GDPR & Security at ShortlistKit
Last updated: April 22, 2024
1. Our Commitment
ShortlistKit was built for EU data protection from day one.
We store data in Frankfurt (AWS region eu-central-1) and follow the technical and organisational measures described below.
2. How We Handle Your Data
Topic | You Are | We Are | What It Means |
---|---|---|---|
Candidate Data (documents you upload / forward) | Controller | Processor | You decide purpose & lawful basis; we process only under your instructions. |
Customer & Usage Data (account, billing, logs) | – | Controller | We determine purposes for this limited data and keep it secure. |
Download our self-serve DPA (Data Processing Agreement): the PDF auto-fills your company name and e-signature.
3. Data Residency & Transfers
- Primary storage: AWS Frankfurt (Germany).
- International transfers: When we must send data outside the EEA (e.g., Stripe US), we rely on Standard Contractual Clauses.
4. Sub-processors
Vendor | Purpose | Location | Safeguard |
---|---|---|---|
AWS | Hosting & S3 file storage | Germany | ISO-27001, SCCs |
OpenAI (or equivalent LLM) | CV parsing & scoring | USA | Pseudonymised input, SCCs |
Stripe | Payments | USA / EU | PCI-DSS, SCCs |
Postmark / Amazon SES | Transactional email | EU / USA | SCCs |
Google APIs | Optional Sheet export | Worldwide | OAuth 2.0, limited scope |
Last reviewed: April 2024 – we'll e-mail customers 14 days before adding a new sub-processor.
5. Security Controls
- Encryption in transit – TLS 1.2+
- Encryption at rest – AES-256 across DB & object storage
- Least-privilege access – Role-based IAM, hardware MFA for production ops
- Pen-testing – Independent test annually; critical findings patched within 30 days
- Back-ups – Encrypted, replicated, 30-day retention, disaster-recovery drill twice a year
6. Your Privacy Tools
- One-click "Delete All Candidate Data" inside Settings → GDPR Delete (completed within 24 h).
- Workspace-wide export: CSV, Excel, or Google Sheets.
- Individual candidate delete button on every profile.
- Access, correction, portability requests: e-mail privacy@shortlistkit.com (response ≤ 30 days).
7. Breach Notification
If we ever detect unauthorised access to personal data, we will notify affected customers and supervisory authorities within 72 hours, in line with GDPR Art. 33/34.
8. Availability & Uptime
ShortlistKit targets 99.5% monthly uptime, excluding scheduled maintenance (notified in advance).
9. Need More Info?
- Full Privacy Policy → see the Privacy Policy page
- Terms of Service → see the Terms of Service page
- Contact our DPO → privacy@shortlistkit.com
Last security questionnaire completed: April 2024 — request a copy at security@shortlistkit.com.