Epitome's privacy posture is intended to support enterprise clients that need clear controller-processor boundaries, predictable data handling, and practical support for privacy obligations.
Roles and responsibilities
Where Epitome provides the Epitome Workforce Optimisation Platform to enterprise customers, the current draft positions Epitome primarily as a processor acting on the documented instructions of the client as controller (Available now). In practice, this means the client determines the lawful basis and business purpose for the use of employee, candidate, or workforce data, while Epitome provides the platform, support, and agreed processing services.
Some data-processing details may vary by product scope, deployment model, and client workflow (Supported with configuration), so role allocation should always be confirmed in the commercial and legal documentation for the engagement.
Categories of data processed
Current drafts indicate that Epitome may process categories of data such as identification data, employment data, education and certification data, role and competency data, skills enrichment data, and related workforce analytics (Available now). The same drafts also state that special-category personal data is not intended to be processed unless expressly authorised in writing (Available now).
Epitome is designed to process the data needed for workforce optimisation use cases while avoiding unnecessary collection and keeping sensitive-category processing tightly bounded.
Data residency and international transfers
Epitome's documentation states that regional hosting can be supported in specific AWS regions (Supported with configuration). This helps clients align deployments to data residency and local regulatory needs where required.
Where personal data is transferred outside the EEA or UK, the draft DPA language states that Epitome will rely on recognised transfer mechanisms such as Standard Contractual Clauses, the UK Addendum, or other approved mechanisms (Available now). Transfer impact assessments are described as Available on request.
Retention and deletion
Epitome's current material describes configurable retention schedules, secure deletion, and backup expiry handling (Available now). Epitome aims to retain personal data only for as long as required by the agreement, client instructions, or applicable law, and supports deletion or return of data at the end of the relationship (Available now).
Specific retention periods for application data, AI decision logs, backups, or audit trails may vary by use case, client requirement, or regulation (Supported with configuration).
Data subject rights support
The current DPA summary states that Epitome supports controllers in addressing data-subject-rights requests such as access, rectification, erasure, portability, restriction, and objection (Available now). In practice, these workflows depend on the client's legal role, internal process, and configured platform data model, but the trust-centre position should be that Epitome provides the technical and operational support needed to help clients respond appropriately.
Breach-notification support
Epitome's current draft states that confirmed personal-data breaches will be communicated to the client without undue delay, with a working target of notification within 72 hours of awareness where relevant (Available now). As with most processor relationships, the client remains responsible for any regulator or data-subject notification required under law, while Epitome supports investigation, remediation, and evidence sharing.
Subprocessor governance
Epitome maintains a subprocessor register in its current draft documentation (Available now) and states that subprocessors are expected to operate under written agreements with equivalent data-protection obligations (Available now). The most up-to-date subprocessor list and related transfer details can be shared as part of diligence (Available on request), and material changes are intended to be notified in advance under the governing documentation (Available now).
Overall, the privacy message for buyers is straightforward: Epitome is designed to operate with clear role separation, bounded data use, configurable retention, and practical support for privacy compliance rather than broad, vague privacy claims.