GDPR Summary & FAQs

The Routes software is managed by CV Technologies Ltd. We act in the following roles in respect of the data we process:

• Data Controller: client account data (organisation name, contact details and transactional data) and the business information needed to fulfil our contractual obligations.
• Data Processor: user account data and content uploaded by our client and their registered users.

Routes is a digital career passport platform that helps organisations support learners or service users to build a verified, media-rich CV recording their skills, achievements and progress. It also gives organisations a control centre to track development, provide endorsements and connect learners more effectively with employers.

The addition of the ‘Routes Talent Pool’ allows clients to link in their own approved employers to browse or automatically match prospective applicants to openings.

Yes. The use of Routes is likely to be optional and therefore it is recommended that consent is obtained. At the point of sign up, users are provided with our user-facing privacy notice and prompted to consent to the basic processing necessary to set up their account. We recommend reviewing this to assess if any additional consent is required for your organisation’s particular use of the system.

To set up a user account, Routes will only require a name and email address. A link will then be sent to the user with a temporary password to finish set up. Once changed by the user, their password is secure and hidden to us.

The client will determine during the design phase with us whether or not any further data fields are mandatory for the user during set up (for example, class group, date of birth).

Once account set up is complete, the parent organisation and user will load their profile with the information necessary to collate their digital CV. This is typically limited to data related to personal and professional development of our users, qualifications, progress, CVs etc. Routes will also collect some analytical data such as cookies automatically to help improve our services and the user experience.

All data including archives and backups are stored on a cloud-based platform hosted by Microsoft Azure. The data centres are located in the United Kingdom and are equipped with robust security measures to safeguard data. Microsoft Azure are the only third-party organisation that we sub-contract to process user data (sub-processor). Data is encrypted both at rest and in transit.

Yes. Some of the features of the Routes app utilise AI to help users make the most of their experience. AI features within Routes are powered by and hosted within our Microsoft Azure infrastructure and data submitted to the service is not used to train models, nor is data retained beyond what is necessary to process the request.

Usage is limited to:

• Prompts to help the user improve the content of their digital CV
• Matching a user to a potential job opportunity with approved employers registered on the Routes platform (talent pool only)

As there is the possibility of automated decision making taking place in these processes, it is important to consider:

• Clearly notifying users that AI is in use and their data may be subject to automated decision making.
• Including the use of AI in any consent forms provided to users unless an alternative lawful basis can be established.
• Carefully considering the processing of special category data on the app to safeguard against any bias in automated decision making.
• Considering human input where possible to provide clarity to any automated decision making.

The talent pool is an optional feature which you can choose to add onto your subscription. It allows you as the client to link in approved employers that you work with. Once linked in to Routes, employers can browse CVs for potential candidates or use the features to match candidates with a specific opening they have.

Approved employers will have access to user CVs for as long as they are linked in to the Routes software unless consent is withdrawn by the user. We do recommend that you link in vetted and approved employers only, ensuring that agreements and safeguards are in place to maintain appropriate usage of user CVs.

User data is typically kept for a period of 24 months following the termination of an agreement between the client and CV Technologies Ltd. We will also securely delete user accounts and data if an account has been inactive for 24 months.

CV Technologies Ltd reserves the right to retain user data longer term if there is a legal obligation to do so. We will not typically retain user data for longer than 6 years in such cases.

CV Technologies Ltd do not monitor user data; we will only access user accounts if it is strictly necessary for system support and maintenance. Access in such cases is limited to 2 staff members who are subject to non-disclosure agreements and routine security training.

Our physical premises are secured by high perimeter fencing, controlled visitor access and CCTV.

CV Technologies Ltd are Cyber Essentials Plus accredited.

The following technical security measures have been implemented via the Microsoft Azure platform and are routinely monitored to ensure optimum security:

• Encryption (Data at Rest): 256-bit AES encryption (FIPS 140-2 compliant)
• Encryption (Data in Transit): Data Link Layer, TLS & HTTPS
• Firewall / Intrusion Detection
• Anti-Virus: Malware Scanning
• Back Up Provision: 240 mins (holds for 8 hours & retains 2 x latest backups)
• Accreditations: ISO 27001, Cyber Essentials Plus, G-Cloud, UK-PASF

Our system monitoring procedures include real-time network and endpoint monitoring, intrusion detection and log analysis to identify and respond to any anomalies and security threats.

CV Technologies Ltd have not experienced any significant security incidents to date. Recovery plans and data breach procedures are in place to ensure that we can handle any breach of security quickly and efficiently without impacting services too much.

We will notify our clients and users without undue delay in the event of a data breach.

Users can find out more about how and why their data is processed by visiting our website to access our latest Privacy Policy. This also includes information about what rights individuals have in respect of their own personal data. See our Privacy Policy and User Privacy Notice.

CV Technologies Ltd is registered with the Information Commissioner’s Office (ICO) and renews its subscription annually upon reference: ZB470508.

Our ‘Data Protection Policy’ outlines how we comply with the UK General Data Protection Regulation (UK-GDPR).

A Data Protection Impact Assessment (DPIA) has been conducted to assess any risks associated with data processing; this will be reviewed on an annual basis or sooner should a change in legislation or a significant change in processing occur.

As a developer of software designed to be used by children (those individuals under the age of 18), we must comply with the ICO Children’s Code to ensure the best interests of the child is at the heart of the services that we provide.

In summary, we have implemented the following measures:

• No marketing activity present on the app or supporting processes
• No nudge techniques or reward systems
• No links to third party websites or subscriptions
• Location data is not processed
• No links to social media or chat functions; users can only submit a request to their learning mentor
• Age appropriate controls in place; sharing features restricted for younger users
• Age appropriate privacy information available upon request
• Measures to support user rights