How is candidate data handled across borders?

Candidate data lives in an encrypted dataroom from the moment of upload, never moving via email attachments. Region-specific residency controls keep Indian operations data in India, European data in Europe, and so on. Every document is versioned, access controlled at the document level, and logged. Transmission is encrypted end to end, satisfying GDPR, DPDP Act 2023, CCPA, and sector-specific requirements for cross-border processing.

What encryption standards apply to verification data?

Documents are encrypted at rest using AES-256 with per-tenant keys, and in transit using TLS 1.3. Every document is individually encrypted, not just the storage volume. This contrasts with dashboard platforms that rely on HTTPS in transit but may not encrypt documents individually at rest. On OutsourceVerify's data protection maturity scale, encrypted datarooms score 95 percent versus 15 percent for email attachment workflows.

How long is verification data retained?

Retention policies are configured per client at onboarding (12 months, 24 months, or whatever the client's regulatory environment requires). When a document reaches expiry, the system deletes it automatically across all storage layers including primary, backup, and archive. Deletion is certified with a timestamped record confirming which documents were deleted, when, and under which policy. This makes GDPR or DPDP erasure requests operationally feasible rather than aspirational.

What access controls govern verification data?

Access is granular at the document level, not binary at the platform level. Permissions are role-scoped: the HR coordinator who initiated the case has different access from a compliance reviewer or a verification analyst. Every access event (view, download, share) is logged with user identity, timestamp, and document version. This satisfies GDPR Article 32 requirements that dashboard platforms with only platform-level logs cannot meet.

BGV Data Handling and Privacy

Key takeaways

! Email attachments and download links create uncontrolled copies of candidate PII with no visibility into who accessed what.

4 Four distinct data handling risks accumulate silently: unencrypted transmission, uncontrolled access, missing audit trails, and retention gaps.

✓ A secure dataroom with encryption, versioning, granular access, and automated retention eliminates all four risks structurally.

? Five specific questions can reveal whether your vendor treats candidate data as a controlled chain or a file transfer.

“Candidate data is a controlled chain, not a file transfer.” The difference, card 09, OutsourceVerify home page

The home page card is intentionally brief. This article is the complete version. The core argument is straightforward: every candidate document that passes through a background verification programme contains personally identifiable information (PII), often including identity numbers, addresses, salary records, and educational credentials. How that data moves, who can access it, and what trail it leaves behind is not a technical footnote. It is a compliance obligation and, increasingly, a regulatory exposure point.

What data handling means in BGV

In background verification, "data handling" covers every touchpoint where candidate information is collected, transmitted, stored, accessed, or deleted. That includes the initial document upload by the candidate, the transfer of those documents to the verification team, the storage of evidence collected from institutions, the assembly and delivery of the final report, and the eventual retention and deletion of all associated records.

In a dashboard driven model, these touchpoints are typically loosely coupled. Candidate documents arrive as email attachments. Verification evidence is shared via download links that may or may not expire. Reports are emailed as PDF attachments. Access controls, to the extent they exist, are role based at the platform level but not at the document level. There is rarely a unified audit trail showing who accessed which document, when, and from where.

In an operator led model, candidate data lives in an encrypted secure dataroom from the moment of upload. Every document is versioned. Every access event is logged. Transmission is encrypted end to end. Retention policies are automated and enforced. The dataroom is not an add on feature; it is the infrastructure through which all verification activity flows.

Why this matters now Data protection regulations (GDPR, DPDP Act 2023, CCPA, and sector specific rules in financial services and healthcare) increasingly require processors to demonstrate not just that they have policies, but that they have operational controls governing how personal data moves through their systems. "We use SSL" is no longer a sufficient answer. Regulators want to see access logs, retention enforcement, and encryption at rest.

Four data handling risks in background verification

Most data handling failures in BGV are not dramatic breaches. They are structural weaknesses that accumulate quietly and surface during audits, investigations, or regulatory enquiries. Click each card to see the detail and the real world consequence.

Risk 01

Unencrypted transmission

Candidate documents containing identity numbers, salary slips, and educational certificates are sent as email attachments or via unencrypted file sharing links. Even when the platform itself uses HTTPS, the moment a document leaves the platform as an email attachment, it travels through mail servers, is cached in inboxes, and may be forwarded without restriction. The document is now outside any access control boundary.

Real world consequence A single forwarded email containing a candidate's Aadhaar card, PAN, and salary slip creates an uncontrolled copy of sensitive PII. If that email is compromised (through inbox breach, device theft, or accidental forwarding), there is no mechanism to revoke access or even know the exposure occurred.

Risk 02

Uncontrolled access

On dashboard platforms, access controls are typically binary: a user either has access to the platform or does not. Document level permissions are rare. This means that any user with platform access can view, download, and export documents for any candidate in the system. There is no segregation between the HR coordinator who initiated the case and the finance team member who shares the same account tier.

Real world consequence During a GDPR subject access request, the data controller must demonstrate who accessed the candidate's personal data and why. If the platform cannot produce document level access logs, the controller's response is incomplete. Repeated failures of this kind attract regulatory attention and, in some jurisdictions, administrative fines.

Risk 03

Missing audit trail

An audit trail in data handling means a timestamped, immutable log of every action taken on a document: upload, view, download, share, modify, and delete. Most dashboard platforms log platform logins and case status changes, but not document level activity. The result is a gap: you know a case was opened and closed, but you cannot demonstrate the chain of custody for the underlying documents.

Real world consequence When a regulator or internal auditor asks "who accessed this candidate's identity documents between March and June?", the answer should be a timestamped log. If the answer is "we don't have that level of detail," the organisation's data governance posture is exposed. This gap is especially costly in regulated industries (financial services, healthcare, government contracting) where document chain of custody is a compliance requirement.

Risk 04

Retention policy gaps

Data protection regulations require that personal data is retained only for as long as necessary and then securely deleted. In practice, email attachments persist indefinitely in inboxes, sent folders, and backup archives. Download links may expire, but the downloaded files remain on local machines. Dashboard platforms themselves may retain candidate data long after the verification is complete, with no automated deletion schedule aligned to the client's retention policy or regulatory requirements.

Real world consequence A candidate exercises their right to erasure under GDPR or DPDP. The controller instructs the vendor to delete all records. The vendor deletes the case from the platform, but copies of the documents remain in email threads, local downloads, and backup tapes. The erasure is incomplete. If the regulator investigates, the controller cannot certify full deletion because the data handling architecture never supported it.

The data security spectrum

Not all data handling methods carry equal risk. The chart below shows data protection maturity across five common handling methods used in background verification, scored against encryption, access control, audit trail completeness, and retention enforcement. The range runs from basic email attachment workflows at the low end to fully encrypted, versioned datarooms at the high end.

Data protection maturity

Data protection maturity by handling method

Composite score across encryption, access control, audit trail, and retention enforcement. Higher is more mature.

Email attachment (no encryption)15%

15%

Shared drive with password28%

28%

Dashboard with download links42%

42%

Platform with role based access61%

61%

Encrypted dataroom (versioned, audited)95%

95%

Maturity scores are composite assessments based on OutsourceVerify's internal data governance framework, weighted equally across four dimensions: encryption (at rest and in transit), access granularity (platform vs document level), audit trail completeness (login vs document level), and retention automation (manual vs policy enforced). Assessed April 2026.

The jump from "platform with role based access" (61%) to "encrypted dataroom" (95%) is not incremental. It represents a structural shift: from treating documents as files that happen to live on a platform, to treating documents as controlled assets with their own lifecycle, permissions, and audit history. Most dashboard vendors sit in the 40% to 60% range. Most operator led programmes with dedicated datarooms sit above 85%.

Dashboard data handling vs operator data handling

The side by side below compares how candidate data moves through a typical dashboard driven vendor versus an operator led programme. Same candidate, same documents, same verification scope. Different infrastructure, different controls, different audit trail.

Dashboard model

Candidate uploads documents to a web form; files stored on shared infrastructure
Verification team accesses documents via platform login (no document level permissions)
Evidence and reports shared via email attachment or expiring download link
Access logs limited to platform login events, not document level activity
Retention managed manually or not enforced; email copies persist indefinitely
Encryption in transit (HTTPS) but documents at rest may not be encrypted individually

Operator model

Candidate uploads documents to encrypted dataroom; files encrypted at rest with per tenant keys
Verification specialists access documents via role and case level permissions, enforced per document
Reports delivered within the dataroom; no email attachments, no uncontrolled downloads
Full audit trail: every view, download, and share event logged with user, timestamp, and IP
Retention policies automated per client contract; deletion enforced and certified
Encryption at rest (AES 256) and in transit (TLS 1.3); documents individually encrypted

The hidden cost of email based data handling Every email attachment creates an uncontrolled copy. A single candidate's BGV process might generate 8 to 12 email attachments across the verification lifecycle: document submissions, institutional responses, interim updates, and the final report. Multiply by 500 candidates per month and the organisation has created 4,000 to 6,000 uncontrolled document copies per month, scattered across inboxes, sent folders, and local drives, with no centralised visibility or deletion capability.

What a secure dataroom actually provides

The term "secure dataroom" is sometimes used loosely. In an operator led BGV programme, it refers to a specific set of capabilities that collectively ensure candidate data is a controlled chain rather than a file transfer. These are the five capabilities that matter.

Encryption at rest and in transit

Every document is encrypted individually using AES 256 at rest, with per tenant encryption keys managed through a dedicated key management service. All data in transit is protected by TLS 1.3. This is not platform level encryption (where the server disk is encrypted but files are readable by anyone with server access). It is document level encryption, meaning that even a server compromise does not expose document contents without the corresponding tenant key.

Versioned documents

Every document in the dataroom is versioned. When a candidate uploads an updated salary slip, the original is preserved as version 1 and the new upload becomes version 2. Both versions are retained for the duration of the retention period. This matters for two reasons: it provides a complete documentary record if a discrepancy arises during verification, and it ensures that the evidence chain is tamper evident. No version can be silently overwritten or deleted.

Granular access controls

Access is enforced at three levels: tenant (which client organisation), case (which candidate), and document (which specific file). A verification specialist working on Candidate A cannot access documents belonging to Candidate B, even if both candidates are from the same client. Client HR can view reports but not raw source documents. The compliance team can access audit logs but not candidate PII directly. These permissions are enforced by the system, not by policy.

Full audit trail

Every action on every document is logged: upload, view, download, share, version update, permission change, and deletion. Each log entry includes the user identity, timestamp (UTC), IP address, action type, and the specific document affected. The audit log itself is immutable and stored separately from the document store. This means the audit trail survives even if the documents themselves are deleted under retention policy. When a regulator asks "who accessed this candidate's Aadhaar card on 14 March?", the answer is a single log query.

Automated retention and certified deletion

Retention policies are configured per client at onboarding: 12 months post verification, 24 months, or whatever the client's regulatory environment requires. When a document reaches its retention expiry, the system deletes it automatically across all storage layers (primary, backup, and archive). The deletion is certified: a timestamped record confirms which documents were deleted, when, and by which retention policy. This is the mechanism that makes erasure requests operationally feasible, rather than aspirational.

Three scenarios where data handling failures cause real damage

Data handling risks are abstract until they materialise. The three scenarios below illustrate how structural weaknesses in data handling create tangible, costly consequences. Each is drawn from real patterns observed across the industry (details altered for confidentiality).

Scenario 1: Data breach from email attachment

A verification coordinator's email account is compromised through a phishing attack. The attacker gains access to 14 months of sent mail, which includes hundreds of email attachments containing candidate identity documents, salary slips, and verification reports. Because the documents were transmitted as unencrypted email attachments, every candidate whose data passed through that inbox is now a potential breach victim.

The organisation must notify all affected candidates under GDPR Article 34 (or equivalent local regulation). The notification letter must explain what data was exposed, how it was exposed, and what measures the organisation has taken. The honest explanation is: "Your documents were sent as email attachments because that is how our verification vendor operates." The reputational cost, the regulatory scrutiny, and the candidate trust damage are borne entirely by the client organisation, not by the vendor.

In an operator led model with a secure dataroom, the coordinator never had email copies of candidate documents. Even if the email account were compromised, no candidate PII would be exposed because the documents never left the encrypted dataroom.

Scenario 2: GDPR investigation reveals no access logs

A candidate files a complaint with a data protection authority, alleging that their personal data was accessed by individuals who had no legitimate reason to view it. The authority opens an investigation and asks the data controller (the employer) to provide a complete access log for the candidate's documents: who viewed what, when, and for what purpose.

The employer contacts the BGV vendor. The vendor can confirm that the case was opened on a certain date and closed on another date. They can provide a list of users who had platform access during that period. But they cannot produce document level access logs because the platform does not track who viewed or downloaded individual files. The authority records this as a failure to implement appropriate technical measures under GDPR Article 32.

In an operator led model, the dataroom audit trail provides the exact answer: a timestamped log showing every user who accessed the candidate's documents, which documents they viewed, and when. The controller's response is complete, specific, and defensible.

Scenario 3: Client audit finds uncontrolled data copies

A multinational client conducts an annual third party risk management (TPRM) audit of their BGV vendor. The audit includes a data handling assessment. The auditor asks: "How many copies of candidate documents exist outside the primary platform, and where are they stored?"

The vendor cannot answer the question. Documents have been emailed to verification specialists, forwarded to institutional contacts for confirmation, and downloaded to local machines for report assembly. The vendor estimates that for every candidate, three to five uncontrolled copies of their documents exist across email threads, local drives, and shared folders. The auditor flags this as a material finding: the vendor cannot demonstrate control over candidate data at rest.

The client now faces a decision: accept the finding and document the compensating controls (of which there are few), require remediation within 90 days (which may require the vendor to rebuild their data handling infrastructure), or exit the vendor relationship and onboard a provider whose architecture prevents uncontrolled copies from being created in the first place.

Operator led data handling in practice

The comparison below shows how data handling differs at each stage of the verification lifecycle. The dashboard path reflects the typical workflow at vendors who rely on email and platform downloads. The operator path reflects the workflow when all activity is mediated through an encrypted dataroom.

Dashboard path

01Candidate emails documents to HR or uploads to a web form with basic SSL.

02HR forwards documents to vendor via email attachment.

03Vendor team downloads attachments to local machines for processing.

04Verification evidence collected and stored in team shared drives or personal folders.

05Final report emailed as PDF attachment to client HR.

06No automated retention. Documents persist across inboxes, drives, and backups indefinitely.

Operator path

01Candidate uploads documents directly to encrypted dataroom via secure link.

02Documents encrypted at rest with tenant specific keys. No email transmission.

03Verification specialist accesses documents within the dataroom. Every view logged.

04Institutional evidence uploaded to the same dataroom, versioned and linked to the case.

05Final report published in the dataroom. Client accesses via authenticated portal. No email attachment.

06Retention policy enforced automatically. Certified deletion at expiry across all storage layers.

The structural difference is not about adding security features to the same workflow. It is about designing a workflow where uncontrolled copies cannot be created. In the operator model, documents never leave the dataroom as email attachments. There is no "forward" button. Downloads are restricted by policy and logged when they occur. The security is architectural, not procedural.

Email attachments

Per candidate in the operator model

100%

Documents encrypted

At rest and in transit, per document

Every

Access event logged

User, timestamp, IP, action, document

Five questions about data handling and security

These questions surface how your BGV vendor actually handles candidate data, beyond what their security certifications claim. The answers reveal whether candidate data is treated as a controlled chain or as files that move freely between systems.

How are candidate documents transmitted between the candidate, your team, and us? Are email attachments used at any point in the process?
Can you produce a document level access log showing who viewed a specific candidate's files, when, and from which IP address?
What encryption standard do you use at rest, and is encryption applied at the platform level or at the individual document level?
How is data retention enforced? Is deletion automated by policy or manual? Can you certify that deletion is complete across all storage layers including backups?
If we conduct a TPRM audit, can you demonstrate that no uncontrolled copies of candidate documents exist outside your primary platform?

Want a scored version of these questions? Our TPRM self assessment includes a data handling section with pre scored answer options. It produces a maturity radar covering data protection alongside the other eight dimensions in this series. Takes about 10 minutes.

Frequently asked questions

What is a secure dataroom in the context of background verification?

A secure dataroom in BGV is an encrypted, access controlled document management environment where all candidate documents, verification evidence, and reports are stored throughout the verification lifecycle. Unlike a generic file sharing platform, a BGV dataroom enforces document level permissions (not just platform level access), maintains a full audit trail of every view, download, and share event, and applies automated retention policies that delete documents at the configured expiry date. The key distinction from a standard dashboard is that documents never need to leave the dataroom as email attachments or uncontrolled downloads.

Why are email attachments a data handling risk in BGV?

Email attachments create uncontrolled copies of candidate PII. Once a document is sent as an email attachment, it exists in the sender's outbox, the recipient's inbox, any forwarded copies, and potentially on backup servers. None of these copies are subject to the access controls, audit logging, or retention policies that the primary platform enforces. If any of these email accounts is compromised, the candidate's personal data is exposed. The organisation has no mechanism to revoke access to or delete an email attachment after it has been sent. For a typical BGV programme processing 500 candidates per month, email based handling can generate thousands of uncontrolled document copies monthly.

What is the difference between platform level and document level encryption?

Platform level encryption means the storage medium (disk, volume, or database) is encrypted, but individual files are readable by anyone with server or database access. This protects against physical theft of hardware but not against insider threats, compromised credentials, or application level vulnerabilities. Document level encryption means each file is encrypted individually with its own key (or a tenant specific key), so that even with server access, a file cannot be read without the corresponding decryption key. In a properly implemented dataroom, document level encryption ensures that a server compromise does not automatically expose candidate documents.

How does automated retention work in a secure dataroom?

Automated retention is configured at client onboarding. Each client specifies a retention period (for example, 12 months post verification or 24 months, depending on their regulatory requirements). When a document reaches its retention expiry, the system automatically deletes it across all storage layers: primary storage, redundant copies, and backup archives. The deletion is certified with a timestamped record confirming which documents were deleted, when, and under which retention policy. This is critical for regulatory compliance because it ensures erasure requests and retention obligations are enforced operationally, not left to manual processes that may be inconsistently followed.

Can a BGV vendor with ISO 27001 certification still have data handling weaknesses?

Yes. ISO 27001 certifies that the organisation has an information security management system (ISMS) in place, but it does not prescribe specific technical controls for data handling at the document level. A vendor can hold ISO 27001 while still transmitting candidate documents via email attachment, lacking document level access logs, and relying on manual retention processes. The certification confirms that policies and procedures exist and are reviewed; it does not guarantee that the operational architecture prevents uncontrolled copies, enforces granular access, or produces a complete audit trail. This is why TPRM audits increasingly go beyond certifications and assess the actual technical controls in the vendor's workflow.

What regulations require document level audit trails for candidate data?

While no single regulation explicitly mandates "document level audit trails" by that name, several regulatory frameworks require controls that are operationally equivalent. GDPR Article 32 requires "appropriate technical and organisational measures" to ensure data security, which supervisory authorities have interpreted to include access logging. GDPR Article 30 requires records of processing activities. India's DPDP Act 2023 requires data fiduciaries to implement "reasonable security safeguards." In regulated industries, sector specific rules add further requirements: financial services regulators in the EU, UK, and Singapore require demonstrable access controls and audit trails for personal data processed by third party service providers. In practice, a document level audit trail is the most straightforward way to satisfy all of these requirements simultaneously.

How does data handling affect candidate trust?

Candidates submit highly sensitive personal information during the verification process: identity documents, salary records, educational certificates, and sometimes medical or financial records. How that data is handled directly affects their willingness to participate and their perception of the employer's professionalism. When candidates upload documents to a secure, branded portal with clear privacy notices and visible security indicators, trust is reinforced. When candidates are asked to email sensitive documents to a generic vendor address, or when they discover their documents were forwarded to multiple parties, trust erodes. In competitive hiring markets, candidate experience during BGV is an employer branding consideration, and data handling is a significant component of that experience.

Does OutsourceVerify use email to transmit candidate documents?

No. All candidate documents, verification evidence, and final reports are handled exclusively within our encrypted secure dataroom. Candidates upload documents via a secure, authenticated portal link. Verification specialists access documents within the dataroom under case level permissions. Clients access reports within the same environment. No candidate PII is ever transmitted as an email attachment. Our audit trail captures every document level access event (view, download, permission change), and retention policies are enforced automatically per client configuration. When a document is deleted at retention expiry, the deletion is certified and logged. This architecture ensures that uncontrolled copies of candidate data are never created.

References & further reading

How We Operate : the operating methodology section on the home page, where this deep dive series originates.
Speed vs artificial closure (article 01) : the first article in this series, covering verification speed and closure mechanics.
Audit defensibility (article 03) : how the evidence chain behind each verification withstands regulatory scrutiny.
Technology (article 08) : the infrastructure and tooling differences between dashboard and operator architectures.
Compliance brief : audit trail, documentation, and the questions TPRM teams ask about data governance.
TPRM self assessment : pre scored vendor evaluation framework including the data handling questions above.
GDPR Article 32: Security of processing. Regulation (EU) 2016/679.
India Digital Personal Data Protection Act, 2023, Section 8: Obligations of Data Fiduciary.

Next Step

Audit how your verification data is handled.

Run the InfoSec readiness scorecard to test your vendor's data path and access controls, or review our security posture in full.

Run InfoSec Readiness Scorecard Review Security Posture