About this notice
This Candidate Privacy Notice explains how personal data is collected and used when you receive an invitation to complete a cybersecurity assessment on the CyberHire platform.
If you are a business customer or a visitor to our marketing site, please read our main Privacy Policy instead.
Who the controller is
When you take an assessment, the company that invited you (the "Customer") is the controller of your personal data. They decide why and how your data is processed, and they hold the primary relationship with you for the purposes of this assessment.
CyberHire Limited operates the assessment platform and acts as a processor, handling your data strictly on the Customer's written instructions and under a Data Processing Addendum. If you have a question about why you are being assessed, what role you are being considered for, or how the Customer will use the result, please contact the Customer directly - usually the hiring team or HR contact who invited you.
Certain narrow processing activities are carried out by CyberHire as an independent controller - for example, platform security and fraud prevention, preventing multiple concurrent assessments for the same candidate, and complying with our own legal obligations. Where that is the case, this notice explains our legal basis.
What personal data we process
We collect and process the following categories of personal data about you when you take an assessment:
Information provided by the Customer or by you
- Your name and email address (provided by the Customer when they invite you).
- Optional profile information you choose to add (e.g. a profile picture).
- A password if you create a candidate account - stored as a bcrypt hash, never in plain text.
- If you enable multi-factor authentication, the MFA secret used to generate time-based codes, stored encrypted at rest.
Assessment activity
- Your answers to each question or challenge.
- Timestamps for when you started, submitted, and completed each task.
- Scores calculated from your answers.
- Any commands you run inside a challenge environment (for technical challenges that run on an ephemeral Linux virtual machine - see below).
- Whether you used any hints or marked items for review.
Challenge environments
Some challenges run inside a dedicated, ephemeral Linux virtual machine provisioned just for you on our infrastructure provider (Fly.io). The VM is bound to your assessment attempt and is destroyed once you finish or time out. Activity inside the VM (commands, files created, artefacts) is associated with your assessment result for the Customer to review and is retained according to the retention policy below.
Integrity signals
CyberHire supports three "integrity modes" the Customer can configure per assessment. Each mode captures a different amount of information about how you take the test. The mode that applies to your assessment is displayed on the assessment introduction page before you start.
| Mode | What is captured |
|---|---|
| Standard | Number of times you switch away from the assessment tab and return; number of paste actions into answer fields; number of screens detected on your device; timestamps for these events; your User-Agent string; your IP address and approximate location (country and city only, derived from an offline geolocation database - no precise coordinates). |
| Secure | All of the above, plus continuous screen-count monitoring during the assessment; a per-question browser fingerprint used to detect session hijacking; and additional events such as copy, cut, right-click, keyboard shortcuts known to bypass integrity controls, and attempts to open developer tools. |
| Proctor | All of the above, plus periodic webcam snapshots (still images, not continuous video) captured at configurable intervals during the assessment. Webcam capture requires your explicit in-browser consent and is disclosed to you before you start. You can decline the assessment if you are not comfortable with webcam capture. |
Integrity signals are shared with the Customer alongside your result so they can review the conditions in which the assessment was taken. We do not make any hiring decision based on these signals; the Customer decides how to interpret them.
Technical and session data
- Your IP address, which we use to detect abuse (for example, many attempts from the same address) and to derive your approximate location (country / country code / city) using an offline IP database (DB-IP Lite). We do not resolve precise coordinates, postal address, or street.
- Your User-Agent string and basic browser / device information.
- Authentication tokens, session duration, login timestamps.
What we do not collect
- We do not record continuous webcam video or audio. Webcam mode captures still images only.
- We do not enable keystroke biometrics or attempt to identify you from how you type.
- We do not access files on your device outside the challenge environment.
- We do not monitor your screen or webcam between assessments.
- We do not run advertising pixels or tracking cookies on the candidate assessment interface.
Legal bases for processing
Where CyberHire processes your data on behalf of the Customer, the Customer determines and relies on their own lawful basis (usually the performance of a contract, or the Customer's legitimate interest in hiring). Contact the Customer to understand their specific basis.
Where CyberHire processes your data as an independent controller (primarily for platform security and fraud prevention), we rely on our legitimate interests (UK GDPR Art. 6(1)(f)) - running a secure platform for all users.
Where the mode involves webcam capture, the Customer relies on your consent (Art. 6(1)(a)), collected in-browser immediately before any capture occurs. You can withdraw that consent at any time by closing the assessment; we will stop capturing further images. Already-captured images are retained subject to the retention rules below, unless you exercise your right to erasure (see below).
Who we share your data with
- The Customer - your answers, scores, integrity signals, webcam snapshots (if Proctor mode was enabled), and assessment session metadata are visible to authorised reviewers at the Customer.
- Our sub-processors - a small set of service providers that help us run the platform (email, payments, file storage, infrastructure, AI generation of challenges). The full list is at Sub-processors. Each is bound by a written processor contract with UK GDPR Article 28 terms.
- Law enforcement, regulators or courts, only where we are legally required to do so.
We do not sell your data. We do not share assessment data with other Customers.
International transfers
Our primary infrastructure is in the United Kingdom. Some of our sub-processors are established in the United States (for example, Anthropic for AI challenge generation). Where personal data is transferred outside the UK, we rely on UK adequacy regulations, the UK International Data Transfer Agreement (IDTA), or the UK Addendum to the EU Standard Contractual Clauses, as appropriate. Full details are in our Privacy Policy.
How long we keep candidate data
Unless the Customer instructs us otherwise in writing (subject to applicable law), we retain candidate assessment data for 24 months from the date the assessment closes. This covers:
- Your answers and scores
- Integrity signals (tab switches, paste events, screen counts, etc.)
- Webcam snapshots, where Proctor mode was used
- IP address and derived approximate location
- Challenge-environment logs and artefacts
After 24 months, these records are deleted or anonymised. Note that the Customer may export a copy of your result for their own records before the retention period ends - any such export is held by the Customer under their own retention policy; contact them directly to find out how long they keep it.
If you are invited to further assessments by a different Customer, those assessments start their own 24-month clock and are stored separately.
Your rights
You have the following rights under UK GDPR in relation to your personal data:
- Access - a copy of your personal data
- Rectification - correction of inaccurate data
- Erasure - deletion in defined circumstances
- Restriction - limitation of processing in defined circumstances
- Portability - a structured, machine-readable copy
- Objection - to processing based on legitimate interests
- Withdraw consent - where processing is based on consent (e.g. webcam capture)
- Not to be subject to solely-automated decisions that produce legal or similarly significant effects
How to exercise your rights
- For assessment data (answers, scores, integrity signals, webcam snapshots): the Customer is the controller. Please contact the hiring team or HR contact who invited you. If you cannot reach them, or you do not know who the Customer is, email us at legal@cyber-hire.com and we will help you identify the right contact and pass the request on.
- For your CyberHire candidate account itself (name, email, password, profile): email us directly at legal@cyber-hire.com. We will respond within one calendar month.
We do not make hiring decisions based on automated processing. Any automated scoring of your answers is reviewed by the Customer before any hiring decision is made.
Security
We protect candidate data with the same technical and organisational measures set out in Annex II of our Data Processing Addendum, including encryption in transit and at rest, role-based access, audit logging, and documented incident response.
How to complain
If you are unhappy with how your data has been handled, please contact us first at legal@cyber-hire.com, or the Customer directly. You also have the right to complain to the UK Information Commissioner's Office at ico.org.uk, or - if you are in the European Economic Area - your local supervisory authority.
Contact
Our Data Protection Officer is Michael Carthy. You can reach the DPO at legal@cyber-hire.com.