Privacy Policy

Secondframe ("we," "us," or "our") operates the Secondframe platform and related services (the "Service").

We are committed to protecting personal data and handling it responsibly, transparently, and in accordance with applicable privacy laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA), where applicable.

This Privacy Policy explains how we collect, use, store, and protect personal information when customers and candidates interact with our services.

Our platform is used by organizations ("Customers") to evaluate technical judgment logic.

In relation to candidate data submitted by Customers:

We process candidate personal data solely on behalf of our Customers and in accordance with their instructions.

A. Customer Account Information: When organizations create an account, we may collect name, company name, work email address, billing information, credentials, and communication history.

B. Candidate Information: Customers may submit candidate name, email address, assessment responses, uploaded documents, evaluation scores, and interview notes. We do not independently source candidate data.

C. Usage & Technical Data: We automatically collect IP addresses, device/browser types, log data, and interaction metrics to ensure security and performance.

We use collected information to provide and operate the Service, process assessments, generate reports, maintain security, and provide support.

We do not sell personal data. We do not use candidate data for advertising. We do not use candidate responses to train public AI models.

Where GDPR applies, we process data based on contractual necessity, legitimate interests (security and improvement), and Customer instructions. For candidate data, the Customer determines the lawful basis.

Customer and candidate data is retained as long as the Customer maintains an active account or until deletion is requested. Upon account termination, data is deleted within a reasonable period unless retention is required by law.

We do not sell or rent personal data. We may share data only with trusted service providers (hosting, payments), professional advisors, or authorities when legally required.

If data is transferred outside the original jurisdiction, we implement appropriate safeguards in accordance with applicable law.

We implement technical measures including HTTPS encryption, secure cloud infrastructure, and role-based access controls to protect personal data.

Depending on jurisdiction, individuals may have rights to access, correct, delete, or object to processing. Candidates should contact the hiring organization (Data Controller) directly to exercise these rights.

The Service is not intended for use by individuals under 16 years of age. We do not knowingly collect data from minors.

We may update this Privacy Policy periodically. Continued use of the Service after changes constitutes acceptance of the updated policy.

For privacy-related inquiries: