Terms of Service

Last updated: May 26, 2025
Please read these terms and conditions carefully before using Our Service.

  • Emprofy.com Terms of Use 

    Emprofy.com Data Security and Privacy Statement 
    Published by: PureVi Tech Solutions Inc. (“PureVi”)
    Effective date: 01 January 2026
    Last updated: 01 January 2026
    Version: 1.2
     

    Purpose 

    This Data Security and Privacy Statement explains the security and privacy principles PureVi applies to emprofy.com (“Emprofy”) and how we protect personal information processed through our HR-Tech SaaS platform. It is intended to provide transparency to candidates/students, referees, organization customers, and website visitors. 

    Our role depends on how Emprofy is used 

    PureVi can act in different roles depending on the processing: 

    • Controller/Business: We act as a controller/business when we determine how and why personal information is processed for candidate accounts, referee submission experiences, website visitors, and platform security and operations. 
    • Processor/Service Provider/Contractor: We act as a processor/service provider/contractor when an organization customer uses Emprofy for its hiring, reference checking, screening, or verification workflows and we process personal information on that customer’s instructions under a Data Processing Agreement (DPA). 

    If you are participating in an organization’s hiring or verification process, the organization may be responsible for certain notices and decisions about your information. 

    Privacy governance and accountability 

    We maintain a privacy and security governance program designed to support compliance with applicable privacy and data protection laws (including GDPR, CCPA/CPRA, PIPEDA, and the Australian Privacy Principles). 

    Our governance program includes:

    • Defined privacy and security responsibilities and escalation paths.
    • Privacy-by-design considerations throughout product and feature development.
    • Risk-based reviews for new or materially changed processing that may increase privacy or security risk.
    • Documented policies and procedures, including vendor governance, incident response, and access management.
    • Training and awareness for personnel with access to production systems or sensitive data.

    Privacy contact: privacy@emprofy.com
    Postal address: 1900 City Park Dr, Suite 300
    Ottawa, ON, Canada
     

    Data minimization and lawful processing 

    We aim to collect and process only the information reasonably necessary to operate Emprofy, provide requested services, maintain security, and meet legal obligations. We align processing to defined purposes and restrict access and use based on role, necessity, and authorization. 

    Where Emprofy is used by organization customers, we process personal information on documented instructions, subject to contractual restrictions in our DPA. 

    Security safeguards 

    We use layered technical and organizational safeguards designed to protect confidentiality, integrity, and availability of personal information. 

    Our safeguards typically include: 

    Infrastructure and environment isolation
    • Emprofy is hosted on enterprise-grade Microsoft Azure cloud infrastructure.
    • Logical separation of environments (e.g., production, testing, development) and controlled change processes.

    Encryption
    • Encryption in transit using modern TLS (e.g., TLS 1.2+).
    • Encryption at rest for stored data and backups (e.g., AES-256 where supported by underlying services).
    • Additional protections for sensitive data where appropriate (such as field-level encryption and stricter access controls).

    Access control and identity management
    • Role-based access control (RBAC) and least-privilege access.
    • Multi-factor authentication for privileged access.
    • Segregation of duties for engineering/operations/support functions where feasible.
    • Logging of privileged administrative access and critical actions.

    Monitoring, logging, and vulnerability management
    • Centralized security logging to support detection and investigation.
    • Monitoring and alerting for suspicious activity (for example, repeated failed login attempts, abnormal access patterns, or privilege changes).
    • Vulnerability management practices including patching and remediation tracking.

    Secure development
    • Secure development lifecycle controls such as code review, dependency management, and security testing aligned to risk and system criticality.

    Backup and disaster recovery
    • Regular backups of critical systems and data stores.
    • Tested restoration procedures for critical services.
    • Business continuity practices proportionate to platform risk.

    Physical security
    • Physical security is provided by our cloud and data center providers and includes facility access and environmental protections.

    No method of transmission or storage is completely secure; however, we work to maintain safeguards proportionate to the sensitivity of the information and the risk context. 

    Vendor and sub-processor management 

    We use vetted third-party service providers (vendors/sub-processors) to operate and support the Service (for example, cloud hosting, communications, analytics, payment processing, monitoring, and customer support tools). We assess vendors based on risk and require contractual protections appropriate to the nature of the processing, including confidentiality, security obligations, and restrictions on use and disclosure. 

    We maintain a current list of key sub-processors at: [Sub-Processor List URL]. 

    Cross-border processing and transfers 

    PureVi is based in Canada. Emprofy may process personal information in Canada and other countries where our vendors or we operate. We apply safeguards designed to protect cross-border processing, including contractual safeguards with vendors and, where required, internationally recognized transfer mechanisms and supplementary safeguards. 

    Data retention and deletion 

    We retain personal information only as long as necessary for the purposes for which it was collected and processed, including providing the Service, meeting legal obligations, resolving disputes, enforcing agreements, and maintaining security. 

    We maintain a retention schedule by data category and implement deletion or de-identification processes. If we are required to preserve data due to legal or security reasons, we apply a documented legal hold process. 

    Cookies and tracking controls 

    Emprofy websites and web application interfaces may use cookies and similar technologies for essential operations, security, and (where enabled) analytics and preference management. 

    Where required by law, we provide appropriate cookie choices and honor applicable privacy signals and preferences. For details, see: [Cookie Policy URL]. 

    Authentication, One‑Time Passwords (OTP), and Security Communications

    Use of OTP‑Based Authentication: To protect user accounts and maintain the security and integrity of the Service, Emprofy may use authentication controls, including One‑Time Passwords (“OTPs”), delivered via SMS or other supported channels. OTPs are used solely for identity verification, login validation, and detection or response to suspicious or unusual account activity. OTP communications are transactional and security‑related in nature and are not marketing messages.

    User Responsibilities: By providing a phone number for authentication purposes, you agree to:

    • Ensure that the phone number provided is accurate and under your control
    • Maintain the confidentiality of OTPs and not share them with any third party
    • Promptly notify Emprofy of any suspected unauthorized access, compromise, or misuse of your account or authentication credentials

    You are responsible for all actions performed using your credentials, including OTP‑verified access, unless otherwise required by applicable law.

    Security and Access Controls: OTPs are generated, transmitted, and validated as part of Emprofy’s access control framework. Authentication attempts and related events may be logged to support security monitoring, incident response, auditability, and compliance obligations.

    We may restrict, suspend, or terminate access to the Service where authentication controls indicate elevated security risk or potential unauthorized activity.

    Availability and Service Dependence: OTP delivery depends on third‑party telecommunications networks and service providers. While Emprofy implements controls to support reliable authentication, we do not guarantee uninterrupted delivery of OTP messages and are not responsible for delays or failures caused by carrier availability, network conditions, or factors outside our reasonable control.

    Opt‑Out and Impact on Access: OTP‑based verification may be required to access certain features or the Service as a whole. Disabling or opting out of OTP‑based authentication may result in limited functionality or loss of access where alternative verification mechanisms are not available.

    Organization Customer Context: Where OTP authentication is used in connection with an Organization Customer account or workflow, such use is subject to the applicable Order Form and Data Processing Agreement (DPA). Organization Customers are responsible for ensuring their authorized users comply with these Terms and applicable security requirements.

    Relationship to Privacy Policy: Information about how phone numbers, authentication data, and security logs are collected, used, and retained is described in the Privacy Policy, which forms part of these Terms by reference.


    AI and profiling transparency 


    Emprofy may offer AI-assisted features (e.g., generating summaries or organizing submitted information) to support platform workflows. Emprofy does not make hiring decisions; organization customers are responsible for decisions about applicants and must use the Service in compliance with applicable law. 

    We aim to provide transparency about AI-assisted features, including what data is used for the feature, what the feature produces, and available choices or controls, where applicable. 

    Rights requests and privacy inquiries 

    Individuals may submit privacy requests or inquiries by contacting: privacy@emprofy.com.
    We verify identity as appropriate and respond according to applicable law. When PureVi acts as a processor/service provider on behalf of an organization customer, we support the customer in fulfilling applicable rights requests under the DPA and applicable law. 

    Incident response and breach notification readiness 

    We maintain an incident response program to detect, respond to, and remediate security incidents. When an incident involves personal information, we assess notification obligations and coordinate notifications to customers, regulators, and affected individuals when required by applicable law and contract. 

    Updates to this statement 

    We may update this statement as our practices evolve. The “Last updated” date reflects the most recent revision. If we make material changes, we will provide appropriate notice. 

    Cross-regulation mapping table for the statement 

    The table below shows how each section of the statement aligns to key obligations across jurisdictions. It is designed as an operational crosswalk for your compliance/security team. 

    | Statement section | GDPR alignment | CCPA/CPRA alignment | PIPEDA alignment | APPs alignment |
    |---|---|---|---|---|
    | Role clarity (controller vs processor) | EDPB role guidance + GDPR processor contracting and accountability expectations (Art. 28) [13] | Contract constraints for disclosures to service providers/contractors and purpose limitations [14] | Accountability for outsourced processing; cross-border processing remains accountable [15] | APP 8 cross-border disclosure accountability (s 16C discussed in OAIC guidance) [16] |
    | Governance and accountability program | Data protection by design/default (Art. 25), records of processing (Art. 30), DPIA duty for high-risk processing (Art. 35) [17] | CPPA regulations set expectations for comprehensive privacy practices disclosures; risk assessments/cyber requirements may apply depending on thresholds/uses [4] | Openness and meaningful consent expectations require accessible explanation of practices [18] | APP 1 requires open and transparent management [19] |
    | Data minimization and purpose limitation | GDPR principles (Art. 5) and lawful processing structure [20] | “Reasonably necessary and proportionate” minimization requirement (1798.100(c)) [21] | Limiting collection (Principle 4) and limiting use/disclosure/retention (Principle 5) [22] | APP 3 requires collection reasonably necessary for functions/activities [23] |
    | Security safeguards | Art. 32 requires risk-appropriate measures incl. encryption, resilience, and regular testing [24] | “Reasonable security procedures and practices” (1798.100(e)) [25] | Safeguards appropriate to sensitivity (Principle 7) [26] | APP 11 security obligations [27] |
    | Vendor/sub-processor management | Processor contracting requirements and sub-processor controls through Art. 28 program design [28] | Service provider/contractor contract restrictions; and privacy policy disclosure expectations in CPPA regs [29] | Accountability for outsourced processing; comparable protections [15] | APP 8 cross-border disclosure “reasonable steps” often implemented via enforceable contracts [30] |
    | Cross-border safeguards | Transfers only under Chapter V conditions (Arts. 44, 46), SCC framework, and supplementary measures guidance [31] | No GDPR-like transfer regime, but notices and vendor contractual controls remain critical [32] | Cross-border processing is permitted but accountability remains with the transferring organization [33] | APP 8 cross-border disclosure governance [16] |
    | Retention and deletion | Storage limitation is a core principle (Art. 5) and transparency expectations require retention disclosure (Arts. 13/14) [34] | Notice-at-collection and CPPA regs require retention period/criteria; minimization applies to retention [35] | Principle 5 limits retention; OPC also provides retention/disposal guidance [36] | APP 11.2 requires destruction/de-identification when no longer needed (exceptions apply) [37] |
    | Cookies and tracking controls | ePrivacy Article 5(3) + EDPB consent guidance; EDPB technical scope guidelines for modern tracking [38] | CPPA regulations address notice, opt-outs, and preference signals (where applicable) [39] | Meaningful consent expectations reinforce clarity and choice [40] | APP transparency duties support clear disclosures and controls [41] |
    | AI and profiling transparency | GDPR Art. 22 and WP29/EDPB profiling guidance; transparency under Arts. 13/14 and WP260 guidelines [42] | CPPA ADMT rules define ADMT and establish pre-use notice/opt-out requirements in the regs when applicable [43] | Meaningful consent and openness expectations support clear explanations of AI uses and consequences [18] | APP 1/5 transparency expectations support clear disclosure of features impacting individuals [44] |
    | Incident response and breach readiness | GDPR breach notification rules + EDPB breach notification guidance [45] | CPRA reasonable security duty; CA breach law 30-day deadline under amendments [46] | Mandatory reporting/notification when real risk of significant harm and breach recordkeeping [47] | NDB scheme for eligible data breaches likely to result in serious harm [48] |

     
