Policy Center
Transparent and clear information about how we protect you and your data.
Terms of Service
Last Updated: 2025/12/11
1. Introduction and Acceptance
Welcome to Coheasy (“we,” “us,” or “our”). By accessing or using our platform, website, and services (collectively, the “Services”), you agree to be bound by these Terms of Service (“Terms”). These Terms apply to all visitors, users ("Candidates"), and business customers (“Clients”) who access the Services. If you do not agree to these Terms, you may not access or use the Services.
2. Nature of Services
Critical Notice regarding Artificial Intelligence: Coheasy uses Artificial Intelligence (AI), including Large Language Models (LLMs), to analyze applicant resumes and profiles.
- 1. No Automated Decision-Making: You acknowledge and agree that Coheasy is a decision support tool and not a substitute for human judgment. Coheasy provides insights, but does not make or automate final hiring decisions.
- 2. Human-in-the-Loop (HITL) Requirement: Clients agree to review all AI-generated recommendations. You warrant that a human being will review a Candidate’s application before any final rejection or employment decision is made.
3. Artificial Intelligence Features
In accordance with best practices for Generative AI and "High-Risk AI Systems" (EU AI Act), you agree to the following regarding our AI features:
- 1. Input and Output: You are responsible for the data you input (e.g., Job Descriptions, Resumes) and your reliance on the output (e.g., Rankings, Summaries).
- 2. Accuracy Disclaimer: While we actively structure our processes to reduce hallucinations and bias, AI may produce inaccurate or misleading results. You are responsible for verifying the accuracy of any AI-generated text or summaries.
- 3. Bias Mitigation Architecture: Coheasy utilizes a "privacy-first" process where demographic data (PII) is stripped before skills analysis is performed. You agree not to attempt to reverse-engineer, unmask, or infer protected demographic characteristics (race, gender, age, etc.) from the anonymized outputs.
4. Acceptable Use Policy (AUP)
You agree to use the Services only for legitimate talent acquisition and employment purposes. You will not:
- 1. Use the Services to discriminate against any individual based on protected characteristics under applicable laws (e.g., Title VII of the Civil Rights Act, EEOC regulations).
- 2. Upload highly sensitive information (SSNs, health data, biometric data) to the platform.
- 3. Engage in "Ghost Jobs". Clients agree only to post positions for which there is a bona fide intent to hire.
- 4. Attempt to scrape, data mine, or reverse engineer the Service or its algorithms.
5. Data Privacy and Processing
5.1 Roles
For the purposes of GDPR and similar laws:
- 1. Client is the Data Controller of Candidate data submitted to the platform.
- 2. Coheasy is the Data Processor acting on the Client’s behalf.
5.2 Data Usage
You grant Coheasy a license to host, copy, process, and display Customer Data to provide the Services, including parsing resumes and conducting bias audits.
5.3 Candidate Transparency
Clients operating in jurisdictions with AI transparency laws are responsible for providing required notices to Candidates regarding the use of an Automated Employment Decision Tool (AEDT) prior to inputting their information into the Service.
6. Client Responsibilities and Indemnification
6.1 Hiring Decisions
The Client retains sole authority and liability for all hiring decisions. Coheasy does not guarantee that any Candidate will be suitable for a specific role.
6.2 Indemnification
To the fullest extent permitted by law, Client agrees to indemnify, defend, and hold harmless Coheasy from any claims, damages, or liabilities arising out of:
- 1. Client’s final hiring or rejection decisions;
- 2. Client's violation of employment or anti-discrimination laws (including Title VII);
- 3. Client's failure to provide mandatory notices to Candidates regarding AI usage.
7. Bias Audits and Compliance
Coheasy is committed to algorithmic fairness. We conduct periodic internal and third-party bias audits. By using the Service, Clients agree to allow their aggregated, de-identified hiring data to be used for these bias audits to ensure compliance with NYC Local Law 144 and other regulatory standards.
8. Limitation of Liability
TO THE MAXIMUM EXTENT PERMITTED BY LAW, COHEASY SHALL NOT BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES, OR ANY LOSS OF PROFITS OR REVENUES, WHETHER INCURRED DIRECTLY OR INDIRECTLY, OR ANY LOSS OF DATA, USE, GOODWILL, OR OTHER INTANGIBLE LOSSES, RESULTING FROM (A) YOUR ACCESS TO OR USE OF OR INABILITY TO ACCESS OR USE THE SERVICES; (B) ANY AI-GENERATED CONTENT OR RECOMMENDATIONS; OR (C) HIRING DECISIONS MADE BASED ON THE SERVICES.
9. Modifications to Services and Terms
We reserve the right to modify these Terms at any time. We will provide notice of material changes. Continued use of the Services constitutes acceptance of the modified Terms.
Privacy Policy
Last Updated: 2025/12/11
1. Introduction
Welcome to Coheasy. We are committed to "Rehumanizing Hiring" by protecting the privacy and dignity of job seekers ("Candidates") and business users ("Clients"). This Privacy Policy explains how we collect, use, and secure your personal information when you use our platform, including our AI-driven resume analysis and psychometric assessment tools.
2. Our Role: Controller vs. Processor
To ensure compliance with the GDPR (EU), CCPA (California), and other privacy laws, we define our data processing roles as follows:
- For Candidates: When you create a Coheasy profile directly, we act as the Data Controller.
- For Clients: When a company uses Coheasy to process applicant data, the Client is the Data Controller, and Coheasy acts as the Data Processor. We process candidate data strictly according to the Client's instructions and our Data Processing Agreement (DPA).
3. Information We Collect
3.1 Information You Provide
- Account Data: Name, email, phone number, and professional history.
- Application Data: Resumes, CVs, cover letters, and portfolios uploaded to the system.
- Assessment Data: Responses to our work style assessments.
4. How We Use Your Information
We use your data to:
- Provide our "Decision Support" services to match Candidates with Client job openings.
AI Usage Disclosure: We use Artificial Intelligence to parse resumes and rank candidates based on skills and work style compatibility. We do not use your data to train the public models of third-party LLMs.
5. Automated Decision-Making & Human Oversight
Coheasy is a tool, not a recruiter.
- No Solely Automated Decisions: Consistent with GDPR Article 22, Coheasy does not make final hiring or rejection decisions based solely on automated processing. All AI recommendations must be reviewed by a human Client before a final decision is made.
- Right to Explanation: If you are rejected for a role where Coheasy was used, you have the right to request an explanation of the principal factors that led to the decision from the Client.
6. Data Sharing and Third Parties
We do not sell your personal data. We share data only with:
- Clients: Employers to whom you explicitly apply.
- Service Providers: Cloud hosting and AI sub-processors, subject to strict confidentiality agreements.
7. Data Retention
We retain your personal data only as long as necessary to fulfill the hiring process or as required by law.
- Candidate Profiles: Retained while your account is active. You may delete your account at any time.
- Anonymized Data: We may retain de-identified, aggregated data for statistical analysis and bias auditing purposes indefinitely.
8. Your Rights
Depending on your location (EU, UK, California, Canada), you have specific rights:
- Right to Access & Portability: Request a copy of the data we hold about you.
- Right to Correction: Fix inaccurate information.
- Right to Erasure ("Right to be Forgotten"): Request deletion of your PII from our servers.
- Right to Opt-Out of AI: You may request that your application be reviewed manually without AI processing, though this may delay your application status.
9. Contact Us
For questions regarding this policy or our use of AI, or to exercise any of the rights described above, please contact us at [email protected].
Data Security Statement
Last Updated: 2025/12/11
1. Our Commitment to Security
At Coheasy, we understand that trust is the currency of the hiring process. Because we process sensitive employment data and utilize High-Risk AI Systems, we maintain a comprehensive security program designed to protect the confidentiality, integrity, and availability of your data. This statement outlines the technical and organizational measures we implement to secure your information against unauthorized access, data breaches, and cyber threats.
2. Technical Infrastructure and Encryption
We rely on industry-leading infrastructure to ensure your data is secure at every stage of its lifecycle.
- Cloud Providers: Our platform is hosted on top-tier cloud service providers (e.g., AWS, Google Cloud) that maintain industry-standard security certifications, including ISO 27001, SOC 2 Type II, and PCI DSS Level 1.
- Encryption at Rest: All data stored in our databases is encrypted using AES-256 standards.
- Encryption in Transit: All data transmitted between your browser and our servers, or between our internal microservices, is encrypted using TLS 1.2 (Transport Layer Security) or higher.
- Secure APIs: We interact with your third-party accounts (e.g., Gmail, Outlook) exclusively via secure, limited-scope APIs (OAuth). We never see or store your email passwords.
3. The "Agent 1" Privacy Architecture
Coheasy employs a proprietary "Privacy-First" architecture designed to minimize the risk of data exposure during AI processing.
- Data Segmentation: We utilize a multi-agent system. Agent 1 extracts and isolates Personally Identifiable Information (PII)—such as names, addresses, and contact details—storing them in a secure, encrypted enclave. Agent 2 (the analysis engine) receives only anonymized, de-identified data for skills evaluation.
- AI Data Isolation: Data processed by our AI models is not used to train the public models of third-party Large Language Model (LLM) providers. We utilize enterprise API agreements that enforce zero-retention policies for training purposes.
4. Access Controls and Internal Security
We operate on a "Principle of Least Privilege," ensuring that access to data is restricted to those who strictly need it to perform their job functions.
- Employee Access: Only authorized employees trained in data privacy and security procedures are granted access to customer data. Multi-Factor Authentication (MFA) is required for all administrative access.
- Physical Security: We enforce strict physical access controls. No employee is permitted to store unencrypted Personal Information on insecure local machines or portable drives.
- Vendor Management: We vet all third-party sub-processors (e.g., cloud hosting, AI providers) to ensure they comply with GDPR and CCPA standards and sign Data Processing Agreements (DPAs) where appropriate.
5. AI Safety and Robustness
In compliance with Article 15 of the EU AI Act regarding High-Risk AI Systems, we implement measures to ensure our AI is resilient against errors, inconsistencies, and malicious attacks.
- Adversarial Testing: We conduct "red-teaming" and adversarial testing to identify vulnerabilities, including attempts at data poisoning or prompt injection attacks.
- Bias Monitoring: We continuously monitor our algorithms for "model drift" and discriminatory patterns to ensure the integrity of the hiring process remains intact.
6. Blockchain and Credential Verification
For features utilizing blockchain technology (The "Trust Chain"), we prioritize the "Right to Erasure."
- Hashing: We do not store PII directly on the blockchain. Instead, we store cryptographic hashes of credentials. This ensures that if you request data deletion, the on-chain data becomes mathematically disassociated from your identity, protecting your privacy on an immutable ledger.
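The hashing step above can be illustrated with a small model of an append-only ledger and an off-chain index. This is an added example written for this page, not Coheasy's Trust Chain code; it assumes a SHA-256 commitment over a random 32-byte salt plus the credential bytes, with the salt and the candidate-to-entry mapping kept only off-chain. Deleting that off-chain record is the erasure step: the digest remains on the ledger, but nothing links it to a person, and without the salt a guessable credential (a degree title and year, say) cannot be matched against the digest by trial hashing, which is why the salt matters rather than a bare hash of the credential.

```python
import hashlib
import secrets


class Ledger:
    """Stand-in for the immutable chain: entries can be appended, never removed."""

    def __init__(self):
        self._entries = []

    def append(self, digest: str) -> int:
        self._entries.append(digest)
        return len(self._entries) - 1

    def get(self, index: int) -> str:
        return self._entries[index]

    def __len__(self) -> int:
        return len(self._entries)


def commit(credential: bytes, salt: bytes) -> str:
    """Hash commitment: SHA-256 over salt || credential (salted scheme is an assumption)."""
    return hashlib.sha256(salt + credential).hexdigest()


class CredentialRegistry:
    """Hypothetical off-chain index: candidate_id -> [(ledger index, salt)].
    Deleting a record here is the erasure step; the on-chain digest stays put."""

    def __init__(self, ledger: Ledger):
        self.ledger = ledger
        self._records = {}

    def anchor(self, candidate_id: str, credential: bytes) -> int:
        salt = secrets.token_bytes(32)          # fresh salt per credential
        idx = self.ledger.append(commit(credential, salt))
        self._records.setdefault(candidate_id, []).append((idx, salt))
        return idx

    def verify(self, candidate_id: str, credential: bytes) -> bool:
        """Re-derive the commitment from the stored salt and compare with the ledger."""
        for idx, salt in self._records.get(candidate_id, []):
            if self.ledger.get(idx) == commit(credential, salt):
                return True
        return False

    def erase(self, candidate_id: str) -> int:
        """Right-to-erasure: drop salts and mapping; returns number of entries unlinked."""
        return len(self._records.pop(candidate_id, []))


if __name__ == "__main__":
    ledger = Ledger()
    registry = CredentialRegistry(ledger)
    # Constructed sample credential; not a real document.
    diploma = b"Diploma: B.Sc. Computer Science, Example University, 2018"
    entry = registry.anchor("cand-001", diploma)
    print("verified before erasure:", registry.verify("cand-001", diploma))
    registry.erase("cand-001")
    print("verified after erasure: ", registry.verify("cand-001", diploma))
    print("ledger still holds digest:", ledger.get(entry))
```

After `erase`, `verify` returns False even for the correct credential, and the ledger length is unchanged: the immutable record survives, the link to the identity does not.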
7. Incident Response and Breach Notification
Despite robust defenses, no system is impenetrable. We have a documented Incident Response Plan to handle potential security events.
- Detection: We utilize automated logging and threat detection systems to identify unusual activity.
- Notification: In the event of a confirmed data breach that affects your Personal Information, Coheasy will notify you and applicable regulatory authorities (such as the ICO or DPA) within the timelines mandated by law (typically 72 hours under GDPR).
- Remediation: We will take immediate steps to contain the breach, investigate the cause, and implement corrective actions to prevent recurrence.
8. Responsible Disclosure
We welcome the contribution of the security research community. If you believe you have found a vulnerability in the Coheasy service, please report it to [email protected]. We pledge not to pursue legal action against researchers acting in good faith who:
- Report the vulnerability to us confidentially.
- Provide us reasonable time to resolve the issue before making it public.
- Do not access or destroy user data.
9. Limitation of Liability
While we follow generally accepted standards to protect the Personal Information submitted to us, no method of transmission over the Internet, or method of electronic storage, is 100% secure. Therefore, we cannot guarantee absolute security. You acknowledge that you provide your Personal Information at your own risk and that Coheasy is not liable for unauthorized access, hacking, or other security intrusions beyond our reasonable control.
Data Processing Agreement (DPA)
Last Updated: 2025/12/11
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Principal Agreement") between Coheasy ("Processor") and the Client identified in the Principal Agreement ("Controller"). This DPA applies to the extent Coheasy processes Personal Data on behalf of the Client.
1. Definitions
- "Agent 1 Protocol" refers to Coheasy’s proprietary data ingestion system which segregates Direct Identifiers from Candidate Data prior to AI analysis.
- "AI Models" refers to the Large Language Models (LLMs) and psychometric algorithms utilized by Coheasy to provide the Services.
- "Candidate Data" means Personal Data relating to job applicants submitted by the Controller to the Processor.
- "Data Protection Laws" means all applicable laws regarding data privacy and security, including GDPR (EU), UK GDPR, and CCPA/CPRA (California).
2. Roles and Scope
2.1 Relationship
The Parties acknowledge that with regard to the processing of Candidate Data, the Client is the Controller and Coheasy is the Processor.
2.2 Nature of Processing
Coheasy shall process Personal Data only for the purpose of providing the "Decision Support" hiring platform, including resume parsing, skill ranking, and bias auditing, in accordance with the Controller’s documented instructions.
3. The "No Training" & AI Usage Covenant
3.1 No Training on Customer Data
Coheasy warrants that it shall not use Candidate Data submitted by the Controller to train, fine-tune, or improve the foundational models of third-party LLM providers for the general public. Data processed via API is subject to strict zero-retention policies for training purposes.
3.2 Automated Decision-Making (ADM)
Coheasy acts solely as a decision support tool. The Controller acknowledges that Coheasy does not make automated legal decisions (e.g., hiring or rejection) on behalf of the Controller. The Controller agrees to maintain "Human Oversight" (Human-in-the-Loop) for all high-stakes decisions to comply with GDPR Article 22 and Article 14 of the EU AI Act.
4. Security Measures & Architecture
Coheasy implements the following specific technical measures to ensure the security and confidentiality of Candidate Data.
4.1 The "Agent 1" Privacy Filter
- Upon receipt of a resume, "Agent 1" extracts Direct Identifiers (Name, Email, Phone, Address).
- Direct Identifiers are removed from the analysis environment.
- Only de-identified, vectorized text is transmitted to "Agent 2" for skills matching. This ensures that third-party LLMs never process PII associated with a specific identity.
4.2 Encryption
All Personal Data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
5. Sub-processors
5.1 Authorization
The Controller grants general authorization for Coheasy to engage sub-processors (e.g., AWS for hosting, LLM providers for inference).
5.2 Liability
Coheasy remains fully liable to the Controller for the performance of its sub-processors. Coheasy warrants that all LLM providers are bound by Data Processing Agreements that prohibit the use of Controller data for model training.
6. Data Subject Rights
6.1 Assistance
Coheasy shall assist the Controller in fulfilling its obligations to respond to Data Subject requests (e.g., access, rectification, erasure) within the statutory timeframes.
7. Bias Auditing & Algorithmic Transparency
7.1 Bias Audits
To assist the Controller with compliance under NYC Local Law 144 and similar regulations, Coheasy shall conduct annual independent bias audits of its algorithms. Coheasy shall provide the Controller with a summary of Selection Rates and Impact Ratios upon request.
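The Selection Rates and Impact Ratios named above have a fixed definition under NYC Local Law 144: the selection rate of a category is the share of applicants in that category who are selected, and the impact ratio of a category is its selection rate divided by the selection rate of the most-selected category. The following added example computes both from constructed outcome records; it is not Coheasy's audit tooling. The 0.8 flagging threshold is the EEOC "four-fifths" screen, included here as a commonly used reading aid, not as a threshold the law itself sets.

```python
from collections import Counter

# Constructed outcome records, one per applicant: (category, selected).
# Not real hiring data; built so category A is selected 5/10 and B 2/10.
OUTCOMES = (
    [("A", True)] * 5 + [("A", False)] * 5
    + [("B", True)] * 2 + [("B", False)] * 8
)


def selection_rates(outcomes: list[tuple[str, bool]]) -> dict[str, float]:
    """Selection rate per category = selected / applicants in that category."""
    applicants = Counter(category for category, _ in outcomes)
    selected = Counter(category for category, chosen in outcomes if chosen)
    return {c: selected[c] / applicants[c] for c in applicants}


def impact_ratios(rates: dict[str, float]) -> dict[str, float]:
    """Impact ratio = category rate / rate of the most-selected category."""
    top = max(rates.values(), default=0.0)
    if top == 0:
        return {c: 0.0 for c in rates}
    return {c: r / top for c, r in rates.items()}


def flag_adverse_impact(ratios: dict[str, float], threshold: float = 0.8) -> list[str]:
    """Categories whose impact ratio falls below the screening threshold."""
    return sorted(c for c, r in ratios.items() if r < threshold)


def audit_summary(outcomes: list[tuple[str, bool]]) -> dict:
    """The figures a Controller would request: rates, ratios, and flagged groups."""
    rates = selection_rates(outcomes)
    ratios = impact_ratios(rates)
    return {"selection_rates": rates, "impact_ratios": ratios,
            "flagged": flag_adverse_impact(ratios)}


if __name__ == "__main__":
    for key, value in audit_summary(OUTCOMES).items():
        print(f"{key}: {value}")
```

On the constructed data this yields selection rates of 0.5 for A and 0.2 for B, impact ratios of 1.0 and 0.4, and B flagged. Real audits also handle small categories and intersectional groups, which this sketch omits.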
7.2 Logging
Coheasy shall maintain automatically generated logs of system operations to ensure traceability of functioning, consistent with Article 12 of the EU AI Act.
8. International Data Transfers
8.1 Standard Contractual Clauses (SCCs)
If Candidate Data is transferred from the EEA/UK to a third country (e.g., the United States) that has not received an adequacy decision, the Parties agree to abide by the EU Standard Contractual Clauses, which are incorporated herein by reference.
9. CCPA/CPRA Addendum (California)
For data originating from California residents, Coheasy acts as a "Service Provider." Coheasy is prohibited from:
- Selling or Sharing Candidate Data.
- Retaining, using, or disclosing Candidate Data for any purpose other than the specific business purpose of performing the Services specified in the Agreement.
- Combining Candidate Data with personal data received from other sources, except as permitted by law.
10. Audit Rights
Upon reasonable written request, Coheasy shall make available to the Controller information necessary to demonstrate compliance with this DPA. This may include summary reports of third-party security audits (e.g., SOC 2 Type II) or bias audit certificates.