Privacy Policy
Effective Date: April 17, 2025 · Last Updated: May 18, 2026
Quick Summary
This summary is intended to make this policy easier to navigate. The detailed provisions below control in the event of any conflict.
- Who we are: OSSVantage operates a staffing, recruiting, staff-augmentation, and cybersecurity-services platform.
- What we collect: Identifying information, candidate and professional history, business contact details, website usage data, and — where authorized — cybersecurity testing data captured under separate written engagement terms. Sensitive information (tax classification status, bank-account verification artifacts, identity-verification status) is collected only where legally permitted and reasonably necessary.
- How we use it: To match candidates with opportunities, deliver staffing and consulting services, manage business relationships, comply with legal obligations, and protect our systems and personnel.
- Who we share it with: Clients, service providers (subprocessors), professional advisors, and regulators where legally required. We don't sell personal information in the conventional sense.
- AI processing: We use AI to help structure resumes, score candidate-to-job alignment, and assist with intake conversations. AI informs but does not make final placement or hiring decisions.
- How long we keep it: A minimum of three years following the end of an engagement or relationship, longer where law, contract, or audit requirements apply.
- Your rights: Depending on where you live, you may have rights to access, correct, delete, restrict, or port your personal information. Contact privacy@ossvantage.com.
- Security: We maintain a security program aligned with SOC 2 standards, including encryption, access controls, monitoring, and incident response.
1. Introduction
OSSVantage.com and OSS Ltd (collectively, “OSSVantage,” “Company,” “we,” “us,” or “our”) respect privacy and are committed to protecting personal information. This Privacy Policy explains how we collect, use, disclose, retain, transfer, and protect personal information in connection with our website, staffing services, recruiting activities, staff augmentation services, professional services, cybersecurity consulting, vulnerability assessment, penetration testing, and related business operations.
This Privacy Policy applies to personal information we process about:
- Website visitors.
- Job applicants, candidates, consultants, contractors, employees, prospective employees, and contingent workers.
- Client representatives, prospective clients, vendors, partners, and referral sources.
- Individuals whose information is provided to us by candidates, clients, employers, staffing platforms, job boards, background-check providers, referral partners, professional networks, or public sources.
- Individuals whose information may be processed incidentally or intentionally under written authorization in connection with cybersecurity, vulnerability assessment, penetration testing, incident response, or related services.
This Privacy Policy is global in scope. Some jurisdictions provide additional rights or require additional notices, described in the jurisdiction-specific sections below.
This Privacy Policy does not replace any signed client agreement, employment agreement, contractor agreement, master services agreement, statement of work, data processing agreement, confidentiality agreement, background-check disclosure, consent form, penetration-testing authorization, rules of engagement, or other written agreement. If a written agreement imposes stricter obligations on OSSVantage, that written agreement controls for the relevant engagement.
2. Personal Information We Collect
Depending on your interaction with OSSVantage, we may collect the following categories of personal information.
2.1 Identity and Contact Information
Name, email address, telephone number, business contact details, professional title, employer, social-media or professional-profile URLs (such as LinkedIn or portfolio links), and similar identifiers.
2.2 Candidate, Applicant, and Workforce Information
Resume, curriculum vitae, employment history, education history, certifications, licenses, skills, compensation expectations, availability, work and location preferences, portfolio materials, work samples, interview scheduling and outcome notes, candidate-to-job alignment scores generated by our matching tools, communications with us, assignment history, and timesheets submitted during active engagements.
2.3 Sensitive or Regulated Information
Where legally permitted and reasonably necessary, we collect:
- Tax classification status (W-2 vs 1099) for candidates engaged through our platform. We do not directly collect or store Social Security numbers, taxpayer identification numbers, or the underlying contents of tax forms; signed tax documents are retained in our document store as files but their text content is not parsed or extracted.
- Identity verification status and reference identifiers from our identity verification provider (Stripe Identity). The underlying government-issued identification documents (driver's license, passport, etc.), date of birth, and similar source materials are submitted directly to and held by our verification provider; we receive verification outcomes and metadata only.
- Bank-account verification artifacts from our banking verification provider (Plaid): an opaque account token, account holder name, last four digits of the account number, institution metadata, and verification timestamp. We do not store full account or routing numbers, online banking credentials, or transaction histories.
- Payment destination email for candidates who opt to receive payments via Wise, PayPal, or similar payout services.
We do not currently collect demographic information voluntarily provided for equal-employment-opportunity reporting, disability or accommodation information, health-related information, drug-screening results, immigration source documents, or background-check report contents. If we add any of these categories in the future, we will update this policy as a material amendment before collection begins.
2.4 Client and Business Relationship Information
Business contact information, role, employer, billing information, project requirements, staffing needs, cybersecurity requirements, meeting notes, contract details, intake-conversation transcripts, and communications.
2.5 Website, Device, and Usage Information
IP address, browser type, operating system, device identifiers, referring URLs, pages viewed, session activity captured by our authentication infrastructure, approximate location derived from IP, and form submissions. We use essential session cookies for authentication and security. We do not currently run third-party analytics or advertising trackers; if we add aggregated, privacy-respecting analytics in the future, this policy will be updated and (where required by law) consent will be obtained.
2.6 Cybersecurity, Vulnerability Assessment, and Penetration Testing Information
When OSSVantage performs authorized cybersecurity services under a written engagement, we may process IP addresses, domain names, hostnames, system logs, vulnerability data, exploit-validation evidence, network metadata, configuration data, screenshots, account identifiers, limited samples of affected data, security findings, testing artifacts, and other information necessary to scope, perform, validate, document, remediate, or report security risks.
Unless expressly authorized in writing, OSSVantage does not seek to collect production personal information during penetration testing except as reasonably necessary to prove the existence, severity, impact, or remediation status of a vulnerability. If personal information is encountered incidentally during authorized testing, OSSVantage will handle that information in accordance with the applicable agreement, rules of engagement, this Privacy Policy, and applicable law.
2.7 Communications and Records
Emails sent through our messaging infrastructure, in-app messages and direct messages between users of our platform, web-form submissions, intake-tool transcripts, and similar records.
3. Sources of Personal Information
We may collect personal information from:
- You directly.
- Job applications, resumes, forms, communications, and account registrations.
- Clients, prospective clients, employers, former employers, and references.
- Recruiters, staffing partners, job boards, professional networks, referral sources, subcontractors, and consultants.
- Public sources, including professional profiles, publications, public websites, public databases, and business directories.
- Identity verification providers, banking verification providers, and (where the engagement requires them) background-check providers, credential-verification providers, skills-assessment providers, payroll providers, tax or compliance vendors.
- Cybersecurity tools, scanning platforms, logs, ticketing systems, cloud environments, client systems, and client-controlled test environments used during authorized engagements.
- Vendors and service providers acting on our behalf.
4. How We Use Personal Information
4.1 Staffing, Recruiting, and Workforce Services
- Identify, evaluate, screen, and communicate with candidates.
- Match candidates with client opportunities, including with AI-assisted alignment scoring (see Section 10).
- Submit candidate profiles, resumes, qualifications, and related information to clients or prospective clients.
- Conduct interviews, technical assessments, and verification of qualifications.
- Verify identity, work authorization, and qualifications.
- Manage onboarding, assignment placement, timekeeping, and worker administration.
- Maintain candidate pools, talent pipelines, and workforce records.
- Support staffing, staff augmentation, professional services, and project delivery.
- Comply with employment, labor, tax, immigration, equal-opportunity, workplace-safety, and other legal obligations.
4.2 Client Services and Business Operations
- Provide, manage, improve, and market our services.
- Respond to inquiries, proposals, requests for information, and support requests.
- Manage client accounts, contracts, statements of work, invoices, payments, and vendor onboarding.
- Communicate about services, projects, security matters, events, updates, and business opportunities.
- Perform analytics, reporting, quality assurance, training, forecasting, and business planning.
- Maintain records and enforce agreements.
4.3 Cybersecurity, Vulnerability Assessment, and Penetration Testing
- Scope, authorize, perform, validate, document, and report authorized testing.
- Identify vulnerabilities, misconfigurations, weaknesses, and exploit paths.
- Validate security controls and assess business impact.
- Preserve evidence necessary to support findings.
- Support remediation, retesting, and risk management.
- Maintain auditability, integrity, and traceability of security testing work.
- Comply with client instructions, written authorization, legal obligations, and contractual obligations.
4.4 Security, Fraud Prevention, and Legal Compliance
- Protect OSSVantage, our systems, personnel, clients, candidates, workers, and others.
- Detect, prevent, investigate, and respond to fraud, abuse, unauthorized access, security incidents, policy violations, or unlawful activity.
- Comply with subpoenas, court orders, government requests, regulatory obligations, and legal processes.
- Establish, exercise, or defend legal claims.
- Support audits, insurance claims, compliance reviews, and risk management.
5. Legal Bases for Processing
Where laws such as the EU General Data Protection Regulation (GDPR), UK GDPR, Swiss data protection law, Brazil's LGPD, or similar privacy laws apply, we rely on one or more of the following legal bases:
- Performance of a contract or steps taken before entering a contract.
- Compliance with legal obligations.
- Legitimate interests, including recruiting, staffing, business operations, cybersecurity, fraud prevention, service improvement, and client delivery.
- Consent, where required by law.
- Protection of vital interests, where applicable.
- Establishment, exercise, or defense of legal claims.
Where we rely on consent, you may withdraw consent at any time, subject to legal, contractual, operational, or compliance limitations.
6. Candidate Data and Client Submissions
By submitting a resume, profile, application, work sample, or similar information to OSSVantage, you authorize us to evaluate your qualifications and use your information for staffing, recruiting, placement, workforce administration, client submission, and related business purposes.
We may share candidate information with clients, prospective clients, hiring managers, affiliates, subcontractors, and service providers where reasonably necessary for recruiting, staffing, placement, professional services, verification, onboarding, compliance, or project delivery.
OSSVantage may format, summarize, enrich, or supplement candidate profiles using information provided by the candidate, public professional sources, assessments, references, or lawful third-party sources. Candidates are responsible for ensuring that information provided to OSSVantage is accurate, truthful, current, and not misleading.
7. Background Checks, Screening, and Work Authorization
Where applicable, OSSVantage or its clients may require background checks, identity verification, reference checks, credential verification, drug screening, work-authorization verification, or similar screening. Such screening will be conducted in accordance with applicable law and any required notices, authorizations, or disclosures.
Placement, employment, contract engagement, or client assignment may be conditioned on successful completion of lawful screening requirements.
8. Global Hiring and International Candidate Processing
OSSVantage may recruit, source, evaluate, hire, contract with, or place individuals globally, subject to applicable law. Processing may involve personal information from individuals located in the United States, Canada, the United Kingdom, the European Economic Area, Switzerland, Latin America, the Caribbean, Africa, the Middle East, Asia Pacific, and other regions.
Where we process personal information across borders, we use appropriate safeguards where required, which may include contractual commitments, data processing agreements, standard contractual clauses, transfer-risk assessments, vendor due diligence, access controls, encryption, role-based access, and similar protections.
Individuals should understand that personal information may be processed in the United States or other countries where privacy laws may differ from the laws of their place of residence. Where legally required, OSSVantage will implement appropriate transfer mechanisms (see Section 17 for EEA/UK/Switzerland specifics).
10. Automated Decision-Making and AI Processing
OSSVantage uses artificial intelligence and automated tools provided by Anthropic to support certain business operations, including:
- Resume and profile processing: AI-assisted parsing of resumes and candidate profiles to structure information for human review.
- Candidate-job alignment scoring: AI-generated scores comparing candidate qualifications to job opportunities. Scores are informational and inform human decision-making; they do not determine placement, submission, interview, or engagement decisions.
- Intake conversations: Conversational AI assists clients during job-spec intake and assists internal staff during job-spec refinement. Outputs are reviewed and finalized by people.
These tools assist human decision-makers but do not make final placement, hiring, employment, or service-related decisions about individuals on a fully automated basis. Qualified personnel review and decide on all material outcomes.
Where applicable law provides rights related to automated decision-making (such as Article 22 of the EU GDPR), you may exercise those rights by contacting us at privacy@ossvantage.com.
11. How We Disclose Personal Information
OSSVantage may disclose personal information to:
- Clients and prospective clients.
- Candidates, workers, consultants, contractors, and personnel where necessary for staffing or service delivery.
- Vendors, service providers, and processors that support recruiting, staffing, payroll, identity verification, banking verification, IT, cloud hosting, cybersecurity, communications, accounting, legal, and business operations (see Section 12).
- Subcontractors and consultants performing services under confidentiality, security, and contractual restrictions.
- Identity verification, banking verification, and (when engaged) background-check providers, payroll processors, tax advisors, and compliance providers.
- Professional advisors, including attorneys, accountants, auditors, insurers, and financial advisors.
- Government authorities, courts, regulators, and law enforcement where required or permitted by law.
- Parties involved in a merger, acquisition, financing, restructuring, bankruptcy, sale of assets, transfer of business, or similar transaction.
- Other parties with your direction, authorization, consent, or as disclosed at the time of collection.
OSSVantage does not sell personal information in the ordinary sense of exchanging it for money. However, some privacy laws define “sale,” “sharing,” or “targeted advertising” broadly. If our practices fall within those definitions, we will provide legally required notices and choices (see Section 16 for California specifics).
12. Subprocessors
OSSVantage uses third-party service providers (subprocessors) to support our operations. Current subprocessor categories include:
- Cloud infrastructure and database hosting (Supabase).
- AI and natural language processing (Anthropic).
- Transactional email delivery (Resend).
- Identity verification (Stripe Identity).
- Bank-account verification (Plaid).
- Anti-abuse and traffic protection (Cloudflare Turnstile).
We may engage additional subprocessors for electronic signature, background checks, calendar scheduling, and similar functions as those services are added. Any material change to the subprocessor list will be reflected in updates to this policy.
We require subprocessors to maintain appropriate confidentiality and security obligations through written agreements. A current list of named subprocessors is available upon request to clients with active engagements and may be required to be disclosed under certain data processing agreements.
13. Data Retention
We retain personal information for as long as reasonably necessary to fulfill the purposes described in this Privacy Policy, with a minimum baseline of three years following the end of an engagement or relationship. Longer retention periods apply where required or permitted by law, contract, audit, insurance, dispute resolution, tax, employment, immigration, security, or compliance obligations.
Specific retention windows vary depending on the type of information, the relationship, the jurisdiction, and applicable legal requirements:
- Candidate records: retained to consider individuals for future opportunities, unless deletion is required by applicable law or requested and legally available.
- Workforce records (W-2 or contractor): retained per IRS and state requirements (typically seven years post-engagement for tax records).
- Cybersecurity testing artifacts (where engaged): retained as long as reasonably necessary for reporting, remediation, validation, legal compliance, contractual obligations, auditability, and dispute resolution, unless a longer or shorter period is specified in the applicable statement of work or rules of engagement.
- Website and usage data: retained for operational purposes, typically in aggregated form after a defined period.
- Communications records: retained per applicable record-keeping requirements and legitimate business needs.
After retention windows expire, information is deleted or anonymized in accordance with our retention policy and applicable legal obligations.
14. Security
OSSVantage maintains a security program aligned with SOC 2 standards and uses administrative, technical, and physical safeguards designed to protect personal information against unauthorized access, disclosure, alteration, loss, misuse, and destruction. These safeguards include:
- Access controls and least-privilege principles.
- Encryption of data at rest and in transit.
- Continuous monitoring and logging.
- Vendor due diligence and risk management.
- Confidentiality obligations for personnel and subprocessors.
- Security awareness training.
- Secure software development practices.
- Incident response and notification procedures.
No system, website, network, transmission, or storage method is completely secure. OSSVantage cannot guarantee absolute security, but we work to maintain reasonable safeguards appropriate to the nature of the information and services involved.
To report a security concern, contact security@ossvantage.com.
15. Your Privacy Rights
Depending on your location and applicable law, you may have rights to:
- Request access to personal information we hold about you.
- Request correction of inaccurate personal information.
- Request deletion of personal information.
- Request restriction or objection to certain processing.
- Request portability of certain personal information.
- Withdraw consent where processing is based on consent.
- Opt out of certain sales, sharing, targeted advertising, or profiling, where applicable.
- Limit use or disclosure of sensitive personal information where applicable.
- Object to or appeal automated decision-making where applicable.
- Appeal a denial of a privacy request where applicable.
- Lodge a complaint with a data protection authority or regulator.
To exercise rights, contact us at privacy@ossvantage.com. We may need to verify your identity before processing a request. We may deny or limit requests where permitted by law, including where information must be retained for legal, contractual, security, employment, tax, audit, dispute-resolution, or legitimate business purposes.
We will respond to verifiable requests within the timeframes required by applicable law (typically 30–45 days, with possible extensions where permitted).
16. California Privacy Notice
This section applies to California residents and supplements the rest of this Privacy Policy.
Your CCPA/CPRA Rights
Under the California Consumer Privacy Act, as amended by the California Privacy Rights Act, California residents have rights to:
- Know what personal information has been collected about you in the preceding 12 months.
- Access copies of your personal information.
- Correct inaccurate personal information.
- Delete personal information we hold about you.
- Opt out of “sale” or “sharing” of personal information (as defined under California law).
- Limit the use and disclosure of sensitive personal information.
- Non-discrimination for exercising your privacy rights.
- Use an authorized agent to submit requests on your behalf.
Categories of Personal Information Collected (Past 12 Months)
OSSVantage may have collected the following CCPA categories in the past 12 months:
- Identifiers (name, email, phone, IP address, professional identifiers).
- Personal information described in Cal. Civ. Code § 1798.80(e) (employment and education information).
- Commercial information (transaction history, services purchased).
- Internet or electronic network activity information.
- Geolocation information (approximate, IP-derived only).
- Professional or employment-related information.
- Education information.
- Sensitive personal information (tax classification status, identity verification status and reference identifiers, bank-account verification artifacts including last four digits).
- Inferences drawn from other information (for candidate matching and recruiting purposes).
Sources and Disclosure
Sources and recipients are described in Sections 3 and 11 of this Privacy Policy.
Sale and Sharing
OSSVantage does not knowingly sell or share personal information in the conventional sense. We do not currently run third-party analytics or advertising tools that would meet California's broader definitions of “sale” or “sharing.” If that changes, we will provide a “Do Not Sell or Share My Personal Information” link and honor applicable opt-out preference signals.
Sensitive Personal Information
If OSSVantage uses or discloses sensitive personal information for purposes other than those permitted under California law without the right to limit such use, we will provide a “Limit the Use of My Sensitive Personal Information” link.
Children
OSSVantage does not knowingly sell or share personal information of California residents under 16 years of age.
How to Exercise California Rights
Submit California privacy requests to privacy@ossvantage.com. We will verify your identity and respond within the timeframes required by California law.
17. European Economic Area, United Kingdom, and Switzerland Notice
If you are located in the EEA, United Kingdom, or Switzerland, you have rights under applicable data-protection law (GDPR, UK GDPR, or Swiss data protection law).
Controller and Processor Roles
OSSVantage acts as a controller for recruiting, staffing, candidate relationship management, website operation, and business operations. OSSVantage acts as a processor when processing personal information strictly on behalf of a client under a written agreement.
International Transfers
Where personal information is transferred from the EEA, UK, or Switzerland to the United States or another jurisdiction without an applicable adequacy decision, OSSVantage uses legally recognized transfer safeguards, including:
- Standard Contractual Clauses (SCCs).
- UK International Data Transfer Agreement or UK Addendum.
- Swiss-specific transfer terms where required.
- Transfer Impact Assessments where appropriate.
Contact privacy@ossvantage.com to request additional information about international transfer safeguards or to exercise your rights.
Supervisory Authority
You have the right to lodge a complaint with a data-protection authority in your country of residence or where the alleged violation occurred.
18. Canada, Brazil, and Other Jurisdictions
Where Canadian privacy laws (including PIPEDA and provincial laws), Brazil's LGPD, or similar laws apply, OSSVantage processes personal information in accordance with applicable requirements, including transparency, purpose limitation, consent where required, lawful processing, data-subject rights, security safeguards, cross-border transfer accountability, and retention limitation.
Individuals in other jurisdictions may have rights under applicable local law. Contact privacy@ossvantage.com to exercise applicable rights or raise questions about data handling.
19. Children's Privacy
OSSVantage's website and services are intended for adults and business users. We do not knowingly collect personal information from children under 13, or a higher age where required by applicable law. If we learn that we have collected personal information from a child without appropriate authorization, we will take reasonable steps to delete it.
20. Third-Party Websites and Platforms
Our website may link to third-party websites, job boards, professional networks, applicant tracking systems, client portals, payment providers, or other platforms. OSSVantage is not responsible for the privacy practices, security, content, or policies of third parties. You should review their privacy notices before providing information.
21. Changes to This Privacy Policy
We may update this Privacy Policy from time to time. The updated version will be posted on OSSVantage.com with a revised “Last Updated” date.
For material changes, we will provide additional notice (such as an in-app notification or email) where required by law and may, depending on the nature of the change, require renewed consent or acknowledgment before continuing to use our services.
22. Contact Us
Questions, requests, or complaints may be sent to:
OSS Ltd
Website: OSSVantage.com
Address: 3495 Buckhead Loop NE STE 115, Atlanta, GA 30326
- Privacy inquiries: privacy@ossvantage.com
- Security concerns: security@ossvantage.com
- Legal: legal@ossvantage.com
We aim to respond to all inquiries within 30 days, or sooner where required by applicable law.