This Statement applies to AuthBridge, AuthBridge’s clients or individuals who furnish their Personal Data to AuthBridge’s client or on behalf of AuthBridge’s client, directly submit to AuthBridge on iBridge or otherwise offline for undertaking Background verification services.

Important Note:

If you are a Candidate applying for the job position with AuthBridge, we are the controller of your personal information in such scenario. As a data controller/ Fiduciary AuthBridge will be responsible for ensuring that the processing of your personal information is protected as per applicable data protection law. Please read through the Recruitment Policy regarding the processing of the personal information of candidates.

Applicable Data Protection Law: Applicable Data Protection Laws means the relevant local and/ or international laws/ regulations basis the jurisdiction where the individual resides or located, whose personal data is processed by an organisation. Some of the applicable data privacy laws to AuthBridge are General Data Protection Regulation (GDPR) and Digital Personal Data Protection Act (DPDPA).

Personal Data: Personal Data is any data relating to an identified or identifiable natural person. This Personal Data may be further categorised as below, basis the jurisdictional Data Protection Laws:

• Sensitive Personal Data: Sensitive Personal Data is a specific set of “special categories” that must be treated with extra security.

Data subject/ Data Principal/ Individual: Means any identified or identifiable natural person; an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to the person’s physical, physiological, mental, economic, cultural or social identity. This may include the below, as per the jurisdictional Data Privacy Law:

• a child, includes the parents or lawful guardian of such a child;
• a person with disability, includes her lawful guardian, acting on her behalf.

Processing: Means any operation or set of operations that is performed upon Personal Data or on sets of Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, transfer, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, restriction, erasure or destruction.

Data Controller/ Fiduciary: Means a person, company or other body which determines the purposes and means of processing the personal information.

Consent: Means any freely given, specific, informed and unambiguous indication of an individual permission by which he or she signifies/ indicates agreement to the processing of personal data relating to him or her.

Data Processor: Means a person, company or other body who processes data on behalf of Data Controller/ Fiduciary.

Sub-processor: Means a person, company or other body used by the Data processor to assist in its processing of personal data for a controller.

Personal Data breach: Means a security event leading to the accidental, or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information.

The Personal Data collected will generally include:

• Individual name
• Date & place of birth
• Gender
• Contact number (mobile, residence) and/ or E-mail ID
• Family details (parents' name/ relatives names)
• Photograph of the individual
• Address details (previous, current, permanent)
• Identity details (passport/driving license/PAN card/voter card/ration card no.)
• Education details (degree/mark sheet/certificate)
• Employment history (previous, current)
• Professional reference (current, previous)
• Personal reference (known)
• Criminal record check (police verification)
• Fingerprint/drug checks / health records
• Financial details such as salary details/ statutory details such as PF/ Gratuity details/ credit details/ bank account details

The extent of Personal Data collected from you would vary depending on the background verification checks required by your employer/ AuthBridge’s client you have engagement with.

AuthBridge obtains Personal Data on behalf of our client(s) whether by telephone, e-mail, hard copy, via AuthBridge's online application form, and/or client's online portal. The specific kind of user data collection will depend on the services used by the clients.

We may also receive personal data about you from third party data sources such as government agencies, law enforcement bodies, publicly available records, public registries, court or tribunal records, insolvency registers, educational institutions, your referees or references, current and/or previous employers, and regulatory and licensing bodies.

As a processor or as a contractual Independent Controller/Fiduciary, AuthBridge does not undertake collection of Personal Data for Background verification unless AuthBridge or the Client has obtained the prior consent of the data subject.

Data Controller/ Fiduciary takes authorisation to process the data for Background Verification or it may use AuthBridge's services to undertake the consent/ authorisation of the Data Subject before the data is required to be processed by AuthBridge.

In case no authorisation of any sort has been obtained from you, please refrain from sharing any personal information with us.

In general, our client (i.e., your employer, or the entity with which you have applied for employment) is the Data Controller/ Fiduciary of personal data and determines the means and purposes for processing your personal data.

AuthBridge processes and discloses Personal Data of the data subject for providing background verification services in line with clients' contractual obligations.

Our client determines the lawful basis for such processing being Data Controller/Fiduciary. AuthBridge strictly processes the data in accordance with its client's contractual instructions.

AuthBridge, with partnerships globally, may need to transfer individual’s Personal Data to third party service providers including overseas' partners/ entities, verification sources as necessary for the performance of a lawful contract in accordance with its clients. Any such information transferred shall be subject to appropriate data privacy regulations and shall be strictly in accordance with the contractual obligations as agreed between us and our clients.

AuthBridge does not disclose Personal Data to any third party unless such disclosures would be necessary for AuthBridge provision of its business functions or for the provision of the service to the Client(s).

Such necessary disclosures would occur strictly in accordance with applicable laws and may include:

• Data shared with its employees to undertake and fulfill its business activities;
• Data shared with relevant sources to obtain verification;
• Instances where AuthBridge has contracted with third parties to assist in providing services to AuthBridge’s Client(s), including such elements as delivery, verification and system support;
• Where AuthBridge is under an obligation to disclose Personal Data to any governmental or statutory body to comply with applicable laws, regulations, regulatory requests/notices in the public interest.

• AuthBridge is certified to ISO/IEC 27001:2013 which defines the requirements for an Information Security Management System (ISMS) and is also SoC-2 Type II certified. AuthBridge’s processes and security controls provide an effective framework for protecting our clients' and our business information, including personal data.
• We maintain organizational and technical measures for all the personal data we hold. We have protocols, controls, and relevant policies; procedures; and guidelines to maintain these controls, considering the risks associated with the categories of personal data and the processing we undertake.
• We regularly monitor our systems to mitigate possible vulnerabilities and attacks. However, we cannot guarantee or warrant the security of any information transmitted via our websites.
• Our website and the server on which it is hosted is at AWS Mumbai. There are reasonable and appropriate controls also at AWS to secure your data against any accidental or unlawful loss, access or disclosure. For more details visit https://aws.amazon.com/privacy/
• We employ procedures, including contractual obligations, and require all third parties to respect the security of personal data about you and to treat it in accordance with the law. We do not grant permission for our third-party service providers to use personal data about you for their own purposes and only grant permission for them to process personal data about you for specified purposes and in accordance with our instructions.

AuthBridge does not undertake processing of personal data belonging to a minor (as defined under the applicable data privacy regulations), expect in cases, where its clients have obtained due consent from the parent/lawful guardian of the minor in accordance with the applicable regulations.

You have the following rights with respect to your Personal Data that we process, subject to the conditions and restrictions set out under the applicable laws and basis the jurisdiction in which you reside.

• Right to access: You are entitled to obtain a copy of your personal information, together with an explanation of the categories of data being processed, the purposes of such processing, and the details of third parties to whom the data may have been disclosed.
• Right to rectification: You are entitled to correct or update your personal information available with us.
• Right to erasure: You are entitled to get your data deleted from our records.
• Right to object to and / or restrict processing: You have the right to object to and / or restrict the processing or sharing of your data in some circumstances such as restrict the processing of personal data for criminal checks, or for direct marketing purposes.
• Right to data portability: You are entitled to obtain and reuse your personal information. You can either obtain the information from us and provide it to a third party or ask us to transfer your personal information directly to a third party.
• Right to withdraw or opt-out: You have right to withdraw your consent for any or all of the purposes for which your personal data has been collected provided at any time by contacting us.
• Right to not be discriminated against for exercising your individual rights regarding your personal data.
• Right to nominate (in the manner prescribed by the Central govt.) any other individual to exercise the above-mentioned rights, in the event of the death or incapacity (unsoundness of mind or infirmity of body) of the data principal.
• Right to complain and obtain redressal: You have the right to lodge a complaint with the competent supervisory authority, depending upon your jurisdiction, to obtain redressal.

Under privacy legislation your rights are exercisable against the Data Controller/ Fiduciary.i.e, AuthBridge's Client and therefore you should direct your requests to them at the address they provide to you.

On receiving the communications from its clients about your request, AuthBridge will act upon the same in accordance with the applicable law.

As AuthBridge collects your Personal Data only on behalf of its client, it is retained as per the retention period agreed with such client by way of a written agreement.

We commit to handle your Personal Data in a way that provides you trust and confidence. However, if at any time you have concerns over the handling of your Personal Data you are encouraged to contact your employer/AuthBridge's client you have engagement with.

If you wish to contact AuthBridge for any privacy related query/concern, then please send email at privacy@authbridge.com Or write back to:

AuthBridge’s Data Privacy Office (Dept-Compliance)
AuthBridge Research Services Pvt Ltd
Plot No. 123, II Floor, Udyog Vihar,
Phase IV – Gurgaon – 122 015
Haryana, India