Compliance Framework

Privacy Policy

This document outlines the protocol for data handling within the Rare Professions Multi-Tenant Ecosystem. It details the rights of Candidates, the obligations of Subscribers, and our role as the Platform Provider.

Effective Date: January 25, 2026

1. Definitions & Scope

This Privacy Policy applies to the Rare Professions Platform ("Service"). For the purposes of this policy, we distinguish between:

  • "Subscribers": Recruitment Agencies or Corporate Entities using our SaaS infrastructure to manage their own recruitment processes.
  • "Candidates": Individuals submitting profiles via the Platform, either directly to Rare Professions or to a specific Subscriber.
  • "Platform Data": Data owned and controlled by Rare Professions (e.g., website metrics, internal candidate pool).
  • "Tenant Data": Data uploaded by Subscribers (e.g., their private candidate lists). Rare Professions acts strictly as a Data Processor for Tenant Data.

2. Information Collection

We collect information in the following capacities:

A. Candidate Data

Name, contact details, CV/Resume parsing data, skills taxonomy, employment history, and psychometric assessment results (if applicable).

B. Subscriber Data

Business registration details, authorized user credentials, billing information, and proprietary job descriptions.

Automated Collection: We utilize cookies, server logs, and behavioral analytics to monitor system performance, load balancing, and security integrity.


3. Data Processing & Algorithmic Logic

Rare Professions utilizes proprietary algorithms to match Candidates with Job Opportunities. By using the Service, you acknowledge:

  • Matching Logic: Our system processes semantic data from resumes to score relevance against job descriptions.
  • Bias Mitigation: While we strive for algorithmic neutrality, the final hiring decision rests solely with the Subscriber (Employer).
  • Data Isolation: Data uploaded by a Subscriber is logically isolated via multi-tenant architecture. Candidate data owned by "Agency A" is strictly inaccessible to "Agency B" unless the Candidate has explicitly applied to both.

4. Disclosure of Information

We do not sell personal data. Disclosure occurs strictly under these conditions:

  • Functional Necessity: Candidate profiles are shared with the specific Subscriber (Agency) to whom the application was submitted.
  • Sub-Processors: We utilize trusted third-party infrastructure providers (e.g., AWS, Vercel, MongoDB Atlas) for hosting, storage, and database management. All sub-processors are bound by Data Processing Agreements (DPA).
  • Legal Compliance: We may disclose data if compelled by a court order, law enforcement, or to prevent imminent physical harm.


5. Security Architecture

We employ a defense-in-depth strategy including but not limited to:

  • Encryption: Data is encrypted at rest (AES-256) and in transit (TLS 1.3).
  • Access Control: Role-Based Access Control (RBAC) enforces strict least-privilege access for internal staff.
  • Penetration Testing: Regular security audits and vulnerability scanning.

Disclaimer: While we implement state-of-the-art security, no SaaS infrastructure is immune to zero-day vulnerabilities. Users are responsible for maintaining the confidentiality of their credentials.

6. User Rights (GDPR/CCPA)

Depending on your jurisdiction, you possess rights to Access, Rectification, Erasure ('Right to be Forgotten'), and Portability. If you are a Candidate managed by a Subscriber, your request should be directed to that Subscriber (the Data Controller). If you are a direct user of Rare Professions, contact our DPO.

7. Cross-Border Data Transfer

As a global recruitment platform, data may be processed in jurisdictions with differing data protection laws. We rely on Standard Contractual Clauses (SCCs) and adequacy decisions to legitimize international transfers.

DPO Contact

For formal inquiries regarding Data Sovereignty or Subject Access Requests (SARs), please contact our Legal Compliance Unit.