Candidate Privacy Notice

1.  What does this notice cover?

This notice describes how CyberArk (“CyberArk“, “we“, “us” or “our“) processes your personal information (including how we process your information via our recruitment platform – SmartRecruiters). It also describes your data protection rights, including a right to object to some of the processing which CyberArk carries out. More information about your rights, and how to exercise them, is set out in the “Your choices and rights” section. As used in this notice, “personal information” means information that identifies you or is reasonably capable of identifying you. It also includes similar terms under data privacy laws, such as “personal data” and “personally identifiable information.”

This notice applies to users of the CyberArk careers website and the SmartRecruiters platform. The data processing described in this notice may be limited as required by applicable law.

We may also provide you with additional information when we collect personal information, where we feel it would be helpful to provide relevant and timely information.

2.  What personal information we collect

When you apply for a job role at (or otherwise seek to work with) CyberArk, we will collect, use and disclose certain information directly from you as well as from third party sources.

  • Information we collect from you:

We will collect and process personal information from you through the application and recruitment process. Such information may include, but is not limited to:

  • Name and other personal information such as gender, date and place of birth;
  • Contact information, such as address, telephone number, and email address;
  • Internet protocol address and password when you register and login to the job application portal;
  • Internet or other electronic network activity on our job application portal;
  • Past employment history (including previous employers, job titles, or positions) and references in order to evaluate potential employees for employment;
  • Other academic, professional, and training information, such as academic degrees and professional qualifications;
  • Your CV/resume (which may include details of any memberships or interests);
  • National identifiers such as nationality/ies, national IDs/passport, social security/insurance numbers, immigration information, and visa status;
  • Information concerning your application and our assessment of it; and
  • Any other information you voluntarily provide throughout the process, through interviews or other forms of assessment.

In certain circumstances we are required or permitted by local law to process special or sensitive categories of personal information. We will only use such special or sensitive categories of personal information for limited purposes, as permitted under applicable laws, such as to provide human resources services; prevent, detect, and investigate security incidents; resist malicious, deceptive, fraudulent, or illegal actions; ensure the physical safety of natural persons; and verify or maintain the quality  of our human resources functions. CyberArk may also be required to collect information about your racial/ethnic origin, gender and disabilities for the purposes of equal opportunities monitoring, to comply with anti-discrimination laws or for government reporting obligations. Similarly, information about your physical or mental condition may be collected in order to consider accommodations we need to make for the recruitment process and/or subsequent job role. You may also provide, on a voluntary basis, other special or sensitive categories of personal information during the recruiting process.

  • Information we may collect from other sources:

We may collect some or all of the following personal information from other sources (in each case where permissible and in accordance with applicable law) when you apply for a role with CyberArk:

  • References provided by referees;
  • Other background information provided or confirmed by academic institutions and training or certification providers;
  • Criminal records data obtained through criminal records checks (only where required or proportionate under applicable law);
  • Information provided by background checking agencies and other external database holders (for example credit reference agencies and professional/other sanctions registries);
  • Information provided by recruiting or executive search agencies; and
  • Information collected from publicly available sources, including any social media platforms you use or other information available online.

3.  Why we collect, use and store this personal information

CyberArk collects and processes personal information for the purposes and lawful bases (as relevant under applicable laws), set out below. These are linked with your application and/or potential future employment and include:

For contractual necessity:

  • As required to take steps which are necessary before CyberArk can enter into an employment contract with you;
  • Reimburse you for any agreed expenses incurred in the recruitment and application process.

For purposes which are in CyberArk’s legitimate interests:

  • To make informed decisions on recruitment and assess your suitability for the role (including background checks as permitted by local law, which we will provide more information about you before they are carried out);
  • Analyse your application information to improve our recruitment processes and the applicant experience;
  • To host, administer, and communicate information related to CyberArk’s recruitment activities;
  • To answer your queries;
  • Improve our recruitment processes and activities as well as to keep you in mind for future roles (where your consent isn’t required under applicable laws) and communicate with you about future career opportunities at CyberArk; and
  • Send you relevant communications including newsletters informing you about open positions and news about CyberArk (where your consent isn’t required).

For compliance with legal obligations:

  • As required to comply with applicable laws and protect our legal rights including, but not limited to, in connection with legal claims, (including disclosure of information in connection with legal process or litigation);
  • If you are a successful candidate for employment, this will include verifying whether you have the right to work in the country in which you are applying for a job with CyberArk and checking whether the information you have provided in the application is correct and carrying out other background checks required by local law; and
  • In response to enquiries from authorities.

Where you give your consent:

  • On occasions where we ask you for consent, we will use the data for the purpose which we explain at that time.

Wherever we rely on your consent, you will always be able to withdraw that consent, although we may have other legal grounds for processing your data for other purposes, such as those set out above.

4.  How we disclose your personal information

As a global organization we have offices and/or employees across the world. Therefore, we may need to transfer your personal information to different CyberArk entities which are not located in your region as well as to third parties supporting us.

Personal information will primarily be processed by employees working in our Human Resources, IT and Finance departments. Your information will also be disclosed to service providers, for the purposes identified above. These service providers include IT service providers, recruitment agencies, background check providers and appropriate authorities (where relevant).

Primarily, our recruitment efforts are handled and managed via our recruitment platform – SmartRecruiters. Your job application, including your resume and your interactions with us along the process, will be processed via SmartRecruiters. By accepting this Candidate Privacy Notice, you consent to the process of your information by CyberArk via SmartRecruiters.

In the event that CyberArk is sold or integrated with another business, your details may be disclosed to our advisers and any prospective purchaser’s adviser and will be passed to the new owners of the business.

If you are an applicant in the United Kingdom (“UK”), Switzerland or the European Economic Area (“EEA”) and your personal information is transferred outside of these regions to an organisation in a country which is not subject to an adequacy decision by the European Union (“EU”) Commission or considered adequate as determined by applicable data protection laws, we will take steps to ensure your personal information is adequately protected (e.g., by way of EU Commission approved Standard Contractual Clauses,  a vendor’s Processor Binding Corporate Rules or by relying on  such other data transfer mechanisms as available under applicable data protection laws). A copy of the relevant mechanism can be obtained for your review on request by using the contact details below.

CyberArk does not sell or share for cross-context behavioural advertising your personal information with third parties. We also do not knowingly share for cross-context behavioural advertising, sell or disclose the personal information of children under the age of 16. For this reason, we do not offer a right to opt out of sale or sharing under applicable law.

Lastly, we may disclose your personal information with your consent or when required by law.

5.  Your choices and rights and instructions

Your choices and rights

Under certain data privacy laws, you may be entitled to privacy rights, subject to some limitations. Some or all of the rights below may apply to you depending on your state or country of residence (e.g., if you are a resident of California or in the UK, Switzerland or the EEA, among other jurisdictions). You may have the right:

  • to ask us for a copy of your personal information, which includes, as applicable, the right to know and access the personal information we have collected about you, including the categories of personal information, the categories of sources from which the personal information is collected, the business or commercial purpose for collecting, selling, or sharing personal information, the categories of third parties to whom we disclose personal information, and the specific pieces of personal information we have collected about you;
  • to correct, delete or restrict processing of your personal information;
  • to obtain the personal information you provide in a portable, structured, commonly used, and machine readable format (“data portability”) that may be transmitted to another entity at your request without hindrance;
  • to object to the processing of your personal information in some circumstances (in particular, where we don’t have to process the data to meet a contractual or other legal requirement);
  • to withdraw your consent (where applicable);
  • to access and opt-out rights related to the use of automated decision making technology, including profiling; and
  • to not be discriminated against for exercising any of your privacy rights, which includes us not (as applicable in the human resources context): (a) denying you goods or services; (b) charging you different prices or rates for goods or services, including through the use of discounts or other benefits or imposing penalties; (c) providing you a different level or quality of goods or services; (d) suggesting to you that you will receive a different price or rate for goods or services or a different level or quality of goods or services; and (e) retaliating against you for exercising your privacy rights.

These rights may be limited, for example if fulfilling your request would reveal personal information about another person, or if you ask us to delete information which we are required by law or have compelling legitimate interests to keep. If you have unresolved concerns, you have the right to complain to a data protection authority where you live, work or believe a breach has taken place.

Data that is mandatory is indicated on relevant forms that you complete. Where provision of data is mandatory, if relevant data is not provided, then we will not be able to process your application or reply to your queries. All other provision of your information is optional.

Instructions for exercising your choices and rights

You may exercise your privacy rights, if available, by emailing us at [email protected]. In some instances, we will need to verify your identity before honouring your privacy right request. We will verify your identity by asking you to provide pieces of personal information about yourself, which we will verify against personal information we may maintain about you in our systems. We will honor your privacy rights request within the time required under applicable privacy laws, which may vary from 30 to 45 days, unless we request an extension.

You may exercise your privacy rights through an authorized agent. If we receive your request from an authorized agent, we may ask for evidence that you have provided such agent with a power of attorney or that the agent otherwise has valid written authority to submit requests to exercise rights on your behalf. If you are an authorized agent seeking to make a request, please email us at [email protected]. We will ask for further information confirming your authority to act on behalf of the job applicant once we receive your request.

6.  How long we retain your personal information

Your personal information will be stored in accordance with applicable laws and kept as long as needed to carry out the purposes described in this notice (or as otherwise required by applicable law). If you are successful with your application and get hired, your personal information will be kept in accordance with our employee Global Privacy Notice – Workforce. If you are not hired, your personal information will be kept for the duration of the application process plus two (2) years after confirmation that your application was unsuccessful.

If you would like to opt out from CyberArk’s policy of retaining your information for the purposes of considering you for other suitable openings, please email [email protected].

7.  For Californian Data Subjects – Prior 12-month personal information handling practices

We provide in the chart below a summary of our prior 12-month personal information handling practices. You can learn more about the personal information we collect at or before the point of collection above in the What personal information we collect, Why we collect, use and store this personal information, and How we disclose your personal information sections.

Categories of Personal Information Sources Business or commercial purpose of processing and disclosure and recipients of personal information
 As identified in the “What personal information we collect” section. You or other sources, as noted in the “Information we may collect from other sources” section. We have not sold or shared for cross context behavioural advertising your personal information to third parties.

We disclose your personal information as detailed in the “How we disclose your personal information” section.

We collect your personal information for human resources and recruitment functions as described in greater detail in the “What personal information we collect”, “Why we collect, use and store this personal information”, and “How we disclose your personal information” sections.

8.  Updates to this privacy notice

We reserve the right to update this privacy notice at any time, and we will provide you with a new privacy notice when we make any substantial updates. We may also notify you in other ways from time to time about the processing of your personal information.

9.  Contact us

If you have questions about this privacy notice or wish to contact us for any reason in relation to our personal information processing, please contact us at [email protected].

Last updated: February 2024