GDPR Compliance and Data Privacy Framework Commitment

Last updated on February 05, 2025

Ensuring Compliance with GDPR, SCCs, and Secure Data Transfers

CarrotHR, Inc. (DBA Assembly) is committed to safeguarding personal data and ensuring compliance with the General Data Protection Regulation (GDPR). Our security measures, transparent data processing practices, and legal mechanisms ensure that all transfers of personal data outside the European Economic Area (EEA) align with GDPR requirements.

Cross-Border Data Transfers

Transfers of Personal Data Outside the EEA

Pursuant to GDPR Article 46, organizations transferring personal data outside the EU or EEA must implement legally binding and enforceable safeguards. CarrotHR, Inc. (DBA Assembly) ensures compliance through:

  • EU Standard Contractual Clauses (SCCs): We rely on European Commission-approved SCCs to provide a lawful basis for data transfers outside the EU/EEA. Assembly commits to monitoring updates from the European Commission regarding SCCs and will implement new versions as required. If revised SCCs are issued, they shall automatically apply to all international data transfers.
  • Data Privacy Framework (DPF) Compliance: CarrotHR, Inc. (DBA Assembly) is certified under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, ensuring compliance with GDPR and international data transfer requirements.
  • Supplementary Security Measures: We employ end-to-end encryption, strict access controls, and data minimization techniques to protect personal data during international transfers.

For organizations requiring a Data Processing Agreement (DPA) that includes EU Standard Contractual Clauses (SCCs), CarrotHR, Inc. (DBA Assembly) is prepared to sign such an agreement. Entities seeking a DPA may contact us at support@joinassembly.com.

For additional information regarding GDPR Article 46 and SCCs, visit the European Commission’s official page.

CarrotHR, Inc. (DBA Assembly) Certification Under the Data Privacy Framework (DPF)

CarrotHR, Inc. (DBA Assembly) has obtained official certification under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF, in accordance with the U.S. Department of Commerce.

  • DPF Certification: We adhere to the EU-U.S. and Swiss-U.S. DPF Principles, ensuring compliance with data protection regulations for personal data received from the European Union, United Kingdom, and Switzerland.
  • Legal Oversight: If any conflict arises between CarrotHR, Inc. (DBA Assembly) policies and the DPF Principles, the DPF Principles shall govern.
  • More Information: Our official DPF certification is available at www.dataprivacyframework.gov.

For more details regarding our DPF compliance, please visit our Privacy Policy. While CarrotHR, Inc. (DBA Assembly) is certified under the DPF, SCCs remain the governing legal basis for HR-related data transfers under GDPR compliance.

User Rights and Data Protection Under GDPR

CarrotHR, Inc. (DBA Assembly) ensures that users have full control over their personal data in compliance with GDPR, including:

  • Right to Access and Correction: Users may review or update their personal data through their account settings or by contacting support@joinassembly.com.
  • Right to Erasure ("Right to be Forgotten"): Users may request the deletion of their personal data.
  • Data Processing Transparency: Our Privacy Policy provides clear information on how and why we process personal data.

For any privacy-related inquiries, users may contact support@joinassembly.com.

Ongoing Security and Compliance Measures

CarrotHR, Inc. (DBA Assembly) continuously enhances its security, data protection, and compliance measures to align with GDPR, Data Protection Authorities (DPAs), and industry best practices:

  • SOC 2 Type II Certified: Regular security audits ensure compliance with industry standards.
  • Encryption and Access Controls: Data is encrypted both in transit and at rest to protect against unauthorized access.
  • GDPR-Compliant Processors: We work with trusted third-party vendors (subprocessors) to provide our services securely and efficiently. All subprocessors are contractually bound to comply with GDPR and other data protection laws.
  • Access Subprocessor Information: To view our list of subprocessors or receive updates about changes, please contact us at support@joinassembly.com.

For additional details on CarrotHR, Inc. (DBA Assembly) security measures and compliance, please review our Privacy Policy.

Commitment to GDPR Compliance and Data Protection

CarrotHR, Inc. (DBA Assembly) is dedicated to ensuring the highest standards of data privacy for its users. By adhering to GDPR Article 46, SCCs, and the Data Privacy Framework (DPF), we ensure secure and compliant data transfers worldwide. For organizations requiring a Data Processing Agreement (DPA) with EU Standard Contractual Clauses (SCCs) or for any compliance-related inquiries, please contact support@joinassembly.com.