Cactus' Commitment to the GDPR
At Cactus, we are fully committed to preserving our users’ rights to data privacy and data protection. To that end, we have implemented both technical and organizational measures to ensure full compliance with the GDPR.
Data Processing and Ownership
Throughout the hiring process, our customers will collect Personally Identifiable Information (PII) from their candidates. This information is used to build candidate profiles and to administer pre-employment interviews and assessments with our software. When a candidate is invited to an assessment on Cactus, we store the following PII on behalf of our customer:
Name (first and last)
Data Subject Rights
Under the GDPR, individuals may exercise their rights of access, data portability, rectification, and erasure (the "right to be forgotten") with any organization where they apply for employment. A simple way to think of this is as Candidate Data Rights under the GDPR.
We collect candidate data on behalf of our customers, and any requests regarding accessing, editing, or deletion of candidate data will be forwarded to our customers. We allow our customers to access their candidate data and comply with requests from their candidates in-app. This way, our customers are always in control of their candidate data.
The customer can determine if their candidate’s request is valid and can be fulfilled. We will take action based on the direction provided by our customer on how to proceed with any such request.
As a processor, Cactus provides flexibility to our customers to determine their own data policies and how they may offer these rights to their candidates. This includes the ability to access, edit, and delete information regarding a candidate. We also provide the ability to set a routine data deletion process at a cadence determined by the customer.
Data within Cactus is secured using industry-standard encryption. Data may be transferred outside the EU only where our customer and Cactus have entered into a contract that incorporates the Standard Contractual Clauses approved by the European Commission. Cactus uses a standard EU-specific data transfer and processing agreement for this purpose to ensure compliance with the GDPR.
The GDPR also stipulates that personally identifiable data should not be stored indefinitely. Cactus' data retention policy provides flexibility to our customers to define how long their candidates’ PII should be stored and when it should be deleted. Data is stored for the duration of the contracted period with our customer, as well as a grace period thereafter.
Data Breach Prevention and Mitigation
We have monitoring mechanisms in place to detect personal data breaches. If a personal data breach occurs, we notify affected customers per our internal incident response policy, without undue delay and in any case within 72 hours of discovering the breach. This allows our customers, as controllers, to meet their own obligation under the GDPR to notify the relevant supervisory authority within 72 hours of becoming aware of a breach.
Additionally, we will notify the concerned party through email (using the primary email address) for incidents specific to an individual user or an organization.
At Cactus, we are committed to the security and privacy of your data. We’re glad to comply and help you to comply with the GDPR. If you have any questions about your rights under the GDPR as a user, or how Cactus can help you with compliance as a customer, please get in touch with [email protected].
Frequently Asked GDPR Questions:
What data do we collect?
When a candidate begins an assessment on Cactus, we store the following candidate information on behalf of our customer:
If the hiring manager uses a Cactus account for inviting candidates to assessments, then we store the following information:
Where is candidate data stored?
Cactus candidate data is stored in Frankfurt, Germany.
Who is responsible for candidate data?
Cactus customers own the data of all their candidates and act as the data controller. The responsibility for updating and deleting candidate data when requested by a candidate lies with the customer. Cactus is happy to provide our customers with the necessary support to carry out such requests.
How long is candidate data stored?
It depends on the customer. For customers located within the EU, we provide a GDPR setting that, when enabled, ensures the deletion of candidate data 6 months after the hiring decision. In addition, we always support data deletion through requests sent to [email protected] for all of our users.
Who has access to candidate data?
The following people have access to candidate data on Cactus:
Hiring managers who administer the assessment.
Reviewers who review the assessment.
Candidates themselves upon request to the customer.
The Cactus internal team when a support request is raised by the customer and data access is necessary to support the request.
Does Cactus maintain any subprocessor relationships?
Cactus is a data processor and engages certain onward subprocessors that may process personal data submitted to Cactus' services by the customer. These subprocessors are listed below with a description of the service and the location where data is hosted. This list may be updated from time to time:
Amazon Web Services, Inc. for hosting infrastructure, databases, and file storage, as well as log files (Frankfurt, Germany)
Stripe, Inc. for payment processing (USA)
How can a customer request the deletion of candidate data?
Customers may "archive" candidates themselves at any time in-app, and the archived data will be marked for deletion. Alternatively, customers can email us at [email protected] with a list of the candidate data to be deleted.
Can deleted data be reinstated?
No. Once data has been deleted, we cannot retrieve or reinstate it.
If you archived a candidate by accident, please write to us at [email protected] as soon as possible; if the record has only been marked for deletion and not yet deleted, we will check whether it can still be restored.