Druva Applicant Privacy Notice

Effective Date: May 22, 2024

Last Updated: May 22, 2024

Introduction and Scope

This Druva Applicant Privacy Notice (“Notice”) applies to job applicants, employees, owners, directors, officers, medical staff members, or contractors of Druva, Inc. (“Druva”) from whom we collect Personal Information as a business. Druva collects your Personal Information, including sensitive Personal Information for human resources, employment application process, health and safety, and business-related purposes, including the business purposes identified below under “Use of Personal Information.”

We are committed to properly handling the Personal Information collected or processed in connection with your employment application relationship with us. We will not sell the Personal Information, including any sensitive Personal Information, we collect about applicants or share it with third parties for cross-context behavioral advertising.

To view our full Privacy Notice, visit https://www.druva.com/privacy-policy

Personal Information We Collect, Purposes, and Lawful Basis

We may collect the Personal Information, and sensitive Personal Information, categories listed in the table below. The Personal Information in each category of the table below will be retained for the statutory time requirement of the applicable geographic laws.

Personal Information Collection

For the purposes of this notice, Personal Information means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, or as otherwise defined by International Data Privacy laws, including, the California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act of 2020 (CPRA) (California Civil Code §§ 1798.100 to 1798.199) and its implementing regulations, as amended or superseded from time to time (collectively, “CCPA”).

Personal Information does not include information that is deidentified or aggregated.

The chart below provides the categories of Personal Information (as defined by the CCPA) we collect from job applicants. The examples of Personal Information provided for each category reflect each category’s statutory definition and may not reflect all of the specific types of Personal Information associated with each category.

Category of Information	We Collect	Lawful Basis
A. Identifiers Examples: Name, alias, postal address, unique personal identifier, online identifier, internet protocol address, email address, account name, social security number, national ID, driver’s license number, passport number, or other similar identifiers.	Yes	Legitimate Interest Legal Obligation Consent (where required)
B. Categories of Personal Information in Cal. Civ. Code Section 1798.80(e) Examples: Name, signature, social security number, physical characteristics or description, address, telephone number, passport number, driver’s license or state identification card number, insurance policy number, education, employment, employment history, bank account number, credit card number, debit card number, or any other financial information, medical information, or health insurance information.	Yes	Legitimate Interest Legal Obligation Consent (where required)
C. Characteristics of Protected Classifications under California or Federal Law Examples: Race or color, ancestry or national origin, religion or creed, age (over 40), mental or physical disability, sex (including gender and pregnancy, childbirth, breastfeeding or related medical conditions), sexual orientation, gender identity or expression, reproductive health decision making, medical condition, genetic information, marital status, military and veteran status, or genetic information (including familial genetic information).	Yes	Legitimate Interest Legal Obligation Consent (where required)
D. Commercial Information Examples: Transaction information, purchase history, and financial information.	No	n/a
E. Biometric Information Examples: Physiological, biological, or behavioral characteristics, including DNA, that can be used, singly or in combination with each other or with other identifying data, to establish individual identity, such as imagery of the iris, retina, fingerprint, face, hand, palm, vein patterns, and voice recordings, from which an identifier template, such as a faceprint, a minutiae template, or a voiceprint, can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health, or exercise data that contain identifying information.	No	n/a
F. Internet or Other Electronic Network Activity Information Examples: All activity on Druva’s information systems (such as internet browsing history, search history, intranet activity, email communications, social media postings, stored documents and emails, usernames, and passwords) and all activity on communications systems (such as phone calls, call logs, voicemails, text messages, chat logs, app use, mobile browsing and search history, mobile email communications, and other information regarding an employee’s use of company-issued devices).	Yes	Legitimate Interest
G. Geolocation Data Example: Time and physical location related to use of an internet website, application, or device[, and GPS location data from mobile devices of employees who participate in our vehicle reimbursement program].	No	n/a
H. Sensory Information Examples: Audio, electronic, visual, or similar information.	Yes	Legitimate Interest
I. Professional or employment-related information Examples: Job application or resume information and past and current job history.	Yes	Legitimate Interest Legal Obligation Consent (where required)
J. Non-Public Education Information (as defined in 20 U.S.C. 1232g; 34 C.F.R. Part 99) Examples: Records that are directly related to a student maintained by an educational agency or institution or by a party acting for the agency or institution.	No	n/a
K. Inferences Drawn from Personal Information Examples: An individual’s Consumer profiles reflecting a consumer’s preferences, characteristics, psychological trends, preferences, predispositions, behavior, attitudes, intelligence, abilities, and aptitudes.	Yes	Legitimate Interest
N. Personal Data about children under the age of 16	No	n/a

Use of Personal Information

We collect and use your Personal Information in accordance with the specific business and commercial purposes below:

Processing your job application.
Verifying your information and conducting background checks, where applicable.
Communicating with you about the recruitment process and/or your application.
Creating and submitting reports as required under local laws or regulations, where applicable.
Making improvements to our application, company culture, and recruitment process.
Managing employee onboarding, including promotions, transfers, and secondments.
Fulfilling your employment agreement.
Administering pay and benefits, expense reimbursement, and leaves.
Processing employee work-related claims (e.g., worker compensation or insurance claims).
Conducting training and performance reviews.
Ensuring compliance with our employee policies and security requirements.
Evaluating and improving employee safety.
Gathering evidence for internal investigations, litigation, disciplinary action, termination, or related activities.
Managing acquisitions, mergers, and reorganizations or sale of some or all of a company.
Complying with applicable laws, regulations, internal reporting needs, legal processes or enforceable governmental requests.
For other purposes that you would reasonably expect, or for which we provide specific notice at the time the information is collected.

In addition to using your personal data for the position for which you have applied, we may retain and use your personal data to inform you about and consider you for other positions that may be appropriate for you with your consent. If you do not want us to consider you for other positions, you may contact us as specified below under Contact Us and we will remove your personal data for that purpose.

We will only process your personal data for the purposes we collected it for or for compatible purposes. If we need to process your personal data for an incompatible purpose, we will provide notice to you and, if required by law, seek your consent. We may process your personal data without your knowledge or consent only where required by applicable law or regulation.

We may also process your personal data for our own legitimate interests, including for the following purposes:

To prevent fraud.
To ensure network and information security, including preventing unauthorized access to our computer and electronic communications systems and preventing malicious software distribution.

You will not be subject to hiring decisions based solely on automated data processing without your prior consent.

Collection and Use of Special Categories of Personal Data

The following special categories of personal data are considered sensitive under the laws of your jurisdiction and may receive special protection:

Racial or ethnic origin.
Political opinions.
Religious or philosophical beliefs.
Trade union membership.
Genetic data.
Biometric data.
Data concerning health.
Data concerning sex life or sexual orientation.
Data relating to criminal convictions or offenses.

We may collect and process the following special categories of personal data when you voluntarily provide them, or we receive them from a third party with your consent, when relevant for a particular position to carry out our obligations under employment law, or as applicable law otherwise permits:

Physical or mental health condition or disability status to determine appropriate workplace accommodations and evaluate fitness for a particular position.
Race or ethnic origin to comply with statutory obligations.
Previous criminal charges or convictions where relevant for the position.

Where we have a legitimate need to process special categories of personal data about you for purposes not identified above, we will only do so only after providing you with notice and, if required by law, obtaining your prior, express consent.

Data Sharing

We will only disclose your personal data to third parties where required by law or to our employees, contractors, designated agents, or third-party service providers who require such information to assist us with administering the recruitment process, including third-party service providers who provide services to us or on our behalf. We may use third-party service providers for various purposes, including, but not limited to, obtaining employment verification and background checks, and data storage or hosting. These third-party service providers may be located outside of the country in which you live or the country where the position you have applied for is located.

We require all our third-party service providers, by written contract, to implement appropriate security measures to protect your personal data consistent with our policies and any data security obligations applicable to us. We do not permit our third-party service providers to process your personal data for their own purposes. We only permit them to process your personal data for specified purposes in accordance with our instructions.

We may also disclose your personal data for the following additional purposes where permitted or required by applicable law:

To other members of our group of companies for the purposes set out in this Privacy Notice and as necessary to administer the application and recruitment process.
As part of our regular reporting activities to other members of our group of companies.
To comply with legal obligations or valid legal processes such as search warrants, subpoenas, or court orders. When we disclose your personal data to comply with a legal obligation or legal process, we will take reasonable steps to ensure that we only disclose the minimum personal data necessary for the specific purpose and circumstances.
To protect the rights and property of Druva.
During emergency situations or where necessary to protect the safety of persons.
Where the personal data is publicly available.
If a business transfer or change in ownership occurs and the disclosure is necessary to complete the transaction. In these circumstances, we will limit data sharing to what is absolutely necessary, and we will anonymize the data where possible.
For additional purposes with your consent where such consent is required by law.

Legal Basis for Processing

If you or the Druva role are located in Europe, Druva’s legal basis or grounds for collecting and using your personal information as described in this Privacy Notice falls into the following categories under applicable law. The specific ground will depend on the information concerned and the specific context and purposes for which Druva collects it.

Legitimate Interest: Druva processes certain data for recruitment, employment, and corporate legitimate interests of Druva and third parties and considers individual privacy impacts. Legitimate interests for Druva and third parties include administering an efficient recruitment process, managing and accessing applicants effectively, and Druva’s future interests to reconnect talented individuals with future opportunities. Druva will not rely on this ground where your interests and fundamental rights outbalance and override in our reasonable view.
Performance of a Contract: Druva processes personal information to perform our obligations under an agreement we have with you or to take steps prior to entering an employment contract with you, where you are considered for employment. For example, we use your personal information to make you a job offer or complete a contract of employment or services with you.
Other Legal Bases: In some cases, Druva may have a legal obligation to process your personal information, such as in response to a court or regulator order. Druva may also need to process your personal information to protect vital interests, or to exercise, establish, or defend legal claims.
Consent: In some cases, Druva asks you for your consent to process your personal information for specific activities/initiatives. You can withdraw your consent at any time, which will not affect the lawfulness of the processing before your consent was withdrawn. If you would like to withdraw your consent, you can do so by contacting us as provided in the “How to contact us” section below.

In some cases, such as background checks, you may also advise the third-party service provider of a consent withdrawal.
When personal information is required.

Druva will inform you if there is a legal or recruitment business requirement to provide personal information. Generally, we will ask for what is reasonably necessary. If you are unable to provide the requisite information, we will explain any consequences or delays regarding your applications. Druva considers the various lawful bases available and the most suitable under applicable law.

Where Druva or a third party seeks consent for certain processing purposes in accordance with applicable law, you should not feel obliged to provide this information. Consent is a voluntary ground. You will have a choice regarding the specific processing initiative and whether or not to provide the information.

We may have additional lawful bases and grounds where Sensitive Personal Information is processed.

International Data Transfers

Where permitted by applicable law, we may transfer the personal data we collect about you to the United States and other jurisdictions that may not be deemed to provide the same level of data protection as your home country for the purposes set out in this Privacy Notice. If you are located in the EU, we have implemented Standard Contractual Clauses to secure the transfer of your personal data to the United States and other jurisdictions.

Data Security

We have implemented appropriate physical, technical, and organizational security measures designed to secure your personal data against accidental loss and unauthorized access, use, alteration, or disclosure. In addition, we limit access to personal data to those employees, agents, contractors, and other third parties that have a legitimate business need for such access.

Data Retention

Except as otherwise permitted or required by applicable law or regulation, we will only retain your personal data for as long as necessary to fulfill the purposes we collected it for, as required to satisfy any legal, accounting, or reporting requirements, or as necessary to resolve disputes. To determine the appropriate retention period for personal data, we consider our statutory obligations, the amount, nature, and sensitivity of the personal data, the potential risk of harm from unauthorized use or disclosure of your personal data, the purposes we process your personal data for, and whether we can achieve those purposes through other means. We specify the retention periods for your personal data in our Record Retention Policy.

Under some circumstances we may anonymize your personal data so that it can no longer be associated with you. We reserve the right to use such anonymous and de-identified data for any legitimate business purpose without further notice to you or your consent.

If you are offered and accept employment with Druva, the personal data we collected during the application and recruitment process will become part of your employment record, and we may use it in connection with your employment consistent with our employee personal data policies. If you do not become an employee, or, once you are no longer an employee of Druva, we will retain and securely destroy your personal data in accordance with our Records Retention Policy and applicable laws and regulations.

Rights of Access, Correction, Erasure, and Objection

It is important that the personal data we hold about you is accurate and current. Please keep us informed if your personal data changes during the recruitment process. By law you may have the right to request access to, correct, and erase the personal data that we hold about you, or object to the processing of your personal data under certain circumstances. You may also have the right to request that we transfer your personal data to another party. If you want to review, verify, correct, or request erasure of your personal data, object to the processing of your personal data, or request that we transfer a copy of your personal data to another party, please contact us at privacy@druva.com. Any such communication must be in writing.

We may request specific information from you to help us confirm your identity and your right to access, and to provide you with the personal data that we hold about you or make your requested changes. Applicable law may allow or require us to refuse to provide you with access to some or all of the personal data that we hold about you, or we may have destroyed, erased, or anonymized your personal data in accordance with our record retention obligations and practices. If we cannot provide you with access to your personal data, we will inform you of the reasons why, subject to any legal or regulatory restrictions.

Additional Information for California Residents

For California residents, if you are submitting a request to access, please specify whether you would like to access personal information categories or specific pieces of personal information. In addition to many of the rights described above, California residents have the right to opt out of a business’s sale of your personal information or sharing of your personal information to third parties for targeted advertising. Druva does not sell your personal information or share your personal information with third parties for targeted advertising. Druva also does not use your Sensitive Personal Information for any purpose other than to operate our business, for legitimate recruitment-related purposes, or where otherwise permitted by, or necessary to comply with, applicable laws, and therefore does not provide a right to limit the use of Sensitive Personal Information.

When you submit a request, Druva will first acknowledge receipt of your request within 10 business days after receipt of your request. Druva will provide a substantive response to your request within 45 calendar days after its receipt. If Druva requires additional time (up to 90 days or the permitted time frame), we will inform you of the reason and extension period in writing.

Only you or an authorized agent (as described below) may make a verifiable consumer request related to your personal information.

How to Authorize an Agent. You may designate an authorized agent to submit your verifiable consumer request on your behalf only if the authorized agent has your written permission to do so and you have taken steps to verify your identity directly with us.
How We Verify Your Request. To respond to your request, Druva must verify your identity and/or the authority of your authorized agent. We will only use the personal information provided to us in that context to verify your identity or the authority of your authorized agent to make the request. Making a verifiable consumer request does not require you to create an account with us. To allow us to verify your request, we may require that you provide at least two pieces of personal information that we already have in our possession if we cannot already verify you. We will verify your consumer request by comparing the information you provide to information already in our possession and take additional steps to minimize the risk of fraud.

Right to Withdraw Consent

Where you have provided your consent to the collection, processing, and transfer of your personal data, you may have the legal right to withdraw your consent under certain circumstances. To withdraw your consent, if applicable, contact us at privacy@druva.com.

Data Protection Officer

We have appointed a Data Protection Officer to oversee compliance with this Privacy Notice. If you have any questions about this Privacy Notice or how we handle your personal data, or would like to request access to your personal data, please contact the Data Protection Officer at: privacy@druva.com. If you are unsatisfied with our response to any issues that you raise with the Data Protection Officer, you may have the right to make a complaint with the data protection authority in your jurisdiction by contacting the data protection authority.

Changes to This Privacy Notice

We reserve the right to update this Privacy Notice at any time, and we will provide you with a new Privacy Notice when we make any updates. If we would like to use your previously collected personal data for different purposes than those we notified you about at the time of collection, we will provide you with notice and, where required by law, seek your consent, before using your personal data for a new or unrelated purpose. We may process your personal data without your knowledge or consent only where required by applicable law or regulation.

Contact Information

If you have any questions, comments, or concerns about Druva’s processing activities, or need access to this Notice in an alternative form due to having a disability, please contact the privacy team at privacy@druva.com.