VGS HR Data Privacy Framework Notice

Updated: DEC 9, 2024


Very Good Security, Inc. (“VGS”, “we”, “us”, “our”) complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. VGS has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. VGS has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) Program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

Who:

Applicants, employees, and ex-employees of VGS.

Collection:

VGS collects Personal Data from you when you apply to work at VGS, for example by:

  • Voluntary submission to VGS;
  • Voluntary submission to third-party job posting sites or through recruiters; and
  • Additional Personal Data when you start employment with Evaluate.

HR Personal Data:

For the purposes of this Human Resources Privacy Notice, HR Personal Data includes your name, email, phone number, social security number (if applicable), work permit number (if applicable), Right to Work (if applicable), USCIS visa number (if applicable), address and bank account information.

Use:

VGS collects HR Personal Data from you for the following purposes:

  • Job Applicants: We collect HR data from job applicants to track incoming job applications and coordinate interviews.
  • Current Employees and Ex-Employees: We collect HR Data from employees for legitimate business purposes related to employment including, but not limited to, security related background checks, verification of employment, payroll, expense reimbursement and travel.

How does VGS store your data?

VGS stores your data with third party services who process HR data on behalf of VGS, including but not limited to:

  • Billing services
  • SaaS providers (e.g. our HR and recruiting CRMs)
  • Cloud service providers

VGS's contracts with third party service providers prohibit the providers from using your data on their own behalf.

NOTICE

As described in VGS's Privacy Notice, VGS will provide timely and appropriate notice of the data we are collecting, how we will use it, and the types of third parties with whom we may share it. We will provide this notice by posting our Privacy Notice on our Website, or, if the changes are significant, customers will be provided an updated notice via email.

VGS processes its Customers' clients' data according to the terms of the written agreement between VGS and the Customer.

CHOICE

VGS offers customers the opportunity to choose to opt out of having personal data transferred to third parties for reasons not listed in our Privacy Notice or used for purposes beyond those for which the data were collected. VGS does not sell data.

VGS's written agreements with Customers limit our ability to disclose personal information to third parties or to use personal information for purposes other than those specified in the contract. VGS will assist in putting individuals who directly contact us regarding exercise of choice in contact with the EU controller to provide a choice mechanism.

ONWARD TRANSFER

VGS shares data with third parties to facilitate various business processes. A full list of reasons VGS shares data can be found in the Privacy Notice in the section entitled “With Whom Does VGS Share Your Data?”. VGS only shares Personal Information required for the third party to perform its services, and they will not be authorized to use it for any other purpose, unless you have consented to such disclosure.

For the actions of third party agents VGS engages to process data on our behalf, VGS remains responsible and liable under the Data Privacy Framework Principles if a third party agent processes the personal data in a manner inconsistent with the Data Privacy Framework Principles, unless VGS proves that we are not responsible for the event giving rise to the damage.

SECURITY

As described in our Security Statement, VGS is committed to securing our customers' data. We include security terms in our third party contracts, and our hosting services have been assessed by third party auditors in accordance with both PCI-DSS and SOC2 Security Standards.

VGS Customers are responsible for implementing security measures appropriate to the nature and volume of data stored on or transferred to VGS's system.

DATA INTEGRITY

VGS operates under contractual requirements governing data retention, accuracy and purposes of processing. When VGS does collect personal information, we will take reasonable measures to verify that the personal information we collect is relevant and reliable for its intended use, and that it is accurate, complete, and current. Contact privacy@verygoodsecurity.com.

ACCESS

VGS offers individuals from whom it directly collects information reasonable access to their Personal Information and will provide such individuals reasonable opportunity to correct, amend, or delete inaccurate information. Contact privacy@verygoodsecurity.com.

If contacted by one of our customers' clients, VGS will work with the EU controller to facilitate access through the Customer's access methods.

Compliance with VGS EU Privacy Notice:

VGS otherwise represents and warrants that it handles your data in accordance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as noted in our Data Privacy Framework Notice available at: https://www.verygoodsecurity.com/dpf-privacy-notice

ENFORCEMENT

VGS is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC). Under Section 5 of the Federal Trade Commission Act (15 U.S.C. § 45), failure to abide by commitments to implement the DPF Principles may be challenged as deceptive by the FTC. The FTC has the power to prohibit such misrepresentations through administrative orders or by seeking court orders.

VGS periodically assesses its Privacy Notice and Data Privacy Framework Notice to ensure that they are accurate, comprehensive, and prominently displayed. VGS is committed to ensuring that complaints are resolved in a timely manner, and we will investigate and attempt to resolve any complaints and disputes regarding the collection, use, and disclosure of Personal Information in accordance with the Privacy Principles.

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, VGS commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU and UK individuals and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF should first contact VGS at:

Very Good Security, Inc.
General Counsel
207 Powell Street, Ste 200
San Francisco, CA 94102

Or by email: privacy@verygoodsecurity.com

Recourse

In compliance with the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF, VGS commits to cooperate and comply with the advice of the panel established by the EU data protection authorities (DPAs) and the UK Information Commissioner's Office (ICO) and the Swiss Federal Data Protection and Information Commissioner (FDPIC) with regard to unresolved complaints concerning our handling of human resources data received in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF and the Swiss-U.S. DPF in the context of the employment relationship.

Under certain conditions, described more fully on the Data Privacy Framework website, you may invoke binding arbitration when other dispute resolution procedures have been exhausted. The services of the relevant Independent Recourse Mechanisms above are provided at no cost to you.