BeyondTrust Candidate Privacy Notice

Your privacy and the protection of your personal data is important to us. This Candidate Privacy Notice describes how, why, and when BeyondTrust processes your personal data when you apply for a job with our organization.

Please note that when you receive and accept an offer of employment, we will process your personal data according to our internal Employee Privacy Notice, starting from the official date of employment.

BeyondTrust Corporation and its corporate affiliates (referred to as “BeyondTrust”, “we”, “us” or “our”) offer intelligent identity and secure access products and services.

We are the controller of your personal data and we are responsible for processing it when you apply for a job role.

Our principal office is located at 11695 Johns Creek Parkway, Suite 200, Johns Creek, Georgia 30097 and we are a U.S. corporation registered in Delaware. For more information on our global offices, see our Contact page.

Data Protection Officer (DPO): We have appointed a DPO who is responsible for answering questions about this Candidate Privacy Notice and the processing of your personal data. If you have questions, please contact our DPO, Valerie Moulden, at dataprotectionofficer@beyondtrust.com.

When you apply for a job with BeyondTrust, we may collect, use, store, and transfer different categories and types of your personal data. In this section you will find:

• The categories and types of personal data we process about you, including sensitive personal data;
• The purpose and the lawful ground for processing your data; and
• An explanation of how we collect your personal data.

Employment & Job Application Data: Education data and other employment related personal data on your application, resume, CV, and/or cover letter. For example, education, degrees and training history, previous employment information, professional experience, job title, qualifications and/or professional certifications, salary related information, professional references, and right to work information.

Contact Information: Your full name, your work and/or home address, home or mobile telephone number, personal or professional email address, and social media contact/accounts.

Identity Data: Information which relates to your identity, including your date of birth; passport or national identity card details, social security number (SSN), visa and work permit details, citizenship, and legal residency status.

Special Categories of Personal Data: Including gender, race and ethnicity, disability status, criminal convictions and offence records, and other sensitive data you may submit as part of your application.

Purpose/Activity:

Our recruitment process includes the following activities: (i) receiving your job application; (ii) setting up and conducting interviews and tests; (iii) assessing and evaluating of interview, tests, and overall application;(iv) carrying out references and background checks; (v) initiating procedure to enter into an employment agreement; and (vi) any other recruiting related activity.

We process your personal data as part of the above activities for the following purposes:

1. Assessing your skills, qualifications, and suitability for the role you have applied for;
2. Developing and improving our recruitment process;
3. Discussing and processing the application and/or communicating with you about the same;
4. Performing verifications and other checks in relation to (i) your right to work in the relevant location, if you need a visa or a work permit, and (ii) your references and professional background;
5. Verifying information on your resume/CV such as qualifications and employment history;
6. Complying with applicable legal and regulatory requirements (e.g. employment, health & safety, tax, immigration, and anti-discrimination laws);
7. Maintaining records regarding our hiring procedures and
8. Re- engaging with you for future opportunities.

Type of Personal Data:

1. Employment and job application data
2. Contact information
3. Identity data

Lawful Basis:

We use the following lawful grounds of processing in relation to job applications:

1. Processing is necessary in order to take steps at your request prior to entering into an employment contract with you;
2. Our legitimate interests in (i) deciding whether to offer and appoint you to a position, or (ii) to run our business and preventing fraud (verification of qualification and employment history); and
3. Processing is necessary for compliance with our legal obligations (e.g. verification of right to work).

Purpose/Activity:

We may perform background checks on job applicants to whom we would like to offer a position. During these background checks we may process certain criminal convictions and offences information about you. We have in place an appropriate policy document which we are required by law to maintain when processing such data. Please note that we carry out background checks to ensure that there is nothing in your criminal convictions history which makes you unsuitable for the position.

Type of Personal Data:

Special categories of personal data

Lawful Basis:

The processing is necessary for the purposes of carrying out certain obligations we have under employment, social security, or social protection law, as well as under equal opportunity and anti-discrimination laws.

Purpose/Activity:

During the recruitment process we may collect sensitive personal data such as your gender, race and ethnicity, or disability status. We collect and process this data to ensure meaningful equal opportunity monitoring and reporting, as well as to ensure we do not discriminate on the basis of any protected group status.

Type of Personal Data:

Special categories of personal data

Lawful Basis:

The processing is necessary for the purposes of carrying out certain obligations we have under employment, social security, or social protection law, as well as under equal opportunity and anti-discrimination laws.

Data provided by you:

You may provide us with your personal data when you submit an application via our Career webpage, Greenhouse platform, or via any other means.

Data we collect or receive from external third parties:

We may receive your personal data from the following third party subjects:

• Recruitment agencies that submit to us your resume, CV, or other documentation;
• BeyondTrust employees, where they submit a referral for you;
• Former employers;
• References you provided to us during the recruitment process;
• Professional social networking platforms;
• Credit reference agencies and background check providers; and/or
• Other service providers, as described in the Who We Share Personal Data With section below.

Please note that if you fail to provide information that is necessary for us to consider your application, we may not be able to process your application successfully.

We may share your personal data with external third parties in the following cases:

• Third party service providers and suppliers we use to carry out our recruiting activities. For example LinkedIn, Greenhouse, Hackajob, Calendly, Docusign, and Velocity Global. We require all third party suppliers to keep your personal data confidential and secure, as well as to treat it in accordance with the law. We do not allow our third party suppliers and service providers to use your personal data for their own purposes and we only permit them to process your personal data for specified purposes, such as carrying out the services they are performing for us, and in accordance with our instructions.
• Our background check providers, Sterling (EMEA and APJ) and Verified First (US and Canada).
• Third parties to whom we may choose to sell, transfer, or merge parts of our business or our assets. Alternatively, we may seek to acquire other businesses or merge with them. If a change happens to our business, then the new owners may use your personal data in the same way as set out in this notice. In the event of such change in ownership, we will try to notify you via email and/or a prominent notice on our website as soon as practicable for us to do so.

Please note that we do not "sell" or "share" (as defined under the California Consumer Privacy Act (CCPA)) your personal data for any form of monetary or non-monetary consideration.

We have appropriate physical, technical, and administrative data security measures to protect your personal data. This allows to prevent unauthorized access, use or disclosure, to maintain data accuracy, and to ensure the appropriate use of your personal data. However, no method of transmission over the Internet, or method of electronic storage, is 100% secure.

We have procedures in place to deal with any suspected data breach, and will notify you and/or any competent authority of a breach where it is legally required. For more information on our security program and certifications, visit our Trust Center.

We will only keep your personal data for as long as necessary to fulfil the purposes we collected it for. This includes the purposes of satisfying any legal, accounting, or reporting requirements. We consider different factors to determine the appropriate retention period for personal data. For example, we consider the amount, nature, and sensitivity of the personal data; the potential risk of harm from unauthorized use or disclosure of your personal data; the purposes of processing and if we can achieve those purposes in other ways; and the applicable legal requirements.

If you become one of our employees, your data will be kept in accordance with the retention periods set out in BeyondTrust’s internal employee policies.

BeyondTrust is an organization based in the US and operating globally. Your personal data may therefore be transferred outside of your country of residence or presence to where BeyondTrust or its third party suppliers and service providers operate. No matter where your personal data may be transferred, we will always protect it as described in this notice.

When we transfer personal data originating from the EU, the UK, or Switzerland, we rely on the following transfer mechanisms:

• Adequacy decisions, as adopted by the competent regulators (EU Commission, UK Secretary of State, or Swiss data protection authority); or
• EU Standard Contractual Clauses (SCCs), as amended or recognized by respectively the UK and Swiss regulators.

BeyondTrust complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. BeyondTrust has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. BeyondTrust has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

BeyondTrust is committed to processing personal data transferred from the EU, UK and Switzerland in compliance with the EU-U.S. Data Privacy Framework Principles, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. Data Privacy Framework Principles, listed below:

• Notice
• Choice
• Accountability for Onward Transfer
• Security
• Data Integrity and Purpose Limitation
• Access
• Recourse, Enforcement and Liability

If there is any conflict between this privacy notice and the Data Privacy Framework Principles, the Data Privacy Framework Principles prevails.

BeyondTrust is responsible and liable for the processing of data it receives, under the Data Privacy Framework, and subsequently transfers to a third party acting as an agent on its behalf. BeyondTrust complies with the Data Privacy Framework Principles for all onward transfers of personal data from the EU, UK and Switzerland, including the onward transfer liability provisions.

The Federal Trade Commission has jurisdiction BeyondTrust’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). In certain situations, we may be required to disclose EU or Swiss personal data in response to lawful requests by US public authorities, including to meet national security or law enforcement requirements. To learn more about the Data Privacy Framework and view our certification, visit the U.S. Department of Commerce's Data Privacy Framework List.

In compliance with the EU-U.S. DP, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, BeyondTrust commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF should first contact BeyondTrust at: dataprotectionofficer@beyondtrust.com.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, BeyondTrust commits to refer unresolved complaints concerning our handling of personal data received in reliance on the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. The services of TRUSTe are provided at no cost to you.

Under certain conditions, that are fully described in Annex I of the DPF Principles, you may invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other DPF mechanisms.

We may update this Candidate Privacy Notice to reflect changes to our privacy and security practices. If we make any material changes, we will provide notice on our website as soon as practicable and, if possible, before the change becoming effective. We encourage you to periodically review this Candidate Privacy Notice for the latest information on how we process your personal data.

It is also important that the personal data we hold about you is accurate and up to date. Please let us know if your personal data changes during your relationship with us.

We will process your enquiries as soon as practicable in accordance with our legal requirements and, if appropriate, inform you which measures we have taken.

Last Updated: April 23, 2024