Terms and policies
Learn more about Chainguard policies and our legal documents.
Chainguard, Inc.
Global Candidate Privacy Notice
Last updated: March 2026
This Global Candidate Privacy Notice (“Notice”) applies to all job candidates, whether on a part-time, temporary or full-time basis, and including roles for a position as contractor or intern (“Candidates”). If you become employed by Chainguard, the processing of your personal information will be subject to Chainguard’s Employee Privacy Notice.
For the avoidance of doubt, nothing in this Notice shall be construed as forming part of a contractual relationship between us (whether or not your application is successful).
1. Introduction
Chainguard, Inc. ("Chainguard", "we" or "us") has issued this Notice to describe how we handle personal information that we hold about Candidates ("you"). We respect the privacy rights of individuals and are committed to handling personal information responsibly and in accordance with applicable law. This Notice sets out the personal information that we collect and process about you, the purposes of the processing and the rights that you have in connection with it.
If you are applying for a role outside of the U.S., the entity that employs or engages you will be the controller of your personal information. Please see the list of relevant entities in the Annex to this Notice.
If you have any comments or questions about this Notice, please contact us using the details provided under the “How to contact us” section below.
2. Personal information we collect and process when you apply for a position with us
We collect personal information about you when you apply for a position with us and during the recruitment process.
Sources of personal information
We collect this personal information from the following different sources:
● Information that you provide directly
We collect personal information directly from you when you submit your application. This could be by an application sent via our recruitment portal, our careers webpage, or by sending your application directly to a member of our staff. In connection with the recruitment process you may also choose to provide us with further personal information through any of these channels.
● Information from third parties
We may collect personal information from third parties. Where a third party is representing you or has contacted you on our behalf, including recruitment agencies and third-party recruitment platforms, such third parties may provide your personal information to us. We may also receive (or request) personal information from academic institution(s) with whom you have indicated you are or were affiliated in order to confirm your qualifications. We may also receive your personal information from the references you provide in order for us to obtain information about your previous employment or character. Where necessary and to the extent permitted by applicable law, we use background checking agencies, which may be located outside the EEA, to run industry-standard background checks. Depending on where you are located, this may include criminal history (eg. criminal convictions), global sanctions & enforcement, sex offender registrations, and other global watchlist searches to confirm your suitability for the role, to comply with legal and regulatory obligations, and to determine whether you are legally entitled to work in the countries where we are recruiting.
● Information that we collect indirectly
We collect your personal information indirectly, including through automated means, via our recruitment portal and website. Such information includes your IP address and information about the device used to complete and make your application. Some of the information we collect indirectly is captured using cookies and other tracking technologies. For further information about the types of cookies we use, why, and how you can control cookies, please see our Cookie Policy.
● Information that we collect from publicly available sources
We collect information about you from social media platforms aimed at making professional connections, such as LinkedIn, where you have made information available about yourself.
● Information that we create
During the recruitment process we may create information pertaining to your application, such as interview notes, feedback, internal communications and communications with you directly.
Categories of personal information
We collect the following categories of personal information from and about you through our application process.
● Contact Data: Name or alias, home address, personal telephone number and personal email address.
● Application Information, Professional and Academic Data: Position applied for, age, date of birth, gender, pronouns, compensation and salary data, eligibility for and participation in benefit schemes, and CV/résumé information such as previous roles, job descriptions, responsibilities and assignments, years of service, security clearance status, education, academic/professional qualifications and experience.
● Interview and Selection Recordings and Notes: Meeting recordings and notes made by interviewers, other staff, or interview transcriptions via third-party voice to text AI tools (eg. Metaview, GCP Gemini) in connection with your application and interviews.
● Sensitive Personal Information: Information that reveals your racial or ethnic origin, religious, political or philosophical beliefs, information about your health (including mental health) and disability, and sexual orientation.
● Background Checks: Criminal records data, results of reference checks such as verification of education, criminal, and employment history, screening checks such as against politically exposed persons registers, disbarment checks and other searches relevant to the role for which you are applying. This information will only be requested from you or obtained from third parties at the end of the recruitment process, once the offer has been made and you have accepted the position you applied for
● Nationality, Citizenship and Right to Work Information: Nationality and country of birth, citizenship and right to work information, government identification documents (including passports and residency permits) and, where relevant, visa information.
● Communication Data: Communications between us and you in relation to your application and the application process.
● Social Media Data: Details that you have provided in your application about your social media handle and information about you that you have made public on your social media account, such as LinkedIn.
● IT Data: Information collected through our recruitment portal and website (including by means of cookies and similar tracking technology, such as IP addresses, log files and login information). IT Data may also include inferred location based on your IP address or activities, device identifiers associated with your computer or device, mobile carrier and related information generated when you navigate our recruitment portal and website.
● Security and Access Data: Closed-circuit television (CCTV) footage in public or common areas on or near our premises (such as in car parking areas and in which case footage may include vehicle licence plates). It may also include other information obtained through electronic means such as security records (e.g. swipe card records, building entry / exit data to which Chainguard may from time to time have access) and if you are visiting a premises, physical or electronic guest book information containing name, photograph, vehicle licence plate and person(s) you are visiting).
3. Legal grounds for processing personal information – EEA and UK only
If you are based in the EEA or the UK, our legal basis for collecting and using your personal information will depend on the personal information concerned and the specific context in which we collect it. There are various legal bases on which we can rely on when processing your personal information. In some contexts, more than one ground applies.
We have summarized the most relevant grounds below:
Term | Ground for processing | Explanation |
Contractual necessity | Processing necessary for performance of a contract with you or to take steps at your request to enter into a contract. | Covers carrying out our contractual duties and exercising our contractual rights. |
Legal obligation | Processing necessary to comply with our legal obligations | Ensure we perform our legal and regulatory obligations. For example, providing a safe place of work and avoiding unlawful discrimination. |
Legitimate interests | Processing necessary for our or a third party's legitimate interests | We, and in some cases third parties, have a legitimate interest in managing and administering our businesses efficiently and responsibly. In pursuit of these interests, we may process your personal information where necessary to support these activities. Your data will not be processed on this basis if our or a third party's interests are overridden by your own interests, rights and freedoms. |
Consent | You have given specific consent to processing your data | In general, processing your data in connection with employment will not be conditional on your consent. However, there may be occasions where we do specific things such as provide a reference, seek to monitor diversity, or obtain medical reports and rely on your consent to do so. |
If we process sensitive personal information about you, we will ensure that, in addition to having a legal basis (as outlined above), one or more of the specific conditions for processing sensitive personal information under applicable privacy law is met. This includes:
● Where you have provided your explicit consent;
● Where the processing is necessary for the purposes of your or our obligations and rights in relation to employment in so far as it is authorized by law or collective agreement;
● Where the processing relates to data about you that you have made public; and
● Where the processing is necessary for the purpose of establishing, making or defending legal claims.
4. How we use your personal information (our purposes) and our legal basis for processing it
We use the personal information that we collect from and about you only for the purposes described in this Notice. Such processing is necessary to evaluate and make decisions about your job application, communicate with you, communicate with third parties about you, such as your references or former employers, comply with legal requirements, and pursue our legitimate interest in operating our business.
We may also use third-party artificial intelligence tools to review your resume, cover letter and application to assist our recruitment efforts. These technologies may assist in certain administrative aspects of our recruitment process, such as meeting coordination, interview summarization and post-interview internal analysis.
The following table provides more details on our purposes for processing your personal information and the related legal bases.
Purpose or Activity | Type of personal information | Legal basis |
To communicate with Candidates during the recruitment process | Contact Data Communications Data IT Data Social Media Data | - Legitimate interests of managing applications for positions with us. |
To assess suitability of Candidates for the role they have applied for | Contact Data Application Information, Professional and Academic Data Interview and selection notes Communication Data Social Media Data | - Legitimate interests of managing applications for positions with us. |
To maintain Candidate records | Contact Data Application Information, Professional and Academic Data Interview and selection notes Background Checks Nationality, Citizenship and Right to Work Information Communication Data | - Legitimate interests of managing applications for positions with us. |
Determine your eligibility to work | Nationality, Citizenship and Right to Work Information | - Legal obligation. |
To conduct criminal record and background checks | Background Checks | - Legitimate interests of managing applications for positions with us - With your consent (where required by applicable local law). |
To calculate proposed salary and assess eligibility for certain benefits | Contact Data Application Information, Professional and Academic Data Interview and selection notes Communication Data | - Legitimate interests of managing applications for positions with us. |
To enter into employment contracts or other contractual engagements | Contact Data Communication Data | - To take steps to enter into a contract with successful Candidates. |
To monitor and improve our application process | Contact Data Application Information, Professional and Academic Data Interview and selection notes Background Checks Nationality, Citizenship and Right to Work Information Communication Data IT Data | - Legitimate interest of reviewing and updating our application process. |
Physical and system security | Security and Access Data IT Data Including CCTV images and records of use of swipe and similar entry cards / systems if you visit our premises such as to attend an interview. | - Legitimate interest of ensuring the security of our systems and premises. |
Monitoring of diversity and equal opportunities | Sensitive Personal information Specifically, to the extent required or permitted by local law, information on your nationality, racial and ethnic origin, gender, sexual orientation, religion, philosophical beliefs, disability, age and other diversity markers. | - Legal obligation In relation to Sensitive Personal Information: To comply with employment obligations (if required by applicable law), or with your explicit consent. |
Address access needs and if a Candidate is successful to make workplace adjustments | Contact Data Sensitive Personal Information | - Legal obligation In relation to Sensitive Personal Information: To comply with employment obligations (if required by applicable law), or otherwise with your explicit consent. |
Disputes and legal proceedings | Contact Data Application Information, Professional and Academic Data Interview and selection notes Background Checks Nationality, Citizenship and Right to Work Information Communication Data IT Data Security and Access Data Any other information relevant or potentially relevant to a dispute or legal proceeding affecting us. | - Legitimate interests - Legal obligation |
5. Who we share your personal information with
We take care to allow access to personal information only to those who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the information is used in a manner consistent with this Notice and that the security and confidentiality of the information is maintained.
We share your personal information with the following categories of recipients:
● our group companies in order to administer human resources, staff member compensation and benefits at an international level on our HR platform, as well as for other legitimate business purposes such as IT services/security, tax and accounting, and general business management;
● third party service providers and partners on a "need to know basis" and in accordance with applicable data privacy law. This may include third parties who provide services to us or otherwise support our relationship with you and advice including our recruitment platform provider, Greenhouse, recruitment agencies, local employer of record services, Deel & Remote, (where applicable)], external marketing providers, professional advisors (such as our external legal counsel).
● any competent law enforcement body, regulatory, government agency, court or other third party (such as our professional advisers) where we believe disclosure is necessary (i) as a matter of applicable law or regulation (e.g. to provide certain salary information to tax authorities), (ii) to exercise, establish or defend our legal rights, or (iii) to protect your vital interests or those of any other person;
● a buyer or prospective buyer (and its agents and advisers) in connection with any actual or proposed purchase, merger or acquisition of the whole or any part of our business as permitted by law and/or contract;
● any other person with your consent to the disclosure (obtained separately from any contract between us).
6. How we keep your personal information secure
We take care to allow access to personal information only to those who require such access to perform their tasks and duties, and to third parties who have a legitimate purpose for accessing it. Whenever we permit a third party to access personal information, we will implement appropriate measures to ensure the information is used in a manner consistent with this Notice and that the security and confidentiality of the information is maintained.
We use appropriate technical and organisational measures to protect the personal information that we collect and process about you. The measures are designed to provide a level of security appropriate to the risk of processing your personal information. To that end, Chainguard has implemented and maintains an information security program in accordance with industry standards. Specific measures we use include encrypting your personal information in transit and at rest; implementation of other reasonable security defenses (including vulnerability management and access management).
7. International data transfers
Chainguard is headquartered in the United States with employees globally. Our third party service providers and partners also operate globally. This means that, in connection with our business and for employment, administrative, management and legal purposes, we may transfer your personal information outside of the country where you are located, including to the United States. As a result, your personal information may be transferred to a jurisdiction that may not provide the same level of data protection as your country of residence.
When we transfer your personal information internationally, we will take steps to ensure that your personal information is treated securely, lawfully, and in accordance with this Notice. Where we transfer your personal information to countries and territories outside of the EEA and the UK, for example, which have been formally recognised as providing an adequate level of protection for personal information, we rely on the relevant “adequacy decisions” from the European Commission and “adequacy regulations" (data bridges) from the Secretary of State in the UK.
Where the transfer is not subject to an adequacy decision or regulations, we have taken appropriate safeguards to require that your personal information will remain protected in accordance with this Notice and applicable laws. Where applicable, we enter into the Standard Contractual Clauses approved by the European Commission (and equivalent clauses in the UK) for transfers to our group entities and to our third party service providers and partners.
8. Data retention
We will store the personal information we collect about you for no longer than necessary and in accordance with our legal obligations and legitimate business interests. When we have no ongoing legitimate business need to process your personal information, we will either permanently delete it or anonymize it or, if that is not possible (e.g., because your personal information has been stored in backup archives), then we will securely store your personal information and isolate it from any further processing until deletion is possible.
If your application is successful and you become an employee, where permitted by local law, the personal information we collect during the application process may be transferred to your personnel file and stored in accordance with our Employee Privacy Notice.
If your application is not successful, we will hold your personal information to contact you (unless you have asked us not to) about any other relevant employment opportunities that may arise. We will retain your personal information for a reasonable period of time after the date your application was not successful, unless you request that we delete your application.
9. Your data privacy rights
Depending on your location and subject to applicable law, you may have the following data protection rights with regards to your personal information:
● You can access, correct, update or request deletion of your personal information.
● In certain circumstances, you can object to processing of your personal information, ask us to restrict processing of your personal information or request portability of your personal information.
● If we have collected and processed your personal information with your consent, then you can withdraw your consent at any time. Withdrawing your consent will not affect the lawfulness of any processing we conducted prior to your withdrawal, nor will it affect processing of your personal information conducted in reliance on lawful processing grounds other than consent.
● You have the right to complain to a relevant data protection authority about our collection and use of your personal information. For more information, please contact your local data protection authority.
● If you are located in California, please refer to the Annex for information about your data protection rights for your specific location.
You can make a request to exercise any of your privacy rights by contacting privacy-contact@chainguard.dev. We respond to all requests we receive from individuals wishing to exercise their data protection rights in accordance with applicable data protection laws.
10. Updates to this Notice
We may update this Notice from time to time in response to changing legal, regulatory, technical or business developments. When we update our Notice, we will take appropriate measures to inform you, consistent with the significance of the changes we make.
You can see when this Notice was last updated by checking the “last updated” date displayed at the top of this Notice.
11. How to contact us
If you have any questions, comments, or concerns regarding this Notice, please contact privacy-contact@chainguard.dev.
For translations of this Candidate Privacy Notice into other languages, please contact privacy-contact@chainguard.dev.
Annex – Country Specific Information
EEA / UK
If you are a Candidate residing in the EEA / UK the following additional information applies to you.
1. The data controller of your personal information is Chainguard, Inc.
2. In the UK, the statutory regulator is the Information Commissioner's Office. For contact details see: https://ico.org.uk/global/contact-us/.
3. The contact details for statutory regulators in the EEA are available at: https://www.edpb.europa.eu/about-edpb/about-edpb/members_en
Canada
If you are a Candidate residing in Canada, the following additional information applies to you.
1. In Canada, the statutory regulator is the Office of the Privacy Commissioner of Canada. For contact details see: https://www.priv.gc.ca/en/contact-the-opc/.
2. Subject to any restrictions and/or exemptions under applicable law, in addition to the applicable information set out in Section 9 of this Notice, you have the right to:
● Request access to your personal information;
● Request correction to your personal information;
● Request erasure of your personal information; and
● Withdraw your consent to the use or communication of your personal information
3. We may collect, use, and disclose your personal information described in this Notice for the purposes described in this Notice, and as otherwise required by law. We may collect, use, and disclose your personal information without your consent if authorized or required by law.
4. You may exercise any of the above rights by contacting us at privacy-contact@chainguard.dev.
California
If you are a Candidate residing in California, the following additional information applies to you. For purposes of this section, “personal information” has the same meaning defined in the California Consumer Privacy Act of 2018 (“CCPA”), as amended by the California Privacy Rights Act of 2020 ("CPRA") (collectively referred to as "CCPA").
1. Categories of Personal Information We Collect:
We may collect the following statutory categories of personal information, as enumerated by the CCPA, about you when you apply for a position with us and during the recruitment process:
● Identifiers and contact information, such as your: name, postal address, email address, phone number, date of birth, social security number, driver's license or state identification number, and other unique identifiers including online identifiers (e.g. IP address).
● Personal information categories listed in California Civil Code § 1798.80(e)) not already listed above, such as your signature, physical characteristics or description, bank account or other financial information, medical information, or health insurance information.
● Protected classification characteristics under California or federal law, such as your age, gender, racial or ethnic origin, national origin, citizenship, religious, marital status, sexual orientation, disability or veteran status.
● Internet or network activity information, such as your interactions with our website and job advertisement.
● Geolocation data, such as your approximate location based on your IP address. ● Audio, electronic, visual, and similar information such as call and video recordings of interviews.
● Professional or employment-related information, such as your employment history, CV/résumé information, reference checks and screening checks, position applied for, and interview notes.
● Non-public education information, such as your academic history, education grades, and academic/professional qualifications.
● Inferences drawn from any of the above personal information to create a summary about you, for example regarding your skills, preferences, and abilities. And
● Sensitive personal information, as defined by the CCPA, such as government identifiers (including your social security, driver’s license, state identification, or passport number, if applicable), your racial or ethnic origin, religious or philosophical beliefs, or union membership.
2. How we use your personal information and to whom do we disclose such information: The business and commercial purposes for which we collect this information are described in Section 4. "How we use your personal information (our purposes) and our legal basis for processing it" of this Notice. The categories of third parties to whom we disclose the information for a business purpose are described in Section 5. "Who we share your personal information with" of this Notice. We retain your personal information for the length of time as required under applicable law.
3. "Sales" and "Shares" of Personal Information: We do not "sell" or "share", as those terms are defined by the CCPA, the above categories of personal information. We also do not use or disclose your sensitive personal information for purposes that are not necessary to process your application.
4. CCPA Rights: Candidates residing in California have the following data protection rights:
● Know and Access: You have the right to request to know the personal information we have collected about you, and to access such personal information in a portable and commonly used format. Once we receive and confirm your verifiable request, we may disclose to you:
o the categories of personal information we have collected about you.
o the categories of sources from which your personal information was collected.
o the business or commercial purposes for collecting that personal information.
o the categories of third parties to whom we have disclosed that personal information. And
o the specific pieces of personal information we have collected about you.
● Correct: You have the right to request that we correct any of your personal information that we have collected from you that is inaccurate.
● Delete: You have the right to request that we delete certain personal information we have collected from you.
● Opt out of the Sale and Sharing of your personal information: You have the right to request that a business not "sell" or "share" your personal information with a third party, as those terms are defined under the CCPA. However, as noted above, we do not sell or share your personal information within the meaning of the CCPA.
● Limit the use and disclosure of sensitive personal information: We do not use or disclose "sensitive personal information" other than as described in Section 4 of this Notice or as otherwise permitted under the CCPA.
● Non-Discrimination: You have the right to not be discriminated or retaliated against for exercising any of your CCPA rights described above.
5. How to Exercise Your CCPA rights: You can make any of these requests to exercise your CCPA rights by emailing us at privacy-contact@chainguard.dev. We will respond to verifiable requests received as required by law. Please note that we may request certain information from you to verify your identity in order to respond to your request. Please also note that in California, an authorized agent may submit a rights request on your behalf. We may also request that an authorized agent verify their identity and authority to submit a rights request on your behalf.