Secure RPO Privacy Policy

Effective Date: 1 August 2025

Secure RPO (“Secure RPO,” “we,” “our,” or “us”) values the privacy of every candidate, client, employee, and website visitor. This Privacy Policy explains how we collect, use, disclose, retain, and secure personal information when we perform recruitment and staffing services, operate www.securerpo.com, or otherwise engage with you. The Policy has been drafted to satisfy major privacy frameworks in the United States (including the California Consumer Privacy Act/Privacy Rights Act and emerging state laws), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), and India’s Digital Personal Data Protection Act 2023 (DPDP Act).

Overview

Secure RPO stores and processes candidate and client data in two primary Software-as-a-Service (“SaaS”) platforms:

 

    • Ceipal ATS & Workforce – a SOC 2–audited Applicant Tracking System hosted in the United States.
    • Zoho Bigin CRM – a GDPR-, HIPAA-, and PIPEDA-aligned customer-relationship platform hosted in multiple global data centers.

 

Both providers act as data processors/service providers to Secure RPO, while Secure RPO remains the data controller/data fiduciary responsible for identifying lawful purposes and honoring data-subject rights.

The Policy applies to personal data collected through:

 

    • Resume submission, job applications, interviews, background checks, and onboarding.
    • Client onboarding, sales, and account management interactions.
    • Our public website, social-media pages, events, and marketing campaigns.

 

1. Key Definitions

 

Term | Meaning
“Personal information / Personal data” | Any information that identifies, relates to, describes, or could reasonably be linked to an identifiable individual, whether alone or in combination
“Processing” | Any operation performed on personal information, such as collection, recording, storage, use, disclosure, or erasure
“Controller / Data Fiduciary” | The entity that determines the purposes and means of processing personal information
“Processor / Service Provider” | An entity that processes personal information on behalf of a controller
“Sensitive personal data” | Data revealing health, biometric identifiers, financial information, Social Security/National ID numbers, precise geolocation, or children’s data

2. Categories of Information We Collect

2.1 Candidate Information

 

    • Identity data: full name, preferred name, date of birth, photographs
    • Contact data: postal address, email, telephone
    • Professional data: résumé/CV, certifications, employment history, salary expectations
    • Assessment data: interview notes, skills-test results, reference checks
    • Right-to-work & compliance data: visas, work authorizations, background-check outcomes (permitted under applicable law)

 

2.2 Client & Prospect Information

 

    • Company name, job-order details, points of contact, billing data.
    • Communications logs, contract documents, and CRM notes stored in Bigin.

 

2.3 Website & Device Information

 

    • IP address, browser type, pages visited, time-on-page, and cookies (see Section 11).
    • Marketing interaction data (email opens, SMS responses) collected via Ceipal and Zoho campaign tools.

 

2.4 Sensitive Categories (Processed Only When Lawfully Required)

 

Sensitive Category | Example Purposes | Lawful Basis
Government ID numbers | Work authorization for U.S. Form I-9, Canadian SIN, Indian Aadhaar | Legal obligation / Consent
Health information | Disability accommodation during interviews | Explicit consent / Compliance with employment law
Minor data (under 16) | Rare internship programs | Parental consent / COPPA & DPDP child provisions

3. Legal Bases for Processing

Secure RPO relies on one or more of the following grounds:

 

    1. Contractual necessity – to assess candidates for roles requested by clients and to deliver staffing services.
    2. Consent – where required for background screening, marketing emails, or processing sensitive data.
    3. Legitimate interests – improving recruitment efficiencies, preventing fraud, securing our systems; balanced against individual rights.
    4. Legal obligation – fulfilling immigration, labor, tax, and equal-opportunity regulations in the U.S., Canada, and India.

 

4. How We Use Personal Information

 

Purpose | Description
Recruitment services | Sourcing, screening, matching, coordinating interviews, feedback loops, offer management
Client relationship management | Tracking job requisitions, account history, invoicing
Analytics & product improvement | Anonymized metrics in Ceipal and Zoho dashboards to enhance service quality
Communications | Email, SMS, or phone updates on application status; opt-out available at any time
Regulatory compliance | I-9, E-Verify, OFCCP, CRA, DPDP Board inquiries, record retention
Security & fraud prevention | Monitoring for unauthorized access, phishing, spam, or identity fraud

We never sell or rent personal information for advertising revenue.

5. Disclosures & International Data Transfers

5.1 Routine Disclosures

 

    • Service providers: Ceipal Corp. (U.S.), Zoho Corp. (global), background-check vendors, cloud-hosting partners. All are bound by written Data Processing Addenda incorporating Standard Contractual Clauses or equivalent safeguards.
    • Clients: Candidate résumé data and interview feedback are shared only with authorized client hiring managers under confidentiality obligation.
    • Affiliates: Secure RPO entities in the United States, Canada, and India share data internally under intra-group agreements that meet SOC 2 and DPDP requirements.

 

5.2 Cross-Border Mechanisms

 

Origin | Destination | Transfer Mechanism
Canada → U.S./India | Ceipal/Bigin hosting | PIPEDA contractual clauses & equivalent protections
India → U.S./Canada | Candidate profile sync | DPDP-compliant standard contracts & government-approved whitelists
EEA/UK → U.S. (rare) | Client global mandates | EU Standard Contractual Clauses + additional SOC 2 controls

6. Data Retention

 

Data Set | Retention Period | Rationale
Candidate files (hired) | 7 years after termination | Statute of limitations for employment claims
Candidate files (not hired) | 3 years or shorter if lawful basis expires | Talent-pool management & EEOC / CRA audit windows
Client contracts & billing | 7 years | Tax and accounting laws
Marketing contact data | Until opt-out or 2 years of inactivity | PIPEDA reasonableness test
Web logs & security events | 12 months | Threat-detection and forensic investigations

Secure RPO anonymizes or securely deletes data once retention thresholds elapse, except where preservation is mandated by law or litigation hold.

7. Security Measures

 

    • Ceipal and Zoho environments are SOC 2 Type II, ISO 27001 certified, and encrypt data in transit (TLS 1.2+) and at rest (AES-256).
    • Multi-factor authentication, role-based access controls, and peer-visibility restrictions in Bigin limit unauthorized access.
    • Regular penetration testing, vulnerability scans, and 24×7 logging in AWS/Azure cloud servers.
    • Incident Response Plan aligned with NIST SP 800-61 and DPDP Rules; material breaches are reported to regulators and affected individuals within statutory time frames (e.g., 72 hours under DPDP Rules draft).

 

8. Individual Privacy Rights

Secure RPO honors rights afforded by applicable jurisdictions.

To exercise rights, email info@securerpo.com or submit an online request form. We will verify your identity via email or government-issued ID (redacted) and respond within the legally mandated period (45 days U.S.; 30 days Canada; reasonable under DPDP). Authorized agents may submit requests with signed permission and proof of identity.

9. Special Notices

9.1 U.S. Applicants

Secure RPO provides the “CCPA Job Applicant Notice” outlining categories, purposes, and retention of personal information at or before the point of collection. We do not discriminate against applicants who exercise CCPA/CPRA rights.

9.2 Canadian Applicants

Our recruitment processing complies with the 10 PIPEDA Fair Information Principles, including Accountability, Consent, Limiting Collection/Use, Safeguards, and Openness. Complaints may be escalated to the Office of the Privacy Commissioner of Canada.

9.3 Indian Data Principals

Under the DPDP Act 2023, Secure RPO is a “Data Fiduciary.” You may file grievances with our Data Protection Officer or, after exhaustion of internal remedies, appeal to the Data Protection Board of India.

9.4 Children’s Data

We do not knowingly solicit or process data from individuals under 16 years of age without verifiable parental consent, consistent with COPPA, PIPEDA, and Section 9 of the DPDP Act.

10. Automated Decision-Making & Artificial Intelligence

Ceipal offers résumé-ranking algorithms and candidate-match scores; these tools assist recruiters but do not make final hiring decisions without human involvement. Candidates may request meaningful information about the logic involved and contest any automated output.

11. Cookies & Similar Technologies

Secure RPO uses:

 

    • Essential cookies – session management, authentication.
    • Functional cookies – language, location preferences.
    • Analytics cookies – Google Analytics to measure traffic; IPs are truncated where required by law.

 

Most browsers allow you to block or delete cookies. Disabling cookies may limit site functionality. We honor recognized opt-out preference signals for U.S. state privacy laws where technically feasible.

12. External Links & Social Media

Our website may contain links to third-party sites (e.g., LinkedIn, Glassdoor). Clicking those links may allow third parties to collect data; Secure RPO is not responsible for their practices. Social-media widgets may set their own cookies; your interactions are governed by those platforms’ policies.

13. Data Protection Officer & Contact Information

Data Protection Officer (Global):

Mr. Rishap Joshi
Secure RPO – Privacy Office
Suite 106, H32, Sector 63, Noida 201 301, Uttar Pradesh, India
Email: info@securerpo.com
Phone: +91-120-4900955

U.S. & Canada Representative:
Secure RPO, 112 Capitol Trail Suite A366, Newark, Delaware 19702, USA

14. Changes to This Policy

We may update this Policy to reflect new regulations, technologies, or business practices. Material changes will be announced on our website and, where required, emailed at least 30 days before taking effect. Continued use of our services after the effective date constitutes acceptance of the revised Policy.

15. California “Shine the Light”

California residents may request a list of third parties to whom we have disclosed personal information for direct-marketing purposes in the preceding calendar year. Email info@securerpo.com with “Shine the Light” in the subject line.

16. Complaints & Dispute Resolution

We encourage you to contact our DPO first. If unresolved:

 

    • U.S. – File a complaint with the California Privacy Protection Agency or your state Attorney General.
    • Canada – Office of the Privacy Commissioner of Canada, 30 Victoria Street, Gatineau QC K1A 1H.
    • India – Data Protection Board of India under the DPDP Act.

 

We will cooperate with regulators and, where applicable, participate in mediation or binding arbitration to resolve disputes.

17. Annex A – Brief Summary of Major Legal Requirements

 

Framework | Key Obligations | How Secure RPO Complies
CCPA/CPRA (California) | Notice at collection; rights to know, delete, correct, opt-out of sales/sharing; data-protection assessments for significant risk processing | Job-applicant notice and “Do Not Sell/Share” link; annual risk-assessment review
Colorado CPA, Virginia CDPA, Connecticut DPA, Utah UCPA, Iowa ICDPA | Transparency, data-protection assessments, consumer rights | Same core processes extended across U.S. states; universal opt-out mechanism honored
PIPEDA (Canada) | Ten Fair Information Principles; meaningful consent; access within 30 days | Consent forms built into Ceipal/Bigin; Canadian data stored in SOC 2 environments; internal Privacy Officer
DPDP Act 2023 (India) | Lawful purpose, consent manager, notice, data-principal rights; Data Protection Board | Updated recruitment consent templates; records of cross-border transfers; breach reporting workflow
SOC 2 | Security, Availability, Confidentiality, Processing Integrity, Privacy | Annual independent audits of Ceipal and Secure RPO infrastructure

18. Acknowledgment

By submitting your résumé, engaging Secure RPO’s services, or accessing our website, you acknowledge that you have read and understood this Privacy Policy and agree to its terms. If you do not agree, please do not provide personal information or use our services.

Last reviewed 25 July 2025. The English version of this Policy prevails in case of conflict with translated versions.