Security & compliance
GlobalMatch processes sensitive employment data and runs AI that the EU classifies as high-risk. This page explains, in plain English, how we comply with the GDPR and the EU AI Act — and what your rights are when you interact with us.
All processing happens in the EU. No transfers to third countries.
Data minimisation, purpose limitation, and Art. 25 privacy by design from day one.
We treat the hiring AI as Annex III high-risk and meet the corresponding obligations.
GDPR — General Data Protection Regulation
We are the controller for our marketing site (this page, signup forms, founder communications). For candidate processing inside our product, the hiring company is the controller and we are the processor under a DPA (Art. 28). Both relationships are governed by the GDPR.
Lawful basis
Early-access signups: consent (Art. 6(1)(a)). Candidate evaluation in the product: the employer, as controller, determines the lawful basis; in practice this is steps taken at the candidate's request before entering an employment contract (Art. 6(1)(b)) and/or the employer's legitimate interest (Art. 6(1)(f)), with strict purpose limitation. We never repurpose candidate data outside the hiring decision.
What we collect
From this site: your name, email, optional company or target role, locale, and submission source. From candidates inside the product: only what the employer requests — resume, structured interview answers, scoring artifacts. No biometric profiling, no inferred sensitive categories beyond what the candidate volunteers.
Retention
Marketing leads: retained until you unsubscribe or 24 months without activity, then deleted. Candidate data: deleted on the employer's instruction, with default retention windows set per role and configurable per workspace.
Processors
Resend (email delivery, EU region), Vercel (hosting, Frankfurt region for the landing), AWS (eu-central-1 for product data), and a small list of subprocessors maintained at /datenschutz. Each is covered by a Data Processing Agreement; where a subprocessor is established outside the EU, the EU Standard Contractual Clauses (SCCs) apply as the Art. 46 transfer safeguard.
Security
Encryption in transit (TLS 1.3) and at rest (AES-256). Least-privilege access. Annual penetration tests once we exit closed beta. Per-tenant isolation. Tamper-evident audit logs.
DPIA
We maintain a Data Protection Impact Assessment (Art. 35) for the AI-assisted screening workflow and share it with employers who need it for their own DPIA obligations.
EU AI Act — high-risk hiring AI
The EU AI Act (Regulation 2024/1689) classifies AI systems used in recruitment and selection as high-risk (Annex III, point 4). As a provider we meet — and as a deployer you receive — the following:
Risk-management system (Art. 9)
Documented risk register covering bias, hallucinated capabilities, data poisoning, and model degradation. Risks are re-assessed before every release and audited by an external reviewer annually.
Data governance (Art. 10)
Curated training and evaluation sets, documented provenance, and ongoing checks for representativeness and bias across age, gender, nationality, and disability where lawfully observable.
Technical documentation (Art. 11)
We maintain Annex IV technical documentation: system architecture, datasets, performance metrics, known limitations, and post-market monitoring. Available on request under NDA.
Logging (Art. 12)
Automated, tamper-evident logs of every model call: inputs, outputs, scoring rationale, human overrides. Retained for the duration of the hiring process and at least the six months the Act requires of providers and deployers (Art. 19 and Art. 26(6)), or longer where your supervisory authority or sector rules require.
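What "tamper-evident" means for the audit logs mentioned in the Security section and here, as an added illustration that is not GlobalMatch's code: each model-call record is hash-chained to the previous one and sealed with an HMAC under a key only the log writer holds, so editing a record, deleting one from the middle, or reordering entries breaks verification. The key, the record fields and the sample calls are constructed for the example. Note the caveat the demo makes explicit: cutting entries off the tail leaves an internally consistent chain, so the latest head hash has to be anchored out of band (for instance handed to the deployer with each export) for truncation to be detectable.

```python
"""Hash-chained, HMAC-sealed audit log for AI model calls (added example)."""
import copy
import hashlib
import hmac
import json
from typing import Any, Optional

GENESIS = "0" * 64  # "previous hash" of the very first entry


def _canonical(obj: dict[str, Any]) -> bytes:
    """Deterministic JSON so the same entry always hashes the same bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: list[dict], record: dict, key: bytes) -> dict:
    """Append one model-call record, chaining it to the previous entry.

    The hash covers the sequence number, the previous hash and the record.
    The seal is an HMAC over that hash with a key held by the log service,
    so someone who can edit storage but lacks the key cannot re-chain.
    """
    body = {
        "seq": len(log),
        "prev": log[-1]["hash"] if log else GENESIS,
        "record": record,
    }
    digest = hashlib.sha256(_canonical(body)).hexdigest()
    seal = hmac.new(key, digest.encode(), "sha256").hexdigest()
    entry = {**body, "hash": digest, "seal": seal}
    log.append(entry)
    return entry


def verify_log(log: list[dict], key: bytes,
               anchored_head: Optional[str] = None) -> tuple[bool, str]:
    """Walk the chain and return (ok, reason).

    anchored_head is the last hash published out of band; without it a
    truncated chain still verifies, because it is internally consistent.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["seq"] != i:
            return False, f"sequence gap at position {i}"
        if entry["prev"] != prev:
            return False, f"broken chain at seq {i}"
        body = {"seq": entry["seq"], "prev": entry["prev"], "record": entry["record"]}
        expected = hashlib.sha256(_canonical(body)).hexdigest()
        if not hmac.compare_digest(expected, entry["hash"]):
            return False, f"entry {i} modified"
        expected_seal = hmac.new(key, entry["hash"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected_seal, entry["seal"]):
            return False, f"entry {i} seal invalid"
        prev = entry["hash"]
    if anchored_head is not None and prev != anchored_head:
        return False, "log truncated: head does not match anchored head"
    return True, "ok"


def demo() -> dict[str, tuple[bool, str]]:
    """Build a small chain and show which manipulations verification catches."""
    key = b"constructed-log-signing-key"  # assumption: held only by the log service
    log: list[dict] = []
    # Constructed sample records; field names are assumptions, not the product's schema.
    calls = [
        {"call_id": "c-1", "model": "screen-v3", "input_ref": "blob:a1",
         "score": 0.71, "rationale": "matches 4/5 must-haves", "human_override": None},
        {"call_id": "c-2", "model": "screen-v3", "input_ref": "blob:b2",
         "score": 0.42, "rationale": "missing required certification", "human_override": None},
        {"call_id": "c-3", "model": "screen-v3", "input_ref": "blob:c3",
         "score": 0.55, "rationale": "partial match", "human_override": "advance: recruiter r-9"},
    ]
    for rec in calls:
        append_entry(log, rec, key)
    head = log[-1]["hash"]  # what the deployer would receive as the anchor

    results = {"intact": verify_log(log, key, head)}

    edited = copy.deepcopy(log)
    edited[1]["record"]["score"] = 0.95  # inflate a score in place
    results["edited_score"] = verify_log(edited, key, head)

    deleted = copy.deepcopy(log)
    del deleted[1]  # drop an inconvenient call from the middle
    results["deleted_middle"] = verify_log(deleted, key, head)

    truncated = copy.deepcopy(log[:-1])  # cut off the tail
    results["truncated_no_anchor"] = verify_log(truncated, key)
    results["truncated_anchored"] = verify_log(truncated, key, head)
    return results


if __name__ == "__main__":
    for name, (ok, reason) in demo().items():
        print(f"{name:22s} ok={ok} ({reason})")
```

Anchoring the head hash somewhere the log writer cannot rewrite (a deployer-side copy, a signed daily export, or an append-only store) is what turns an internally consistent chain into evidence; a verifier with only the key and the storage can still be fooled by truncation, as the last two results show.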
Transparency to deployers (Art. 13)
We provide a usage manual covering intended purpose, accuracy metrics, known biases, human oversight measures, and the technical and organisational measures needed on your side.
Human oversight (Art. 14)
Built into the product, not bolted on. Recruiters see structured evidence next to every score. Auto-rejection is technically disabled. Override and explanation are first-class flows.
Accuracy, robustness, cybersecurity (Art. 15)
Documented accuracy thresholds, model versioning, adversarial-prompt monitoring, and a coordinated vulnerability disclosure programme.
Deployer obligations (Art. 26)
We help you meet your own Art. 26 obligations: human oversight assignment, candidate information notices, fundamental-rights impact assessment templates, and monitoring guidance.
Fundamental-rights impact assessment (Art. 27)
Art. 27 requires an FRIA from public bodies, private operators providing public services, and deployers using high-risk AI for creditworthiness assessment or life and health insurance pricing (Annex III, point 5(b) and (c)). A private employer using GlobalMatch for hiring is not on that list, but the assessment is still a practical way to document your Art. 26 duties, so we provide a starter template aligned with the European Commission's guidance.
Your rights
If you signed up on this page, or if you've been evaluated by an employer using GlobalMatch, you have the rights below. For signups we are the controller and answer your request without undue delay and at the latest within one month (Art. 12(3); extendable by two further months for complex requests, with notice). For candidate data the employer is the controller and your point of contact; we assist them in answering your request (Art. 28(3)(e)) and will direct you to them if you write to us first.
- Right of access (Art. 15) — get a copy of everything we hold on you.
- Right to rectification (Art. 16) — correct anything that's wrong.
- Right to erasure (Art. 17) — be forgotten, subject to legal retention.
- Right to restriction (Art. 18) — pause processing while we resolve a dispute.
- Right to portability (Art. 20) — export your data in a machine-readable format.
- Right to object (Art. 21) — including objecting to processing based on legitimate interest.
- Right not to be subject to a solely automated decision (Art. 22) — guaranteed by the product, regardless of which employer you talk to.
- Right to a meaningful explanation of any AI-assisted decision that affects you (AI Act Art. 86).
Email dpo@globalmatch.tech (TODO — replace with the real DPO contact). You can also lodge a complaint with the Berlin Commissioner for Data Protection (BlnBDI) or your local supervisory authority.
This page is informational. It is not legal advice and does not substitute for the formal Datenschutzerklärung at /datenschutz or our Data Processing Agreement, which together govern any contractual relationship.