Compliance Architects LLC (hereinafter, “CA”) is a specialized management consulting firm delivering quality, compliance and regulatory consulting services for our clients. We respect our third-party contractors and business partners and are committed to protecting your privacy and maintaining the security of your personal information. We treat personal data in accordance with applicable international, federal, state, and local data protection laws. CA is committed to being a good steward of this information and will take all the necessary steps to ensure that this information is protected. The purpose of this data privacy policy is to inform you of the personal data we may collect, how we use it, and how we protect it. If you have any questions or concerns about this privacy policy or about the controls in place to protect your personal data, please contact us at privacy@compliancearchitects.com.
This data privacy protection policy only applies to independent contractors, third-party companies, and/or other independent entities that perform work on behalf of CA for our client companies. Other CA privacy and data protection policies may be in effect for other situations, as appropriate.
Personal Data and Information We Collect
CA collects and retains certain personal data and sensitive personal data (by which we mean either a special category of personal data or data relating to criminal convictions and offences, as permitted under applicable laws) about you that you have provided to us. This data may be encrypted and/or password protected before being saved on our systems.
The personal data and information collected may include, but is not limited to, the following information you may have provided to us:
- Identification Information including name, gender, age, date of birth, race or ethnicity, veteran status, personal and/or business telephone number(s), personal and/or business email address(es), home or business address(es), contact details, government-issued identification numbers such as national identification, national passport(s), visas, social security, or driver’s license number, photographs, demographic information, citizenship, nationality, marital status and emergency contact information provided.
- Resumes, and/or Documents that Include Educational and Professional Details including higher/further education, certifications, licenses, previous employment history, professional skills, specialized training, etc.
- Background check reports including financial, credit/debt, educational, employment checks, and reference checks in accordance with applicable law.
- Financial Information including bank account details, tax status, W-9 documents, income tax and other documents relevant to contracting and processing financial information within our contractual relationship.
- Information about your performance at prior consulting or employment situations, including location of employment or workplace, performance management documents and/or disciplinary information, as well as opinions expressed by your colleagues, individuals who you manage, supervisors, and clients of CA.
- Travel and Expenses Information including passport, visa details, bank account details, expense details, supporting bills.
- Information collected as part of CA or client surveillance and monitoring such as CA computer tools and systems surveillance data (if applicable), client physical access logs or surveillance records, client computer activity logs, and/or data and activity logs from systems and information conveyed over CA communication channels etc.
- Emergency contact details such as your personal phone number and personal email address and your approximate location that you may choose to share with us, for us to contact you in case of an emergency or crisis.
- CA time and recordkeeping information including time keeping logs and/or expense reports and supporting information from CA and/or client’s system.
- As you need to access CA systems remotely, we may collect information about your network access and your cloud access security related information such as the Internet Protocol (IP) address of your connected devices used for work purposes.
Sensitive personal data collected that you may have provided to us may include:
- Information relating to your Health such as physical examination results, accident and injury reports, disability status, results from pre-contracting drug screens, etc.
- Accommodation for disabilities – In certain instances, we may receive or request information related to health such as disability status in order to make any necessary accommodations during your work for CA.
- Information related to racial, ethnic origin or religious beliefs collected as a result of diversity surveys, as permitted under applicable laws.
- Data relating to criminal convictions and offences collected from background checks, as needed for client contract performance, and as permitted under applicable laws.
This information will be collected by CA in several ways through multiple channels while working with our organization and over the duration of our relationship with you:
- Directly from you (via on-boarding online application(s), telephone, email and in person), or in circumstances in which you have been engaged by CA or expressed an interest in future client consulting related opportunities with CA.
- Through referrals from our employees, contractors, and business contacts.
- From third parties (through recruitment agencies and background verification agencies), which may also include public sources such as professional networking platforms.
Purposes of Processing Your Personal Data
To meet a variety of legal obligations, minimize operational risk, and ensure we work with qualified and reputable third parties at our client sites and with our clients, CA must collect and process information about you for normal staff contracting purposes. CA will not exploit this data in any way, nor will we sell or provide this data to any third party for commercial gain. The information we hold and process will be used for our management and administrative use only. We will keep and use it to enable us to run the business and manage our relationship with you effectively, lawfully and appropriately, during your capability and skills screening, affiliation and contracting process, while you are working for us, at the time when your contract ends and after you have left. This includes using your personal data to enable us to comply with our contract with you, to comply with any legal requirements, pursue our legitimate interests and protect or defend our legal position in the event of legal proceedings. If you do not provide this data, we may be unable in some circumstances to comply with our legal or contractual obligations and we will tell you about the implications of that decision. Your willingness to contract with CA constitutes your explicit acceptance of this Data Protection and Privacy Policy, and your acknowledgement of your notice of, and considerations of the implications of, these provisions. Some of the key processing activities may include:
- Timekeeping – We will ask you to input detailed information about your working time and client activities with us to enable us to track your working hours, bill clients for such time, and permit you to be paid by us for such services.
- Administration of Pay/Compensation – This information is requested as necessary for the performance of our obligations under your consulting agreement. If you do not provide the information requested, we will be unable to pay you the agreed compensation.
- Pay Taxes – Depending on the jurisdiction, or types of services, we may be legally obliged to pay certain taxes on your earnings, and if so, we will use the information provided by you to meet our legal obligations.
- Background Verification – We engage third-party vendors to carry out background verification checks including identity verification, educational verification, employment verification and criminal verification, as permitted under applicable laws, to pursue the legitimate business interest of the company, and on behalf of clients and in certain cases, established client obligations, and to comply with applicable legal requirements and where permissible under local law.
- Staff Administration – We keep contractor records in line with industry practice and as permitted under applicable laws, including information relating to work history with CA, CV (resume), references, and other client work performance related data. We keep a copy of your consulting agreement and any correspondence with you in the event of cessation of your immediate client engagement, or termination of your consulting agreement.
- Travel and Expense – From time to time, we may process personal data and engage travel and immigration vendors to facilitate consultant travel to client sites, validate expenses and relevant bills/ supporting in line with CA or our clients’ travel and expense policies.
- Monitoring and Surveillance – We monitor and record computer use in certain cases as permitted under applicable laws to provide for the safety and security of the company, the company’s clients and other stakeholders, including its assets and its staff, and in some cases we will be legally required to do so.
- Audit Compliance – We may process personal data as part of our audit processes and be required to host and receive third-party auditors, from time to time, in pursuit of our legitimate business interests to keep accurate records. We have ensured that only personal data absolutely necessary is processed during such audits in order to comply with applicable laws or specific contractual obligations.
- New Engagement Opportunities – We may retain relevant documents containing your personal data for future engagement related opportunities, to ensure you have maximum potential for engagement on future business opportunities and in pursuit of our legitimate business interests. As a general rule, we do not share this information, including your resume and/or name, with any client without your express permission.
- Disclosure of CV and Background Screening Information to Clients – In certain cases we may be required by CA clients to provide CV and background information directly to client companies either in anticipation of, or as part of, client service delivery. We will work with you to ensure the least information possible is provided and will minimize disclosures to clients to the maximum extent possible within our contractual obligations.
- Prevention of Fraud – We may process your personal data for the purpose of fraud prevention.
- Reporting Potential Crimes – We may process your personal data for the purpose of detecting and reporting potential crimes where permissible or required under federal, state or local law.
- Documents Produced by Contractors – We may store documents and records that are produced either solely by you or in combination with others, which may contain your personal data, for example your name, details of your role, and your CV, as permitted under applicable laws, and these may be shared with clients in the course of carrying out your duties and the business of the company, in pursuit of our legitimate business interests.
- Health and Safety and Occupational Health – Where necessary, we may process sensitive personal data relating to your health in order to comply with our health and safety and occupational health obligations, to consider how your health may affect your ability to do your assignment and whether any adjustments to your assignment might be appropriate. CA will process such information only based on your explicit consent or as otherwise legally permitted, to protect your vital interests, for the establishment or defense of legal claims, to facilitate medical diagnosis/ assistance/ treatment, and/or for the assessment of your working capacity.
- Equal Opportunity or Treatment – We may process sensitive personal data relating to your racial or ethnic origin and/or religious beliefs, in each case, as permitted under applicable laws, for the purposes of monitoring the existence or absence of equality of opportunity or treatment between groups of individuals. Such processing will only be carried out based on your explicit consent and you have the right to withdraw that consent at any time.
- Emergency Communication: During emergency situations (such as the Covid-19 pandemic) we may need to process personal data in order to send important company communication. We may ask you to confirm your well-being and your whereabouts in such emergency situations, as permitted under applicable laws, in order for us to monitor your health and safety for the safety and security of the company and its staff. Where required by the law such processing will be carried out based on your explicit consent.
Data Monitoring & Security
Monitoring for security purposes
We have implemented industry standard security measures to help us to keep our systems and business safe and secure. The security measures implemented for the processing of personal data either routinely or occasionally (as appropriate) include, but are not limited to:
- Email Security – We have email security measures in place that involve automated scanning of incoming and outgoing emails for potential threats. Threats, such as phishing emails or malware may be escalated to CA information technology security specialists for analysis and action.
- Activity Logs – We have audit trail capabilities as part of our automated systems to track who accesses, views, edits, downloads and otherwise processes data. This means that we have access to information about your usage of login credentials, websites and applications which may be referred to in the event of an issue.
- Multi-Factor Authentication (MFA) – If we provide you access to CA IT resources, we may additionally require you to enable multi-factor authentication by requiring you to install an application on your business or personal mobile device which will be used to verify your identity using a second factor (such as push notification), in addition to verification by password. MFA is an industry best practice to enhance security and verify user identity. Device and device ID data is not used in any way other than to send you a verification request on your unique device and grant you access to CA IT resources.
This processing is necessary for the purposes of the legitimate interests pursued by us to keep our business data and your personal data secure and confidential and in some cases to protect or defend our legal rights.
Monitoring for productivity, engagement, and performance
Business Intelligence and Analytics: We may use workplace analytics tools to monitor at individual and aggregate level, as permitted under applicable laws, your level of engagement and key performance indicators of the services CA provides to its clients. The data we receive may be used for understanding the productivity of the team or function you are a member of and other performance indicators, such as accuracy of processing, and ultimately to serve our clients better. It is our legitimate business interest to conduct such analysis, gather business intelligence and manage productivity and performance.
Monitoring Through Email Analytics: We may use email analytics tools in order to understand the ability of our contractors across the company to come together in engaging on different projects, as permitted under applicable laws. The data we receive through email analytics may be used to monitor engagement and collaboration patterns of employees and contractors, based on various parameters, such as team members they work with and projects they work on. It is our legitimate business interest to conduct such analysis to help improve employee and contractor productivity.
We may also send targeted and relevant emails to employees and contractors to effectively distribute organizational information and leadership messages. In order to assess the effectiveness of organizational information and leadership messages we may gather metrics, such as email open rate, read rate and time spent on reading such emails, to understand and improve our staff’s engagement with such emails.
In the future, if we intend to process your personal data for a purpose other than that mentioned above, we will update this policy accordingly.
With Whom We May Share Your Personal Data
We may use carefully selected third parties to carry out certain activities to help us to run our business (such as payment processing, cloud service providers, IT support vendors, etc.), to facilitate your travel and expense (corporate card vendors, travel and immigration vendors), to carry out background verification (background verification agencies) and to facilitate audits (third-party auditors) and for other business critical purposes.
- Where required or permitted by law, information may be provided to others, such as regulators and law enforcement agencies.
- We may share personal data with our clients, their third-party service providers, and/or our third-party service providers, as detailed below:
- Where required for your role, your business contact details may be shared with our clients and suppliers.
- During the course of your engagement on certain clients’ accounts, we may be required to share your personal data with our clients, their third-party service providers, and/or our third-party service providers. We may share your personal data with the respective client for its legitimate interest or its legitimate business reasons, such as, for example, for the prevention and detection of fraud, or to enable access to client systems. On a case-by-case basis, it may be necessary to share personal data such as your name, home address, date of birth, nationality and citizenship, passport, national identification, social security, or driver’s license number to perform our services for the respective client or their or our third-party service providers.
- We may also be required to share your personal data with our clients, their third-party service providers, and/or our third-party service providers to enable remote working for you in the context of emergency situations, such as the Covid-19 pandemic or a business continuity plan. On a case-by-case basis, as permitted by applicable laws, it may be necessary to share personal data such as:
- your name and personal mobile phone number for the purpose of re-routing the incoming calls to your personal mobile phone.
- your name and home / domicile address for the purposes of enabling the respective client to deliver to you the equipment necessary for performing the daily working tasks remotely (e.g., laptops), based on the hand-over protocols signed by you directly with the respective client.
- your name and personal email address and/or cloud security related information (e.g., IP address), where necessary and/or required by the client, for the purpose of ensuring effective communication in case of emergency situations.
- We may also be required to share your personal data with our clients, their third-party service providers, and/or our third-party service providers to enable remote working for you in the course of our normal engagement with our clients in accordance with the agreed contractual terms.
- Where your personal data is shared it will only be shared on a strictly necessary basis and only for as long as it is necessary in accordance with applicable data protection laws. A client in certain circumstances may need to fulfil its legal and regulatory obligations in certain sectors and require personal data to confirm your identity and to assess your fitness and suitability to provide services to the client.
- We may also share your CVs and background verification status with our clients, upon request, to comply with our contractual obligations, as permitted under applicable laws.
- From time to time, we may consider corporate transactions such as a merger, acquisition, reorganization, asset sale, or similar. In these instances, we may transfer or allow access to information to enable the assessment and undertaking of that transaction. If we buy or sell any business or assets, personal data may be transferred to a third party involved in the transaction.
Security
We have implemented industry standard security measures to keep your personal data secure and confidential, including but not limited to:
- Limiting access to any personal data that may be submitted by you, to those CA employees and contractors strictly on a need-to-know basis, such as to respond to your inquiry or request.
- Implemented physical, electronic, administrative, technical and procedural safeguards that comply with all applicable laws and regulations to protect your personal data from unauthorized or inappropriate access, alteration, disclosure and destruction. It is important for you to protect against unauthorized access to your password and to your computer, and your obligation relative to our systems is to maintain complex, at least 16 character passwords, and enable two-factor authentication (2FA) when available.
- CA consultant contractors and third-party providers who misuse personal data are subject to measures which may lead to the termination of engagement. If such activity constitutes intentional nefarious conduct, referrals may be made to appropriate law enforcement agencies.
International Transfers of Personal Data for Client Engagement Purposes
We transfer personal data to clients that maintain international business operations for the purposes described above. We may also transfer personal data to their or our third-party service providers outside of the US as described above. Your personal data may be stored in databases located outside of the US. The database may be controlled by an administrative staff located outside the US and can be accessed electronically.
Where we transfer personal data outside of the US, we either transfer personal data to countries that provide an adequate level of protection equivalent to what is stated within this policy, or we have appropriate safeguards in place. Appropriate safeguards to cover these transfers are in the form of standard contractual/data protection clauses.
Where we transfer personal data outside the US, we have covered these transfers by entering into standard contractual clauses in alignment with provisions mandated for privacy by the European Commission. If you would like more information on any of the data transfer mechanisms on which we rely, please contact us at privacy@compliancearchitects.com.
Period for Which Personal Data Will Be Stored
We store personal data in line with legal, regulatory, financial and best-practice business requirements. To ensure your availability, fit and capabilities for consulting work, your personal data will be collected, stored and processed by us before, during and after you are engaged with us. At your request, we will securely delete/destroy your records and related documents containing your personal data as soon as practicable and in line with our data retention policies, and any legal or regulatory requirements.
If you have expressed an interest in working for us in the future (e.g., under a temporary, contract or full-time arrangement) we will retain relevant records and documents containing your personal data, for future engagement-related opportunities. For more information on where and how long your personal data is stored, and for more information on your rights of erasure and portability, please contact us at privacy@compliancearchitects.com.
Your Rights
You have a right to:
- Request access to your personal data and request details of the processing activities conducted by CA.
- Request that your personal data is corrected if it is inaccurate or incomplete.
- Request erasure of your personal data in certain circumstances.
- Request restriction of the processing of your personal data by CA in certain circumstances.
- Object to the processing of your personal data in certain circumstances.
- Receive your personal data in a structured, commonly used and machine-readable format in certain circumstances.
- Withdraw any consent you have provided to us at any time by contacting us.
- Request full deletion of any and all data if you have no further intent or desire to remain in, be asked about, or participate in any business relationship with CA.
To exercise the rights outlined above in respect of your personal data, you may submit a data subject request to privacy@compliancearchitects.com.
Changes to This Privacy Notice
This privacy notice was updated by CA in January of 2023. To ensure you understand our current privacy practices, you are asked to review this Privacy Policy at least annually to understand your rights and participation under this policy.
Contact
The most senior executive of CA is the controller of data for the purposes of applicable legal and regulatory requirements and expectations in all jurisdictions. For more information about CA, please visit our website at https://compliancearchitects.com. This policy will always be located at the following CA website address: https://compliancearchitects.com/consultant-privacy
Thank you for your ongoing trust and relationship with Compliance Architects LLC.