Scovai is designed with data protection at its core. This GDPR Policy outlines how we comply with the General Data Protection Regulation (EU) 2016/679 and describes the safeguards we implement to protect the rights of data subjects — particularly candidates whose personal data is processed through our AI-powered recruitment platform.
1. Our Role Under the GDPR
Scovai operates in two capacities depending on the context:
- Data Processor: When organisations (Tenants) use Scovai to manage their recruitment processes, we act as a data processor on behalf of the Tenant (the data controller). Processing is governed by a Data Processing Agreement (DPA).
- Data Controller: For our own website visitors, direct applicants to our talent pool, and account holders, we act as the data controller.
2. Data Protection by Design and Default
In accordance with GDPR Article 25, Scovai implements data protection by design and by default:
- Multi-tenant isolation: Each organisation's data is logically isolated. Users can only access data within their own tenant.
- Minimal data collection: We only collect data that is necessary for the recruitment functionality being used.
- Pseudonymisation: Vector embeddings used for semantic matching are not human-readable and cannot be reversed to reconstruct the original CV text.
- Access control: Role-based access control (RBAC) ensures that users only see data relevant to their role (Admin, Recruiter, or Candidate).
- Encryption: All data in transit is encrypted via TLS. Sensitive credentials are encrypted at rest using AES-256-CBC.
3. Consent Management
Scovai provides a built-in consent management system that:
- Records granular consent for specific processing purposes (CV parsing, AI scoring, psychometric assessment, interview participation, talent pool inclusion)
- Maintains a full audit trail of when consent was given, modified, or withdrawn
- Allows candidates to withdraw consent at any time through their profile
- Automatically restricts processing when consent is withdrawn
4. Automated Decision-Making Safeguards (Article 22)
Scovai uses AI for scoring, profiling, and assessment. We implement the following safeguards under Article 22(3):
4.1 No Solely Automated Decisions
The Platform is designed as a decision-support tool. AI outputs (scores, rankings, interview evaluations) are presented as recommendations to human recruiters, who retain full authority over hiring decisions.
4.2 Explainability
Every AI-generated score includes an Explainable AI (XAI) rationale that describes, in plain language, the factors that influenced the score. This includes:
- Which skills and qualifications contributed to the score
- What adjustments were applied and why
- How the candidate compares to position requirements
4.3 Right to Contest
Candidates can request human review of any AI-generated assessment or score through the Platform's compliance module. Tenants are notified and must respond to review requests within a reasonable timeframe.
4.4 Bias Monitoring
The Platform includes automatic bias monitoring that analyses AI scoring patterns for demographic disparities, including gender and age distribution across scores.
5. Data Subject Rights
Scovai supports the exercise of all GDPR data subject rights:
| Right | GDPR Article | How Scovai Supports It |
|---|---|---|
| Access | Art. 15 | Candidates can view all their data through their profile. Tenants can export candidate data via the compliance module. |
| Rectification | Art. 16 | Candidates can edit their profile data directly. Recruiters can update candidate information. |
| Erasure | Art. 17 | GDPR data export and deletion requests can be initiated through the compliance module with full audit logging. |
| Restriction | Art. 18 | Processing can be restricted on a per-candidate basis while disputes are resolved. |
| Portability | Art. 20 | Data can be exported in structured JSON format via the compliance module or API. |
| Objection | Art. 21 | Candidates can object to profiling and automated processing through their consent settings. |
| Automated decisions | Art. 22 | Human review requests can be submitted for any AI decision. See Section 4 above. |
6. Data Processing Agreements
All Tenant relationships are governed by a Data Processing Agreement (DPA) that specifies:
- The subject matter and duration of processing
- The nature and purpose of processing
- The types of personal data processed
- The categories of data subjects
- The obligations and rights of the controller and processor
- Sub-processor requirements and approval procedures
7. Data Breach Procedures
In the event of a personal data breach, Scovai will:
- Notify affected Tenants (data controllers) without undue delay and within 72 hours of becoming aware of the breach
- Provide detailed information about the breach, including the nature of the data affected, the likely consequences, and the measures taken to address it
- Assist Tenants in fulfilling their own notification obligations to supervisory authorities and data subjects
- Document all breaches in an internal breach register
8. Sub-Processors
Scovai minimises the use of sub-processors. Currently:
- AI processing: The majority of AI processing (CV parsing, scoring, assessments, interviews) runs on locally hosted infrastructure within the EEA. No candidate personal data is sent to external AI providers.
- Job description generation: Uses the Anthropic Claude API, but only position-related data (job titles, requirements) is sent — never candidate personal data.
- Infrastructure: All hosting infrastructure is located within the European Economic Area.
We will notify Tenants before engaging new sub-processors that handle personal data.
9. Data Retention and Deletion
Data retention periods are configured at the platform level and can be customised by Tenants within permitted ranges. Default retention periods are detailed in our Privacy Policy. Automated deletion processes run daily to remove data that has exceeded its retention period.
10. Contact the Data Protection Team
For GDPR-related enquiries, data subject requests, or to request a copy of our Data Processing Agreement:
Email: privacy@scovai.com