Candidate Privacy Notice

Last Updated: 12/15/2023

When you apply to work with any of the Cloudflare Group of companies (Cloudflare, Inc.
and its wholly owned subsidiaries as listed in our Privacy Policy (together, “Cloudflare” or
“we”), we will collect the personal data contained in your application. In this case, we are
a "data controller.” This means that we are responsible for deciding how we hold and use
personal data about you.

This notice provides applicants (whether for an employee, worker or contractor position)
with information about the personal data we collect, how and why your personal data will
be used, and how long we will retain it. It also provides you with certain information that
we are required to provide you under Applicable Data Protection Laws. Applicable Data
Protection Laws means all data protection laws and regulations of the jurisdictions of the
aforenamed Cloudflare companies that are applicable to the processing of personal data.

Your personal data will be processed for the purposes of managing our recruitment and
hiring-related activities, which include setting up and conducting interviews and tests for
applicants, evaluating and assessing the results thereto, conducting reference and/or
background checks, and as is otherwise needed in the recruitment and hiring processes.
We process your information as necessary for our legitimate interests (that is, the
solicitation, evaluation, and selection of applicants for employment) or where we have
your consent to do so.


1. DATA PROTECTION PRINCIPLES

We will comply with data protection laws and principles, which means that your data will
be:

  • Used lawfully, fairly and in a transparent way.

  • Collected only for valid purposes that we have clearly explained to you and not used in any way that is incompatible with those purposes.

  • Relevant to the purposes we have told you about and limited only to those purposes.

  • Accurate and kept up to date.

  • Retained only as necessary for the purposes we have told you about.

  • Kept securely.

2. INFORMATION WE COLLECT

In connection with your application for work with us, we will collect your personal data
from you, from recruitment agencies (who may provide us with information such as CVs,
and your named references. We gather, store, and use the following categories of
personal data about you:

  • The information you have provided to us in your resume, curriculum vitae, and/or cover letter.

  • The information you have provided on our application form, including but not limited to name, title, address, telephone number, personal email address, date of birth, gender, employment history, and qualifications.

  • Any information you provide to us during an interview.

  • Test results (if applicable to the role) and work sample.

  • Any information your references provide to us during a reference check.

In some cases, we may perform a background and/or credit check. When we do that, we
may collect the following categories of information from a background check provider:
name, title, address, telephone number, personal email address, date of birth, employment history, national ID, references, education. Section 4, below, provides more information about the "special categories" of Sensitive Personal Information we may collect, store, and use.


3. HOW WE WILL USE INFORMATION ABOUT YOU

We will use the above-described categories of personal data we collect about you to:

  • Assess your skills, qualifications, and suitability for the work.

  • Carry out background and reference checks as appropriate and in accordance with applicable law.

  • Communicate with you about the recruitment process.

  • Keep records related to our hiring processes.

  • Comply with legal or regulatory requirements.

It is in our legitimate interest to decide whether to appoint you to a role as it would be
beneficial to our business to appoint someone to that role. We also need to process your
personal data to decide whether to enter into a contract of employment or contract for
services with you. We may use your information to re-engage with you for future
employment opportunities.

4. IF YOU FAIL TO PROVIDE PERSONAL DATA

If you fail to provide information when requested, and that information is necessary for
us to consider your application (such as evidence of qualifications or work history), we
will not be able to process your application successfully. For example, if we require a
credit check or references for this role and you fail to provide us with relevant details, we
will not be able to take your application further

5. SENSITIVE PERSONAL INFORMATION WE MAY COLLECT, AND HOW WE USE IT

We may collect the following "special categories" of more sensitive personal data:
information about your race or ethnicity, religious beliefs, sexual orientation and political
opinions, if you choose to give us that information (“Sensitive Personal Information”). We
will hold this information for the purposes of legal compliance, diversity and equal
opportunities. We will use Sensitive Personal Information in the following ways:

  • We will use information about your disability status to consider whether we need to provide appropriate adjustments during the recruitment process, for example whether adjustments need to be made during a test or interview.

  • We will use information about your race or national or ethnic origin, religious, philosophical or moral beliefs, or your sexual life or sexual orientation, to ensure meaningful equal opportunity monitoring and reporting.

In addition, we will collect, store, and use information about your criminal convictions
history if we perform a background check. Typically, we perform background and/or
credit checks if we would like to offer you the role. Such an offer is usually conditional on
checks and any other conditions, such as references, being satisfactory. We are entitled
to ask you to apply for a basic criminal record check in order to satisfy ourselves that
there is nothing in your criminal convictions history which makes you unsuitable for the
role. Every role at Cloudflare requires a high degree of trust and integrity and therefore
requires a criminal background check. Such background checks are conducted in
accordance with applicable law.

We have in place an appropriate policy document and safeguards which we are required
by law to maintain when processing such data.

6. AUTOMATED DECISION-MAKING

You will not be subject to decisions that will have a significant impact on you based
solely on automated decision-making.

7. HOW WE MAY SHARE YOUR PERSONAL DATA WITH THIRD PARTIES

We share the above-described personal data with third-party service providers, including other entities in the Cloudflare Group for business purposes. These service providers help us manage our recruiting and hiring processes, communicate with applicants, schedule interviews, and, when appropriate, conduct background checks. The service providers we use include:

  • Greenhouse Software, Inc., a cloud services provider located in the United States of America and engaged by Cloudflare to help manage the recruitment and hiring process on Cloudflare’s behalf.

  • CrossHCQ, a cloud services provider located in the United States of America and engaged by Cloudflare to help facilitate the recruitment process on Cloudflare’s behalf.

  • Calendly, a cloud services provider located in the United States of America and engaged by Cloudflare to help manage interview scheduling on Cloudflare’s behalf.

  • HireRight, a cloud services provider located in the United States of America and engaged by Cloudflare to help manage background checks on Cloudflare’s behalf.

  • Checkr, a cloud services provider located in the United States of America and engaged by Cloudflare to help manage background checks on Cloudflare’s behalf.

  • HackerRank, a cloud services provider located in the United States of America and engaged by Cloudflare to administer coding tests to candidates on Cloudflare’s behalf.

  • Eightfold, a cloud services provider located in the United States of America and engaged by Cloudflare to help manage and re-engage with previous applicants on Cloudflare’s behalf.

  • Altair Global, a relocation services company based in the United States and engaged by Cloudflare to assist with the relocation for new hires on Cloudflare’s behalf.

  • Gant Travel, a service provider located in the United States of America and engaged by Cloudflare to assist with candidate travel during the interview on Cloudflare’s behalf.

All of our third-party service providers and other entities in the Cloudflare Group (Cloudflare, Inc. and its wholly-owned subsidiaries) are required to take appropriate security measures to protect your personal data in line with our policies. We do not allow our third-party service providers to use your personal data for their own purposes or to sell your personal data. We only permit them to process your personal data for specified purposes and in accordance with our instructions.

Cloudflare will not “sell” candidate personal information or “share” candidate personal information for the purposes of conducting behavioral or targeted advertising, as “sell” and “share” are defined under Applicable Data Protection Law.

Cloudflare is a U.S. based, global company. When you submit your personal data to any Cloudflare entity outside the United States, we transfer your personal data and special categories of personal data to countries where the Cloudflare Group

has offices in the legitimate interests of the Company and/or with your consent. The Cloudflare Group offices are listed here: https://www.cloudflare.com/about-overview/.

We recognise that the EU has established strict positions regarding the handling of personal data (including special categories of personal data, as appropriate) including requirements to provide adequate protection for personal data collected within the EEA and transferred outside the EEA. We will ensure that we only transfer personal data (including special categories of personal data, as appropriate) to a country or territory outside the EEA if that country or territory ensures an adequate level of protection for the rights and freedoms of individuals in relation to the processing of personal data (including sensitive personal data, as appropriate) or where adequate contractual or other safeguards to protect that data are in place.

Whenever a Cloudflare company transfers personal information originating from one country to another Cloudflare group company or a third party service provider or partner in a different country, we will implement appropriate safeguards, consistent with the laws of the territory from which the data is exported. We describe the safeguards we implement here. If you have any questions about or need further information concerning the safeguards Cloudflare has in place to protect your personal information, please contact us at privacyquestions@cloudflare.com.

When Cloudflare transfers personal data from the EEA, Switzerland, or the United Kingdom (UK) to the United States, we rely on our certifications under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), and the UK Extension to the EU-U.S. DPF. Should these certifications lapse or become otherwise invalidated, Cloudflare relies on the standard contractual clauses, including supplementary measures as necessary for transfers to the United States. We also use standard contractual clauses for other international transfers from the EEA, Switzerland, or the United Kingdom.

Self-certification to the Data Privacy Framework

Cloudflare complies with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF as set forth by the U.S. Department of Commerce. Cloudflare has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union in reliance on the EU-U.S. DPF and from the United Kingdom (and Gibraltar) in reliance on the UK Extension to the EU-U.S. DPF. Cloudflare has also certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To learn more about the Data Privacy Framework (DPF) program, and to view our certification, please visit https://www.dataprivacyframework.gov/.

In compliance with the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF (together, the “DPFs”), Cloudflare commits to resolve DPF Principles-related complaints about our collection and use of your personal information. EU, UK, and Swiss individuals with inquiries or complaints regarding our handling of personal data received in reliance on the DPFs should first contact us by emailing sar@cloudflare.com or via mail to: Cloudflare, Inc., 101 Townsend St., San Francisco, CA 94107, Attn: Data Protection Officer. We will respond to your inquiry within 30 days of receipt and verification of your identity.

In compliance with the DPFs, Cloudflare commits to refer unresolved complaints concerning our handling of personal information received in reliance on the DPFs to TRUSTe, an alternative dispute resolution provider based in the United States. If you do not receive timely acknowledgment of your DPF Principles-related complaint from us, or if we have not addressed your DPF Principles-related complaint to your satisfaction, please visit

https://feedback-form.truste.com/watchdog/request for more information or to file a complaint. The services of TRUSTe, LLC are provided at no cost to you. You have the possibility, under certain conditions, to invoke binding arbitration for complaints regarding DPF compliance not resolved by any of the other mechanisms set out in this DPF Notice or our Privacy Notice. For more information, please see Annex 1 of the DPF Principles, available here.

The Federal Trade Commission has jurisdiction over Cloudflare’s compliance with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF). We may be required to disclose personal information we receive under the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF in response to lawful requests by public authorities, including to meet national security or law enforcement requirements.

Cloudflare is liable for the processing of personal information it receives under the DPF Principles and subsequently transfers to a third party acting as an agent on its behalf. Cloudflare shall remain liable under the DPF Principles if its agent processes such personal information in a manner inconsistent with the DPF Principles, unless Cloudflare proves that it is not responsible for the event giving rise to the damage.

8. HOW WE SECURE YOUR DATA

We have put in place appropriate security measures to prevent your personal data from
being accidentally lost, used or accessed in an unauthorized way, altered or disclosed. In
addition, we limit access to your personal data to those employees, agents, contractors,
and other third parties who have a business need-to-know. They will only process your
personal data on our instructions, and they are subject to a duty of confidentiality.
Details of these measures may be obtained from privacyquestions@cloudflare.com.

We have put in place procedures to deal with any suspected data security breach and
will notify you and any applicable regulator of a suspected breach where we are legally
required to do so.

9. HOW LONG WE KEEP YOUR INFORMATION

We will retain your personal data for a period of up to 3 years after we have communicated to you our decision about whether to appoint you to a role. We retain your personal data for that period so that we can show, in the event of a legal claim, that we have not discriminated against candidates on prohibited grounds and that we have conducted the recruitment exercise in a fair and transparent way. After this period, we will securely destroy your personal data in accordance with internal policies and procedures.

10. YOUR RIGHTS OF ACCESS, CORRECTION, ERASURE, AND RESTRICTION

Under certain circumstances, by law you have the right to:

  • Request access to your personal data (commonly known as a "data subject access request"). This enables you to receive a copy of the personal data we hold about you and to check that we are lawfully processing it. If you are a California resident, you can also request the following:

1. categories of personal information,

2. the categories of sources from which the personal information is collected,

3. the business or commercial purpose for collecting, selling, or sharing personal information,

4. the categories of third parties to whom we disclose personal information, and

5. the specific pieces of personal information that we have collected about you.

  • Request correction of the personal data that we hold about you. This enables you to have any incomplete or inaccurate information we hold about you corrected.

  • Request erasure of your personal data. This enables you to ask us to delete or remove personal data where there is no good reason for us continuing to process it. You also have the right to ask us to delete or remove your personal data where you have exercised your right to object to processing (see below).

  • Object to processing of your personal data where we are relying on a legitimate interest (or those of a third party) and there is something about your particular situation which makes you want to object to processing on this ground. You also have the right to object where we are processing your personal data for direct marketing purposes.

  • Request the limitation or restriction of processing of your personal data. This enables you to ask us to suspend the processing of personal data about you, for example if you want us to establish its accuracy or the reason for processing it. If you are a resident of California, you may have the right to limit some uses of your Sensitive Personal Information.

  • Request the transfer of your personal data to another party.

  • Non-discrimination for exercising your privacy rights.

If you want to make a request with respect of your rights relating to your personal data, please send your request to sar@cloudflare.com in writing.

Please note, that we may be required to ask you for further information in order to confirm your identity before we provide the information requested. Specifically, we may send a separate email to verify your email address on file. We will respond to your request as soon as reasonably possible. Should we not be able to respond to your request within thirty (30) days after receiving your request, we will inform you in writing within thirty (30) days of the time by which we will be able to respond to your request. If we are unable to provide you with any personal data, make a correction or delete personal data requested by you, we shall generally inform you of the reasons why we are unable to do so (except where we are not required to do so under Applicable Data Protection Laws).

California residents also have the right to designate an authorized agent to make a
request on their behalf. If you would like an authorized agent to submit a request on your
behalf, we require that either (a) you must directly confirm with us that you provided the
authorized agent permission to submit the request, (b) you must provide the authorized
agent with your power of attorney in accordance with the law of the jurisdiction in which
you are located, or (c) the request must otherwise be submitted in accordance with
Applicable Laws.

You also have the right to object to our processing of your data where we are processing
such data in our legitimate interests or to withdraw your consent for processing where
our processing is based on having received your consent. To object or withdraw your
consent, please contact us at sar@cloudflare.com.

11. DATA PROTECTION OFFICER

We have appointed a Data Protection Officer (“DPO”) to oversee compliance with this
privacy notice. If you have any questions about this privacy notice or how we handle
your personal data, please contact the DPO at dpo@cloudflare.com.













































































Website Terms of Use

Self-Serve Subscription Agreement

Service-Specific Terms

Privacy Policy

Cookie Policy

Trust & Safety

Transparency Report

Domain Registration Agreement

Modern Slavery Act Statement

Third Party Code of Conduct

Candidate Privacy Policy

Have Questions?


If you have questions about these terms or anything else about Cloudflare, please don't hesitate to contact us:

+1 (650) 319-8930

Cloudflare, Inc.
101 Townsend St,
San Francisco, CA 94107
USA