions about GDPR please speak with your HackerRank account team and we will get them answered for you.