Confidential — For Institutional Use

Privacy Policy

Zabt.io Decision Intelligence Platform — operated by Zabt.io.

Effective date: 1 July 2025 · Version 1.0 · GDPR · CCPA

This Privacy Policy governs the collection, processing, storage, and transfer of personal data in connection with the Zabt.io platform operated by Zabt.io. It applies to institutional Customers, the Authorised Users who operate the Platform on their behalf, and the Candidates evaluated through it.

1. Scope and Applicability

1.1 Who This Policy Governs

This Privacy Policy (the "Policy") applies to Zabt.io ("Zabt," "we," "us," or "our"), the developer and operator of the Zabt.io platform (the "Platform"). This Policy governs our processing of personal data on behalf of our institutional clients, including Selection Committees, Grant Management Bodies, Government Funds, Accelerator Programmes, and Professional Evaluation Panels (collectively, the "Customers"). It further governs the personal data of individuals evaluated through the Platform ("Candidates") and natural persons who operate the Platform on behalf of a Customer ("Authorised Users").

1.2 Territorial Application

This Policy is designed to satisfy applicable data protection obligations under the General Data Protection Regulation (EU) 2016/679 (GDPR), the California Consumer Privacy Act (CCPA), and applicable sector-specific regulations. Where multiple legal frameworks apply, Zabt shall comply with the most stringent applicable standard.

2. Definitions and Data Roles

2.1 Key Definitions

The following definitions shall apply throughout this Policy. Capitalised terms not defined here shall have the meanings ascribed in the Terms of Service.

Role | Definition
Data Controller | The Customer organisation that determines the purposes and means of processing personal data of Candidates and Authorised Users within the Platform.
Data Processor | Zabt.io, which processes personal data solely on behalf of, and under the documented instructions of, the Data Controller.
Candidate Data | Personal data relating to individuals submitted for evaluation: CVs, portfolios, financial disclosures, identification documents and other attachments stored in the Document Vault.
Evaluation Data | Rubric configurations, weighted scoring matrices, committee scores, annotations, ranking outputs and audit trail records generated through the evaluation workflow.
Account Data | Data pertaining to the Customer's organisation and its Authorised Users: organisational name, billing information, user credentials, role assignments and platform configuration settings.
Sub-Processor | Any third-party entity engaged by Zabt to process personal data on behalf of the Customer.

2.2 Data Controller Obligations

Customers, as Data Controllers, are solely responsible for: (a) ensuring that the collection and submission of Candidate Data to the Platform has an appropriate lawful basis; (b) providing requisite notices and obtaining necessary consents from Candidates prior to processing; (c) responding to Data Subject Requests that fall within the Controller's domain; and (d) ensuring that the use of Evaluation Data complies with applicable employment, procurement, and anti-discrimination laws.

2.3 Data Processor Obligations

Zabt, as Data Processor, shall: (a) process personal data only on documented instructions from the Controller; (b) ensure that personnel authorised to process personal data are bound by appropriate confidentiality obligations; (c) implement the technical and organisational measures described in Section 6; (d) assist the Controller in fulfilling its obligations under applicable data protection law; and (e) delete or return all personal data to the Controller upon termination of the service relationship, as further described in Section 8.

3. Categories of Data Processed

3.1 Account Data

Account Data collected by Zabt includes the legal name and registered address of the Customer organisation; full name, professional email address and job title of Authorised Users; password credentials (stored exclusively in hashed, salted form); billing and payment information (processed via compliant third-party payment processors; raw card data is not retained by Zabt); platform configuration preferences, notification settings and API access tokens; and records of login events, IP addresses and session metadata for security and audit purposes.

3.2 Evaluation Data

Evaluation Data is generated by Authorised Users in the course of operating the Platform and includes rubric templates and weighted scoring criteria configured by the Customer; individual scores, ratings and qualitative annotations entered by committee members; aggregated leaderboard rankings and comparative scoring outputs; workflow state data including evaluation round assignments, submission deadlines and progression decisions; and complete audit trail records documenting all user actions, score submissions and system events.

Evaluation Data is strictly confidential to the Customer. Zabt shall not disclose Evaluation Data to any third party, including other Customers, except as strictly required by applicable law.

3.3 Candidate Data

Candidate Data is submitted by Customers into the Platform's secure Document Vault and may include full legal name, professional biography and contact information; curriculum vitae, academic credentials and professional portfolio documents; financial statements, grant expenditure reports and budget projections; identification documents where required for regulatory compliance; proposal narratives, project plans and supporting technical documentation; and any additional attachments uploaded by the Customer or by Candidates through a Customer-configured intake portal.

Sensitive Personal Data Warning. The Platform is technically capable of storing documents that may contain sensitive categories of personal data (as defined under GDPR Article 9). Customers are solely responsible, as Data Controllers, for ensuring that any processing of sensitive personal data has an explicit lawful basis and complies with applicable legal requirements.

4. Lawful Basis for Processing

4.1 Zabt's Lawful Basis as Processor

As a Data Processor, Zabt's lawful basis for processing personal data is the contractual relationship with the Data Controller, formalised through a Data Processing Agreement (DPA), which constitutes the documented instructions referenced in Article 28 of the GDPR. Zabt does not independently determine the lawful basis for processing Candidate Data; that determination rests exclusively with the Customer as Data Controller.

4.2 Processing for Account Administration

Zabt processes Account Data on the basis of contract performance (to provide the Platform service), legitimate interests (to maintain security and prevent fraud), and legal obligation (to comply with applicable financial and tax regulations). Account Data is not shared with third parties for commercial purposes.

5. Data Sovereignty and Non-Commercialisation

Core commitment

Zabt does not sell, rent, licence, or otherwise commercially exploit personal data or Evaluation Data. Candidate Data is never used to train AI or ML models.

5.1 Prohibition on Data Sale and Commercialisation

Zabt does not sell, rent, exchange, licence, or otherwise transfer personal data, Evaluation Data, or Candidate Data to any third party for commercial consideration. This prohibition is absolute and applies irrespective of whether the data is in identifiable, pseudonymised, or aggregated form.

5.2 Prohibition on AI and ML Model Training

Zabt expressly warrants that it does not use Candidate Data, Evaluation Data (including rubric configurations, scores, or committee annotations), or any data derived from the foregoing for the purpose of training, fine-tuning, testing, or evaluating any artificial intelligence or machine learning model. This prohibition applies to Zabt directly and to all Sub-Processors and affiliated entities.

5.3 Confidentiality of Evaluation Data

All scoring deliberations, rubric configurations, and rank-ordering outputs are treated as strictly confidential to the Customer organisation. Zabt personnel do not access Evaluation Data except where expressly authorised by the Customer for technical support purposes, and such access is logged in a permanent audit trail.

5.4 Data Residency

Customer data is hosted in infrastructure regions selected by the Customer at the time of account provisioning. Zabt does not unilaterally migrate Customer data to different geographic regions without prior written notice and Customer consent, except where required by applicable law or in an emergency to preserve data integrity.

6. Security Architecture and Technical Safeguards

6.1 Encryption at Rest

All Customer data, including Document Vault attachments, Evaluation Data and Account Data, is encrypted at rest using AES-256. Encryption keys are managed through a dedicated key management service with role-separated access controls.

6.2 Encryption in Transit

All data transmitted between client devices and the Platform, and between Platform components and Sub-Processors, is encrypted using TLS 1.3 with forward secrecy enabled. Connections using deprecated protocols (TLS 1.0, TLS 1.1) are rejected. HSTS headers are enforced to prevent protocol downgrade attacks.

6.3 Row-Level Security and Data Isolation

The Platform enforces Row-Level Security (RLS) at the database layer, ensuring each Customer's data is logically isolated from all other Customers'. RLS policies are enforced at the database engine level, not solely at the application layer.
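The distinction drawn above, enforcement by the database engine rather than by application code alone, is illustrated below in PostgreSQL syntax. This is an added example and not Zabt's schema or code; the table name, column names, role name and the session setting `app.customer_id` are assumed for illustration.

```sql
-- Added illustration of engine-level Row-Level Security (PostgreSQL).
-- Example code, not Zabt's own; table, columns, role and setting names are assumed.

CREATE TABLE candidate_documents (
    id            bigserial PRIMARY KEY,
    customer_id   uuid  NOT NULL,   -- the tenant (Customer) that owns the row
    candidate_id  uuid  NOT NULL,
    file_name     text  NOT NULL,
    ciphertext    bytea NOT NULL    -- document body, encrypted before storage
);

-- Application-layer-only isolation (the weaker pattern) relies on every query
-- carrying "WHERE customer_id = <current tenant>". One code path that omits the
-- clause, or any direct database session, exposes every tenant's rows.

-- Engine-level isolation: enable RLS and bind a policy to a per-transaction
-- setting that the application populates from the authenticated tenant context.
ALTER TABLE candidate_documents ENABLE ROW LEVEL SECURITY;
ALTER TABLE candidate_documents FORCE ROW LEVEL SECURITY;   -- applies to the table owner as well

-- If the setting is absent, current_setting(..., true) yields NULL, the
-- comparison is NULL, and no rows are visible: the policy fails closed.
CREATE POLICY tenant_isolation ON candidate_documents
    USING      (customer_id = current_setting('app.customer_id', true)::uuid)
    WITH CHECK (customer_id = current_setting('app.customer_id', true)::uuid);

-- The application connects as a role that cannot bypass RLS.
CREATE ROLE platform_app NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON candidate_documents TO platform_app;
GRANT USAGE ON SEQUENCE candidate_documents_id_seq TO platform_app;

-- Per request, after the Authorised User has authenticated (constructed tenant id):
SET ROLE platform_app;
BEGIN;
SELECT set_config('app.customer_id', '11111111-1111-1111-1111-111111111111', true); -- transaction-local

-- No WHERE clause is needed; the engine filters to the bound tenant.
SELECT id, file_name FROM candidate_documents;

-- A write for another tenant is rejected by WITH CHECK regardless of what the
-- application code tried to do (constructed foreign tenant id):
INSERT INTO candidate_documents (customer_id, candidate_id, file_name, ciphertext)
VALUES ('22222222-2222-2222-2222-222222222222', gen_random_uuid(), 'x.pdf', '\x00');
-- ERROR: new row violates row-level security policy for table "candidate_documents"
COMMIT;
```

The check a reviewer would apply to this pattern is that the application role is created with `NOBYPASSRLS`, that `FORCE ROW LEVEL SECURITY` is set so the owner is not exempt, and that the tenant setting is transaction-local (`set_config(..., true)`) so a pooled connection cannot carry one tenant's context into the next request.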

6.4 Access Controls and Authentication

The Platform implements role-based access control (RBAC) with granular permission scopes. Multi-factor authentication is available for all Authorised Users and is mandatory for Administrator-level accounts. All authentication events are logged with timestamps and IP metadata.

6.5 Vulnerability Management and Penetration Testing

Zabt conducts periodic third-party penetration testing of the Platform's infrastructure and application layer. Critical and high-severity vulnerabilities are subject to mandatory remediation timelines.

6.6 Incident Response

In the event of a confirmed personal data breach affecting Customer data, Zabt shall notify the affected Customer without undue delay and, where feasible, within 72 hours of becoming aware of the breach.

7. Sub-Processors and Infrastructure Partners

7.1 Sub-Processor Management Policy

Zabt maintains a formal Sub-Processor management programme. All Sub-Processors are bound by written Data Processing Agreements that impose obligations no less protective than those applicable to Zabt under this Policy and applicable law.

7.2 Current Sub-Processors

Zabt.io uses industry-leading, SOC 2 compliant sub-processors for cloud infrastructure, database management, and communication delivery. A detailed list of current sub-processors is available to institutional partners upon request at legal@zabt.io.

7.3 Sub-Processor Change Notifications

Zabt shall provide Customers with no less than thirty (30) days' advance written notice prior to the addition or replacement of any Sub-Processor. Customers who reasonably object on documented data protection grounds may terminate the relevant service upon written notice.

8. Data Retention, Portability, and Deletion

8.1 Retention During Active Subscription

Zabt retains Account Data, Evaluation Data and Candidate Data for the duration of the active subscription term and for a post-termination grace period as specified below.

8.2 Post-Termination Data Purge

  • Access Suspension: Authorised User access is suspended immediately upon the effective date of termination.
  • Export Window: A 30-day export window is provided to download all Evaluation Data and Candidate Data.
  • Data Purge: Ninety (90) days following termination, all Customer data is permanently and irreversibly deleted from active systems.
  • Backup Purge: Encrypted backup copies are purged within one hundred and eighty (180) days of termination.

8.3 Decision History Export

Customers may export their complete Decision History at any time during an active subscription, in JSON, CSV and PDF formats. Export requests are fulfilled within five business days.

8.4 Account Data Retention

Billing records and contractual documentation are retained for seven (7) years following the termination of a Customer relationship, in compliance with applicable financial record-keeping obligations.

9. International Data Transfers

Where personal data originating in the European Economic Area is transferred to Sub-Processors located outside the EEA, Zabt ensures that such transfers are subject to appropriate safeguards, including Standard Contractual Clauses as approved by the European Commission, or other lawful transfer mechanisms.

10. Rights of Data Subjects

10.1 Controller Responsibility for Rights Fulfilment

As Data Controller, the Customer is primarily responsible for responding to Data Subject Requests submitted by Candidates. Zabt shall provide commercially reasonable technical assistance to enable the Customer to fulfil its obligations.

10.2 Supported Rights Operations

The Platform includes administrative tools enabling Customers to retrieve all personal data held in relation to a specific Candidate, delete a specific Candidate's profile and associated documents, restrict processing flags that suspend automated scoring, and export a structured data package of an individual Candidate's data.

11. Cookies and Tracking Technologies

The Platform uses strictly necessary session cookies to maintain authenticated user sessions. Zabt does not deploy advertising cookies, behavioural tracking pixels, or third-party analytics scripts that transmit personal data to external advertising networks.

12. Amendments to This Policy

Zabt reserves the right to amend this Policy. Material amendments will be communicated to Customers via the registered account email address no less than thirty (30) days prior to the amendment's effective date.

13. Contact and Data Protection Inquiries

Privacy and data protection inquiries: privacy@zabt.io. General legal: legal@zabt.io. Standard inquiries are addressed within 5 business days; breach notifications within 72 hours.