We're in the process of implementing our readiness programme across Codility. 

Codility is implementing technical and organisational measures to be fully compliant with GDPR by May 25th, 2018.

This involves: 

  • Conducting a gap analysis
  • Planning policy and technical changes, specifically around data access, management and portability
  • Reviewing our contract commitments with our customers and existing vendors

Current State: 

  • Data is stored in the United States with AWS in North Virginia
  • This is permitted under GDPR thanks to the AWS Data Processing Agreement (read about the AWS EU Data Protection here)
  • Data is stored in backups and we delete data from our database by request. 

Planned Changes:

  • In 2018 we will be offering data storage in the EU, most likely with AWS in Frankfurt.
  • Data will be stored for the duration of contracted period with our client, and a grace period thereafter. 
  • Data backups will include personal information for 3 months. 
  • Data logs will be retained for 2 year.
  • We will delete data by request. 

GDPR specifies two possible roles for a company with regards to Personal Data: a Controller and a Processor (on behalf of a Controller). Codility is both, depending on how it is used.

What personal data is processed by Codility on behalf of customers?

When candidates take a test run by a Codility customer, we store their:

  • email address
  • first and last name
  • a log of IP addresses they use during tests
  • potentially, at recruiter’s discretion: last school attended, academic degree, major, programming experience, and a link to profile (GitHub, LinkedIn, etc) 

If you are an employee of a Codility customer, or otherwise use Codility on their behalf, we store your name and email address.


Codility gathers and stores logs for the purposes of monitoring, debugging, and reacting to possible problems; in particular, we use them to make sure our verification process is fair and unbiased. Those logs may contain Personal Data, e.g. IP addresses. We keep them secure. In compliance with GDPR, it is planned to delete all log entries older than 2 years.

Compliance of our Subprocessors

To provide the best service to our customers we collaborate with a number of companies (e.g. AWS, Google Analytics, Intercom etc.). We are communicating with them to ensure full compliance in our entire network by May 25th.

We'll be sharing more detailed information regarding our progress.

Did this answer your question?