GDRP Compliance Analysis
Last Updated: November 1, 2023
Under the GDPR, Uptomic is a Data Processor, and our customers are Data Controllers.
- Uptomic’s Data Protection Officer & Security Officer - Michael Galkovsky (michael@uptomic.co)
- Uptomic’s Compliance Officer - Kevin Brown (kevin@uptomic.co)
Service Statement
CV and Job Parsing and Formatting
Uptomic SaaS service does not store documents sent to it for parsing or formatting, nor does it store the results from such processing. All processing takes place in memory. Neither documents nor results are ever written to disk or any other persistent storage unless directed so by customers, in which case the storage is owned and controlled by the customer and not Uptomic. Typically processing time is less than 3 seconds, after which the memory is reclaimed.
GDRP Applicable Articles
The following sections identify articles from GDRP relevant to Uptomic Data Processor responsibilities.
Chapter 2 - Principles
Article 9 - Processing of special categories of personal data
Our software only processes data contained in the resume or CV and does not use any other data source or processing. Although resumes/ CVs may contain data that is referred to in paragraph 1, paragraph 2e exempts us from Article 9.
Chapter 3 – Rights of the data subject
Article 13 - Information to be provided where personal data are collected from the data subject
Uptomic’s formatting services provides data specified in the formatting template and available from the CV. This allows the data controller to output the provided data to exactly meet the formatting requirements.
Article 15 - Right of access by the data subject
Since Uptomic stores no data sent to its SaaS CV formatting Services, and retains no PII ever, the data controller never needs contact Uptomic to accomplish its duties under this Article, as only the data controller, not Uptomic, has any such data.
Article 16 - Right to rectification
Since Uptomic stores no data sent to its SaaS parsing and formatting Services, and retains no PII ever, the data controller never needs to contact Uptomic to accomplish its duties under this Article, as only the data controller, not Uptomic, has any such data.
Article 20 - Right to data portability
Uptomic CV formatting service provides output in the customer specified format. This makes the information documented and portable, helping data controllers meet the obligations of 20.1
Chapter 4 – Controller and processor
Article 28 - Processor
Uptomic does use other processors and provides their GDRP compliances statements on request.
Article 29 – Processing under the authority of the controller or processor
Uptomic provides no batch processing directly. Each transaction is initiated and directed solely by the data controller and processed by Uptomic only as instructed.
Article 30 - Records of processing activities
Article 30.5 exempts Uptomic from this article. All records are fully maintainable and reportable by the data controller.
Article 31 - Cooperation with the supervisory authority
Uptomic will cooperate with supervisory authority if requested.
Article 32 - Security of processing
Uptomic encrypts all traffic between servers and subprocessors.
Article 33 - Notification of a personal data breach to the supervisory authority
See Uptomic DPA.
Article 34 - Communication of a personal data breach to the data subject
See Uptomic DPA.
Article 37 - Designation of the data protection officer
Uptomic is exempt from needing this position but elected to appoint one anyway.
Uptomic’s Data Protection Officer - Michael Galkovsky (michael@uptomic.co)