Table of Contents
- 3. Data Processing Agreement (GDPR Article 28)
- 4. Subprocessor List
- 5. Security & Trust Statement
- 6. Acceptable Use Policy
- 8. AI Transparency & Bias Statement
- 9. Service Level Agreement
- 10. Vulnerability Disclosure Policy
- 11. Candidate Privacy Notice (Template)
- 12. Data Retention Policy
Spark Careers Enterprise
Trust & Compliance Document Pack
Privacy, Terms, DPA, Security, AI Transparency, and Operational Commitments
Effective: 27 April 2026
RisePoint Careers Corp.
Suite #193, 700 8th Avenue SW, Calgary, AB T2P 1H2
https://stepupcareers.com
3. Data Processing Agreement (GDPR Article 28)
This Data Processing Agreement ("DPA") forms part of the Terms of Service between RisePoint Careers Corp. ("Processor") and Customer ("Controller"). It applies where the Processor processes Personal Data on behalf of the Controller in connection with the Service and is required by Article 28 of Regulation (EU) 2016/679 (the "GDPR"), the equivalent UK GDPR, or other applicable data protection legislation.
3.1 Definitions
Terms not defined here have the meanings in the GDPR, UK GDPR, or the Terms of Service. "Data Subject," "Personal Data," "Processing," "Controller," "Processor," "Sub-processor," and "Supervisory Authority" have the meanings in the GDPR.
3.2 Subject Matter and Duration
The Processor will process Personal Data on behalf of the Controller to provide the Service. Processing continues for the duration of the subscription and for such additional period as required by applicable law or as set out in Section 12 (Data Retention).
3.3 Nature, Purpose, and Categories (Annex A — Details of Processing)
Nature and purpose: hosted recruitment software, including applicant tracking, resume intake, ATS analysis, AI-assisted candidate screening and assessment, candidate workflow management, hiring analytics, reporting, integration with third-party platforms connected by the Controller, and related communications.
Categories of Data Subjects: Controller's personnel and authorized users; Candidates and applicants whose data the Controller submits; third parties referenced in Candidate materials (e.g., referees, listed employers).
Categories of Personal Data: identity and contact data (name, email, phone, address); employment and education history; resume and CV content; job descriptions (which may contain hiring manager contact details); skills; candidate notes; interview feedback; screening and assessment outputs generated by the Service; technical and usage data (IP address, device identifiers, browser type, session activity); account data (role, permissions).
Special categories: where Candidates voluntarily include special category data (e.g., health, religion, trade union membership) in their resumes, the Controller remains responsible for having a lawful basis and appropriate safeguards. The Processor does not seek or require such data. The Processor's AI screening features are designed to exclude protected characteristics from scoring (see Section 8.10); however, the Controller should consider the risk that automated processing may indirectly reveal special-category information when conducting its data protection impact assessment.
Frequency: continuous, as directed by the Controller through use of the Service.
3.4 Processor Obligations
The Processor will:
Process Personal Data only on documented instructions from the Controller, including for transfers to a third country, unless required by law. The Processor will not process Personal Data for its own purposes, except to produce de-identified and aggregated data as permitted under Section 2.4 of the Terms of Service. If required by law to process Personal Data outside the Controller's instructions, the Processor will notify the Controller before processing unless prohibited from doing so.
Ensure persons authorized to process Personal Data are bound by confidentiality.
Implement the technical and organizational measures described in Annex B (Section 3.13).
Respect conditions for engaging Sub-processors (Section 3.6).
Assist the Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests for exercising Data Subject rights.
Assist the Controller with security, data breach notification, data protection impact assessments, and prior consultation obligations. For data protection impact assessments, the Processor will provide, upon reasonable request, information about the nature, scope, and purpose of processing, the technical and organizational measures in place, and the risks to Data Subjects, to the extent reasonably necessary for the Controller to complete its assessment.
At the Controller's choice, delete or return all Personal Data after the end of provision of services, and delete existing copies unless retention is required by law.
Make available to the Controller all information necessary to demonstrate compliance with Article 28, and allow audits as set out in Section 3.8.
3.5 Controller Obligations
The Controller represents that it has a lawful basis to collect and share Personal Data with the Processor, has provided all required notices to Data Subjects, and has obtained any required consents. The Controller is responsible for the accuracy, quality, and legality of Personal Data and for the means by which it acquired it.
3.6 Sub-processors
The Controller provides general authorization for the Processor to engage Sub-processors. The current list is in Section 4. The Processor will:
Impose written data protection obligations on each Sub-processor that are no less protective than this DPA.
Remain liable to the Controller for the performance of each Sub-processor's obligations.
Give the Controller at least 30 days' prior notice of any intended addition or replacement of Sub-processors (by email to administrators and by updating the public list), during which the Controller may object in writing on reasonable data-protection grounds. If the Controller objects, the Processor will make commercially reasonable efforts to provide an alternative arrangement that avoids the use of the objected-to Sub-processor. If the parties cannot agree on an alternative within 30 days of the objection, the Controller may terminate the affected subscription and receive a pro-rata refund of prepaid fees for the unused portion of the subscription term. The Processor will provide summaries of the data protection terms imposed on each Sub-processor upon the Controller's reasonable request.
3.7 Security Incidents
The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Personal Data Breach affecting the Controller's Personal Data. The notice will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to mitigate. The Processor will provide ongoing updates as additional information becomes available and will cooperate with the Controller's investigation and remediation efforts. The Processor will document the facts of each breach, its effects, and the remedial action taken, and will make that documentation available to the Controller and, upon request, to the relevant supervisory authority. The Processor will provide reasonable assistance to the Controller in fulfilling the Controller's obligations to notify supervisory authorities and affected Data Subjects under applicable law.
3.8 Audits
On reasonable written notice, and no more than once per 12-month period (unless required by a Supervisory Authority or following a Personal Data Breach), the Controller may audit the Processor's compliance with this DPA. Audits may consist of (a) written responses to the Controller's security questionnaires, (b) documentation of the Processor's technical and organizational measures (see Annex B), (c) a SOC 2 Type II report or equivalent independent attestation, if and when one has been obtained, and (d) where the foregoing are insufficient to address the Controller's reasonable concerns, an on-site audit by a mutually agreed independent auditor subject to reasonable confidentiality, scope, and cost-allocation arrangements.
3.9 International Transfers
Where the Processor transfers Personal Data originating in the EEA, UK, or Switzerland outside those areas to a country without an adequacy decision of the relevant authority, the parties agree that the European Commission's Standard Contractual Clauses (Commission Decision (EU) 2021/914), the UK International Data Transfer Addendum, and — for Switzerland — the Swiss FDPIC requirements, are incorporated by reference. The Processor is the data exporter for onward transfers to Sub-processors and the data importer in transfers from the Controller.
3.10 Data Subject Requests
If the Processor receives a request directly from a Data Subject concerning Controller Personal Data, the Processor will not respond to the Data Subject except on the Controller's documented instructions and will forward the request to the Controller within five (5) business days of receipt. The Processor will provide reasonable technical and organizational assistance to enable the Controller to respond to Data Subject requests for access, rectification, erasure, restriction, portability, or objection, including by making available within the Service the tools necessary for the Controller to export, correct, or delete Personal Data. If the Controller notifies the Processor of a Data Subject request received by the Controller (in accordance with Section 3.5), the Processor will cooperate in the same manner.
3.11 Liability
Each party's liability under this DPA is subject to the limitation of liability in the Terms of Service. Nothing in this DPA limits either party's liability to Data Subjects under the GDPR.
3.12 Conflict
In the event of conflict, this DPA controls over the Terms of Service for matters concerning Processing of Personal Data.
3.13 Annex B — Technical and Organizational Measures
The Processor implements the following measures (summary; further detail in Section 5):
Access control: role-based access control (RBAC), least-privilege, named individual accounts, strong password requirements, and email-based verification at account creation; TOTP-based multi-factor authentication for privileged roles planned for rollout (timeline available on request).
Encryption: TLS 1.2+ in transit; encryption at rest for databases and object storage provided by the managed hosting provider.
Pseudonymization and minimization: AI summary generation uses a PII-minimized extract (no names, emails, employers, or raw CV text sent to third-party LLMs).
Malware protection: all uploaded files are scanned using ClamAV; infected files are quarantined and deleted.
Logging and monitoring: application and audit logs; tenant isolation enforced at the database query layer.
Backup and recovery: automated daily backups of the primary database; backup retention and recovery testing intervals are described in Section 12 (Data Retention Policy).
Change management: version control, peer review, CI pipelines, and staged deploys (staging → production).
Personnel: confidentiality obligations, background checks where permitted, and role-appropriate security training.
Vulnerability management: dependency scanning, security patching on a risk-prioritized schedule, and a responsible disclosure program (see Section 10).
Data deletion and disposal: upon termination or erasure request, Customer Data is permanently deleted from production systems and overwritten in backups within the retention windows described in Section 12.
Network and infrastructure security: hosting provider physical security controls (data center certifications available on request); application-layer firewall; DDoS mitigation provided by the hosting platform.
Incident response: documented runbook, defined escalation, post-incident review.
4. Subprocessor List
This page lists the third-party service providers (Subprocessors) that RisePoint engages to operate the Service on the Controller's behalf, as required by the DPA (Section 3.6). We update this list at least 30 days before any material change.
4.1 Core Infrastructure Subprocessors
4.2 Notes
Anthropic: input is a structured, PII-minimized extract (years of experience, seniority level, role titles without employer names, education level, certification counts). Raw resumes, names, and contact details are not sent. Anthropic's commercial API terms provide that customer data is not used to train foundation models.
DigitalOcean Spaces: object storage uses server-side encryption at rest. All traffic to and from Spaces uses TLS.
Stripe: card data is captured by Stripe-hosted elements. We store a customer reference and a subscription reference only.
Brevo: used for invitations, password reset emails, receipts, and support notifications. We transmit the recipient email and the message body only.
4.3 Onward Sub-sub-processors
Each Subprocessor may use its own sub-processors to deliver its services. Those sub-processors are listed in each vendor's published trust page. RisePoint remains liable for the acts and omissions of its Subprocessors and their sub-processors to the same extent as if it had performed the processing itself, as required by Section 3.6 of the DPA.
4.4 Change Notification Policy
We will give at least 30 days' notice before adding or replacing a Subprocessor by (a) updating this list and (b) emailing Customer administrators. During that period, a Customer may object on reasonable data-protection grounds by writing to support@stepupcareers.com. If we are unable to resolve the objection within the 30-day notice period, the Customer may terminate the affected subscription and receive a pro-rata refund of prepaid fees, as provided in Section 3.6 of the DPA.
5. Security & Trust Statement
Security is a first-class product concern at RisePoint. This statement describes the controls we operate today and the controls on our near-term roadmap. We update it as our program evolves.
5.1 Organizational Security
Confidentiality: all personnel are bound by written confidentiality obligations.
Background checks: conducted where permitted by local law for roles with access to production systems.
Security training: role-appropriate training at onboarding and annually thereafter.
Separation of duties: development, review, deployment, and production access are segregated.
5.2 Product Security
Authentication: email and password with bcrypt hashing (work factor 12). Single sign-on via SAML and OIDC is planned for rollout (timeline available on request).
Access tokens: short-lived access tokens (30 minutes) signed with RS256; refresh tokens valid for 14 days and rotated per use.
Multi-factor authentication: email-based verification is required at account creation. TOTP-based MFA for ongoing login sessions is planned for rollout (timeline available on request); organizations will be able to enforce it across their Users.
Authorization: role-based access control with granular permissions. Tenant isolation is enforced at every query by matching the authenticated organization ID.
Audit logging: privileged actions and data changes are written to partitioned audit tables with actor, timestamp, IP address, and user agent. An admin-facing viewer is on our near-term roadmap.
Malware scanning: every uploaded file is scanned with ClamAV before parsing or storage; infected files are quarantined and deleted, and the upload is flagged.
Input validation: centralized request validation, strict content-type checks on uploads, and server-side enforcement of all business rules.
Rate limiting and brute-force protection: API endpoints are rate-limited; login attempts are throttled and protected by Cloudflare Turnstile (see Section 4.1).
Dependency and code scanning: automated dependency scanning for known vulnerabilities; security-focused code review as part of the deployment process.
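The "Authorization" and "Audit logging" controls above describe tenant isolation enforced at every query and audit records carrying actor, timestamp, IP address, and user agent. The following is an added illustration of that pattern (not the platform's own code) against an in-memory SQLite database with constructed sample data: the organization ID comes only from the authenticated session, never from a request parameter, so a candidate ID belonging to another tenant resolves to nothing, and the attempt is still audited.

```python
"""Tenant-scoped repository with audit logging (added illustration)."""
import sqlite3
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

# Constructed schema: every tenant-owned row carries org_id, and the audit
# log records who did what, from where, and when.
SCHEMA = """
CREATE TABLE candidates (
    id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, name TEXT NOT NULL);
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY, org_id INTEGER NOT NULL, actor TEXT NOT NULL,
    action TEXT NOT NULL, target TEXT, ts TEXT NOT NULL,
    ip TEXT NOT NULL, user_agent TEXT NOT NULL);
"""


@dataclass(frozen=True)
class AuthContext:
    """Identity established by the session. org_id here is the only tenant
    key the repository ever uses; callers cannot override it per call."""
    user: str
    org_id: int
    ip: str
    user_agent: str


class CandidateRepo:
    def __init__(self, conn: sqlite3.Connection, ctx: AuthContext):
        self.conn = conn
        self.ctx = ctx

    def _audit(self, action: str, target: Optional[str]) -> None:
        # Attempts are logged whether or not they touched a row, so a
        # cross-tenant probe leaves a trace for detection.
        self.conn.execute(
            "INSERT INTO audit_log (org_id, actor, action, target, ts, ip, user_agent)"
            " VALUES (?, ?, ?, ?, ?, ?, ?)",
            (self.ctx.org_id, self.ctx.user, action, target,
             datetime.now(timezone.utc).isoformat(),
             self.ctx.ip, self.ctx.user_agent))

    def get(self, candidate_id: int) -> Optional[dict]:
        # The org_id predicate is always present: an id that belongs to another
        # tenant returns None instead of that tenant's record.
        row = self.conn.execute(
            "SELECT id, org_id, name FROM candidates WHERE id = ? AND org_id = ?",
            (candidate_id, self.ctx.org_id)).fetchone()
        return dict(zip(("id", "org_id", "name"), row)) if row else None

    def delete(self, candidate_id: int) -> int:
        """Return the number of rows removed (0 when the id is not ours)."""
        cur = self.conn.execute(
            "DELETE FROM candidates WHERE id = ? AND org_id = ?",
            (candidate_id, self.ctx.org_id))
        self._audit("candidate.delete", str(candidate_id))
        return cur.rowcount


def seed_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants (100 and 200), one candidate each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany(
        "INSERT INTO candidates (id, org_id, name) VALUES (?, ?, ?)",
        [(1, 100, "Candidate A"), (2, 200, "Candidate B")])
    return conn


def audit_entries(conn: sqlite3.Connection, org_id: int) -> List[Tuple[str, str, str]]:
    """Audit rows for one tenant, oldest first (actor, action, target)."""
    return conn.execute(
        "SELECT actor, action, target FROM audit_log WHERE org_id = ? ORDER BY id",
        (org_id,)).fetchall()


if __name__ == "__main__":
    db = seed_db()
    other = CandidateRepo(db, AuthContext("bob", 200, "198.51.100.7", "demo-ua"))
    print("cross-tenant read:", other.get(1))        # None
    print("cross-tenant delete:", other.delete(1))   # 0
    print("audit trail for org 200:", audit_entries(db, 200))
```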
5.3 Data Protection
Encryption in transit: TLS 1.2 or higher with modern cipher suites for all traffic to and from the Service.
Encryption at rest: AES-256 encryption managed by our hosting provider for databases and object storage. Encryption keys are controlled by the hosting provider; customer-managed encryption keys are not currently supported.
Secret management: production secrets are stored as environment variables injected at deploy time by the CI pipeline; they are never committed to source control.
Key management: JWT signing keys are stored outside the application image and rotated on a defined schedule.
PII minimization in AI workloads: candidate summaries are generated from a structured extract that excludes names, contact information, employer names, and raw CV text (see also Section 8.10 — Protected Characteristic Exclusions).
Access logging: administrative and privileged actions are logged with timestamp, user identity, and action taken. Logs are retained for at least 12 months and are available for audit upon reasonable request.
5.4 Infrastructure and Operations
Hosting: US-based cloud infrastructure with managed networking and object storage. The specific hosting provider and its data center certifications are detailed in our Subprocessor List (Section 4).
Network: Cloudflare sits in front of the public surface, providing DDoS protection and bot-mitigation (Turnstile) on sensitive endpoints.
Change management: all code changes are reviewed via pull request; CI runs type-checking, tests, and build verification; deploys go through staging before production.
Backups: automated daily snapshots of the primary database; retention windows and restore testing intervals are described in Section 12 (Data Retention Policy).
Monitoring and alerting: application health, error rates, and infrastructure metrics are monitored continuously; automated alerts escalate anomalies to the engineering team.
Patching: operating system and runtime patches are applied on a risk-prioritized schedule; critical and high-severity vulnerabilities are addressed within the timelines described in Section 5.5 (Vulnerability Management).
5.5 Contact
Security questions and vendor questionnaires: support@stepupcareers.com
6. Acceptable Use Policy
This Acceptable Use Policy ("AUP") applies to all use of the Service (as defined in Section 2.1). It supplements Section 2.5 of the Terms of Service, into which it is incorporated. We may investigate suspected violations, remove content, suspend access, or terminate accounts in response to violations.
6.1 Prohibited Content and Conduct
You may not use the Service to:
Violate any law, regulation, court order, or the rights of any third party.
Discriminate unlawfully in hiring, including on the basis of race, color, religion, sex (including pregnancy, sexual orientation, or gender identity), national origin, age, disability, genetic information, veteran status, or any other category protected by law.
Make an employment decision based solely on an automated score or AI-generated output without qualified human review.
Upload content that is defamatory, harassing, threatening, hateful, obscene, or otherwise unlawful.
Upload personal information you have no lawful basis to share, including special category data under the GDPR where a lawful basis is not in place.
Upload malware, ransomware, spyware, or other malicious code.
Attempt to circumvent security features, rate limits, or access controls.
Reverse engineer, decompile, disassemble, or otherwise attempt to derive source code from the Service, except as permitted by law.
Probe, scan, or test the vulnerability of our systems except under our Vulnerability Disclosure Policy (Section 10).
Use the Service to send unsolicited commercial messages or to harvest contact information.
Use the Service to build a competing product, or to benchmark performance without our prior written consent.
Impose excessive load that degrades Service performance for other Customers.
Access the Service through automated means (bots, scrapers, or crawlers) except via documented APIs with valid authentication.
Share login credentials or allow unauthorized individuals to access the Service under your account.
6.2 Enforcement
We may remove content that violates this AUP and may suspend or terminate accounts for material or repeated violations. Where a violation poses imminent risk to the Service or to other Customers, we may act without prior notice. We will act proportionately and, for violations that do not pose an immediate security or legal risk, provide written notice and a cure period of not less than 15 days in accordance with Section 2.5.
6.3 Reporting
Report suspected violations to support@stepupcareers.com.
8. AI Transparency & Bias Statement
The Service includes AI-powered features that Customers use to accelerate hiring work. RisePoint develops and provides these features; Customers deploy them within their own hiring workflows. We are transparent about how these features work, what data they process, what decisions they support (and do not make), and how we mitigate the risk of unlawful discrimination. This statement is aligned with New York City Local Law 144 (AEDT), the EU AI Act, the Colorado AI Act, and the Illinois Artificial Intelligence Video Interview Act.
8.1 Where We Use AI
ATS Fit Scoring: a deterministic scoring engine compares structured signals derived from a resume against structured signals derived from a job description (skills, years of experience, seniority level, role family). It outputs a numeric score and a bucket (High / Mid / Low / Below threshold). This engine is rule-based, not a machine-learning model.
Candidate Summaries: a large language model generates a concise, human-readable summary from a PII-minimized structured extract — years of experience, seniority level, role titles without employer names, education level, certification count. The model never sees names, emails, phone numbers, employer names, or raw CV text.
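Section 5.3 and the Candidate Summaries item above both describe a PII-minimized structured extract (years of experience, seniority level, role titles without employer names, education level, certification count) as the only input to the language model. The following is an added illustration of building and checking such an extract; it is not the platform's own code, the parsed-resume layout and field names are assumed, and the sample resume is constructed. It also handles the case the wording implies, where an employer name is embedded in a role title.

```python
"""Allow-listed extract for AI summaries, with a pre-send check (added illustration)."""
import json
import re
from typing import List

# Only these fields may leave the system; everything else is dropped.
ALLOWED_FIELDS = ("years_experience", "seniority_level", "role_titles",
                  "education_level", "certification_count")
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d\s().-]{7,}\d")

# Constructed sample of a parsed resume (assumed layout, not real data).
SAMPLE_RESUME = {
    "name": "Jane Doe",
    "email": "jane.doe@example.com",
    "phone": "+1 403 555 0100",
    "seniority_level": "senior",
    "education_level": "bachelor",
    "certifications": ["cert-1", "cert-2"],
    "roles": [
        {"title": "Senior Software Engineer at Acme Corp", "employer": "Acme Corp", "years": 4},
        {"title": "Software Engineer", "employer": "Globex", "years": 3},
    ],
}


def scrub_title(title: str, employers: List[str]) -> str:
    """Remove employer names that parsers often leave inside a role title."""
    for emp in employers:
        title = re.sub(r"\s+at\s+" + re.escape(emp) + r"\b", "", title, flags=re.I)
        title = re.sub(re.escape(emp), "", title, flags=re.I)
    return " ".join(title.split())


def build_summary_extract(resume: dict, scrub_employers: bool = True) -> dict:
    """Project the parsed resume onto the allow-listed fields only."""
    roles = resume.get("roles", [])
    employers = [r["employer"] for r in roles if r.get("employer")]
    titles = [scrub_title(r["title"], employers) if scrub_employers else r["title"]
              for r in roles]
    return {
        "years_experience": sum(r["years"] for r in roles),
        "seniority_level": resume.get("seniority_level", "unknown"),
        "role_titles": titles,
        "education_level": resume.get("education_level", "unknown"),
        "certification_count": len(resume.get("certifications", [])),
    }


def check_extract(extract: dict, resume: dict) -> List[str]:
    """Return violations found before sending; an empty list means safe to send."""
    problems = []
    extra = set(extract) - set(ALLOWED_FIELDS)
    if extra:
        problems.append("unexpected fields: " + ", ".join(sorted(extra)))
    blob = json.dumps(extract).lower()
    for label in ("name", "email", "phone"):
        value = resume.get(label)
        if value and value.lower() in blob:
            problems.append(label + " present")
    for role in resume.get("roles", []):
        if role.get("employer") and role["employer"].lower() in blob:
            problems.append("employer present: " + role["employer"])
    if EMAIL_RE.search(blob):
        problems.append("email-shaped token")
    if PHONE_RE.search(blob):
        problems.append("phone-shaped token")
    return problems


if __name__ == "__main__":
    extract = build_summary_extract(SAMPLE_RESUME)
    print(json.dumps(extract, indent=2))
    print("violations:", check_extract(extract, SAMPLE_RESUME))
```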
8.2 What AI Does Not Decide
Neither the scoring engine nor the summary generator makes hiring decisions. They are decision-support tools. Every decision to advance, reject, or make an offer to a Candidate is made by a qualified human reviewer inside the Customer organization. The Customer is responsible for those decisions.
8.3 Human Oversight Requirement
Customers must not use AI scores or summaries as the sole basis for any employment decision. The product surfaces this expectation in the interface and in customer onboarding materials.
8.4 Candidate Notice
Where a Customer uses the Service to evaluate a Candidate, we provide Customers with template notice language that can be surfaced to Candidates, including information about the use of AI-assisted screening, the opportunity to request accommodation, and how to exercise data subject rights. A template Candidate Privacy Notice is provided in Section 11 of this pack. Customers are responsible for customizing and delivering this notice in accordance with local law.
8.5 Bias Audit Program
Commitment: We commit to an independent bias audit of the ATS scoring engine prior to use by any Customer in New York City, in accordance with New York City Local Law 144 and 6 RCNY § 5-300.
Methodology: The audit will compute impact ratios across categories required by Local Law 144 (sex, race/ethnicity, intersectional categories), using representative data drawn from the Customer's historical selection or a valid test dataset as permitted by the rule.
Publication: Summary results, the date of the most recent audit, and the distribution date will be published on our website no later than the date of first use.
Cadence: Audits are refreshed at least annually or whenever we make a material change to the scoring engine. This audit program is also designed to satisfy the impact assessment and risk management obligations under the Colorado AI Act (see Section 8.8).
8.6 EU AI Act Positioning
As the provider of the ATS fit scoring engine, we classify it as a high-risk AI system under Annex III of the EU AI Act (employment and worker management). Customers who use these features are deployers under the Act and have their own obligations, including conducting fundamental-rights impact assessments. The following measures are in place or under active development (items marked "planned" are on our compliance roadmap):
Risk management system (documented).
Data governance and representativeness controls for reference data (skills taxonomy).
Technical documentation and logging sufficient to enable traceability of outputs.
Transparency information provided to deployers (Customers).
Human oversight by design — scores never execute an employment decision.
Accuracy, robustness, and cybersecurity controls described in Section 5.
A CE conformity declaration will be prepared before offering the high-risk AI system to deployers in the EU, on the EU AI Act's implementation timeline.
8.7 Illinois AIVIA (Artificial Intelligence Video Interview Act)
The Service does not currently use AI to analyze video interviews. If we introduce such a feature, we will collect prior Candidate consent, provide the required explanatory information, restrict data sharing to those whose expertise is necessary to evaluate an applicant, and destroy relevant videos upon Candidate request.
8.8 Colorado AI Act
As the developer of a high-risk AI system under the Colorado AI Act, we will provide Customers (who are deployers under the Act) with the disclosures required by the Act, including a statement describing the system, its intended uses, known limitations, training data type categories, risk mitigations, and performance evaluations. We will also publish a public statement summarizing the categories of high-risk AI systems we have developed.
8.9 Data Not Used for Model Training
We do not use Customer Data or Candidate data to train third-party foundation models. Our contract with Anthropic provides that data sent to the Claude API is not used for model training.
8.10 Protected Characteristic Exclusions
The scoring engine does not receive or use protected characteristics as inputs. It relies on skills, years of experience, seniority level, and role family. We do not build proxy features intended to approximate protected characteristics, and we monitor for disparate impact as described in Section 8.5.
8.11 Candidate Rights Regarding AI
Candidates may, subject to local law, request:
An explanation of whether AI-assisted screening was used;
Review of any automated assessment by a qualified human (where the Customer's workflow provides for this);
Accommodation for a disability that may affect the assessment;
The exercise of data subject rights under applicable privacy law (see Sections 1.8, 1.9, and the Quebec Law 25 provisions in Section 1.4).
Requests should be directed to the employer in the first instance; we will support the employer in responding.
8.12 Contact
AI governance questions: support@stepupcareers.com with subject line "AI Governance."
9. Service Level Agreement
This Service Level Agreement ("SLA") describes the uptime commitment and support terms for paid plans of the Service. This SLA is subject to the Terms of Service.
9.1 Uptime Commitment
9.2 Definitions
"Monthly Uptime Percentage" means total minutes in a calendar month, minus Unavailable Minutes, divided by total minutes in the month, expressed as a percentage.
"Unavailable" means the Service returns server errors on the core authenticated product surface for more than 5 consecutive minutes, as measured by our external monitoring.
"Excluded Time" means scheduled maintenance announced at least 48 hours in advance; emergency maintenance for security or integrity; failures caused by the Customer's systems, networks, or misuse; and force majeure.
9.3 Support
"Critical" means the Service is fully unavailable or a security incident is in progress.
9.4 Maintenance
Routine maintenance windows are advertised on our status page at least 48 hours in advance. We aim to schedule them outside peak business hours in the US Eastern time zone. Emergency maintenance may occur without prior notice where required to protect the Service or Customer Data.
10. Vulnerability Disclosure Policy
StepUpCareers welcomes reports from security researchers. This policy describes how to report a vulnerability and how we will respond.
10.1 Scope
In scope:
https://stepupcareers.com
app.stepupcareers.com and any subdomain serving the Service
Our public APIs (as documented)
Out of scope:
Third-party services we integrate with (report those to the vendor)
Findings that require physical access to a user's device
Social engineering of our personnel or Customers
Denial-of-service attacks or resource-exhaustion tests
Findings from automated scanners without a demonstrated impact
Missing best-practice configurations without a demonstrated impact (e.g., missing security headers with no exploitable impact)
10.2 Safe Harbor
We will not pursue legal action against you for good-faith security research that (a) complies with this policy, (b) avoids privacy violations, degradation of service, and destruction of data, and (c) gives us a reasonable opportunity to remediate before public disclosure.
10.3 How to Report
Email support@stepupcareers.com with:
A clear description of the issue and its impact
Steps to reproduce (and a proof-of-concept, if applicable)
Any tools or accounts you used
Whether you plan to publish, and if so, when
You may encrypt your report with our PGP key, available at https://stepupcareers.com/.well-known/security.txt.
10.4 Our Commitments
We will acknowledge your report within 3 business days.
We will keep you informed of progress at reasonable intervals.
We will remediate valid issues on a timeline that reflects severity: critical within 7 days, high within 30 days, medium within 90 days.
With your permission, we will credit you in any public advisory.
We do not operate a paid bug bounty program at this time. This may change in the future.
11. Candidate Privacy Notice (Template)
This notice is a template that our Customers (employers) may adapt and display to Candidates. It explains how their personal information is processed when they apply for a role through a Customer using the StepUpCareers platform.
11.1 Who Is the Controller
The employer to which you are applying is the Data Controller for your personal information. Spark Careers Enterprise acts as a Data Processor on the employer's behalf.
11.2 What We Collect
Your resume or CV and its contents (identity, contact, employment and education history, skills, and anything else you choose to include).
Information you provide in application forms.
Interview notes and communications that the employer records within the platform.
AI-generated screening summaries and fit scores produced by the platform (see Section 11.4).
Technical information necessary to deliver the application experience (e.g., IP address, device type).
11.3 How Your Information Is Used
To evaluate your application and communicate with you about it.
To produce a structured AI-assisted summary and ATS fit score to support human reviewers. AI does not make hiring decisions.
To comply with legal obligations (e.g., record-keeping for equal employment law).
To maintain a candidate pool for future roles, where permitted by law and the employer's retention schedule.
11.4 AI-Assisted Screening
The employer uses AI-assisted tools to help sort and summarize applications. Scoring is rule-based and uses structured attributes (skills, years of experience, seniority, role family). Summaries are generated from a PII-minimized extract. No employment decision is made by AI alone; a human reviewer makes or confirms every advance or rejection decision. You may request review by a human and reasonable accommodation where available.
11.5 Your Rights
Access, correct, delete, restrict, or port your personal information.
Withdraw your application at any time.
Object to processing or automated decision-making.
Lodge a complaint with your local Data Protection Authority.
Send requests to the employer first. Spark Careers Enterprise will support the employer in responding.
11.6 Retention
Your application data is retained according to the employer's retention schedule and applicable law. If you are not selected, your data may be retained for a period after the decision to comply with equal-employment record-keeping requirements.
11.7 International Transfers
Personal information may be processed in the United States. The employer and StepUpCareers use appropriate safeguards — including Standard Contractual Clauses, contractual commitments, and organizational measures — to ensure your information receives a comparable level of protection under applicable law.
11.8 Contact
Contact the employer directly for questions about your application. For questions about the platform itself, contact support@stepupcareers.com.
12. Data Retention Policy
RisePoint retains personal information and Customer Data for no longer than necessary for the purposes described in our Privacy Policy (Section 1) and the Customer's instructions, consistent with PIPEDA Principle 4.5 and other applicable data protection legislation. This policy summarizes our default retention schedule.
12.1 Retention Schedule
12.2 Customer-Controlled Retention
Customers may set stricter retention rules for Customer Data through platform settings or by written request to support@stepupcareers.com. On deletion by a Customer, records are soft-deleted immediately and hard-deleted from primary storage within 30 days, except where a legal hold requires continued retention.
12.3 Legal Holds
We may retain data beyond the periods above when required by law, regulatory request, or legal proceedings. Data on legal hold is segregated and access is restricted.
12.4 Anonymization
Where we wish to retain aggregated insights past the applicable retention window, we anonymize the underlying records so that an individual cannot be re-identified, using techniques aligned with the GDPR's definition of anonymization.
12.5 Backups and End-of-Life
Deletion requests are reflected in backups as backups cycle out within the backup retention window (30 days). We do not selectively edit backup archives.