EU AI Act (high-risk recruiting)
ReadyEffective Aug 2026. DPIA, human-review right, and decision-log retention all live.
Trust & compliance
How Hirona handles your data.
Every AI decision is logged, every subprocessor is listed, every region is pinned. What your legal + security teams need on one page.
Where your data physically lives.
GDPR Art. 28(2) requires 30 days notice before adding or removing any of these. Subscribe at subprocessors@hirona.ai.
- Vendor
- OpenAI
- Purpose
- LLM inference (HIGH / FAST tiers)
- Data categories
- Interview transcripts, resumes, evaluations
- Data location
- US; EU via Azure mirror
- Transfer
- SCC + customer consent
- Vendor
- Anthropic
- Purpose
- LLM inference (backup / specialty)
- Data categories
- Interview transcripts, resumes
- Data location
- US; EU via AWS Bedrock mirror
- Transfer
- SCC + customer consent
- Vendor
- Google (Vertex AI)
- Purpose
- LLM inference (Gemini tier)
- Data categories
- Interview transcripts, resumes
- Data location
- Multi-region (tenant-pinned)
- Transfer
- GCP DPA
- Vendor
- Microsoft (Azure OpenAI)
- Purpose
- EU-pinned LLM inference
- Data categories
- Interview transcripts, resumes
- Data location
- europe-west — EU
- Transfer
- SCC (Azure DPA)
- Vendor
- Clerk
- Purpose
- Identity provider (MVP)
- Data categories
- Email, name, Hirona roles
- Data location
- US
- Transfer
- SCC
- Vendor
- Stripe
- Purpose
- Billing, metered usage, tax
- Data categories
- Company billing address, tax IDs, card-last4
- Data location
- US; irreversibly pseudonymised at Stripe
- Transfer
- SCC (Stripe DPA)
- Vendor
- Google Cloud Platform
- Purpose
- Compute, Cloud SQL, GCS, KMS
- Data categories
- All tenant + candidate data
- Data location
- Per tenant region
- Transfer
- GCP DPA
- Vendor
- Sentry
- Purpose
- Error tracking
- Data categories
- Stack traces, redacted request context
- Data location
- US / EU selectable
- Transfer
- SCC
Regulations we build to.
NYC Local Law 144
LiveAnnual independent bias audit; AEDT candidate notice on every rejected outcome.
Illinois AIVIA
LiveAutomated-decision notice for IL candidates; ZIP + proxy-variable guards in the bias-audit pipeline.
GDPR (Art. 22 + 28)
LiveRight to human review, subprocessor change notification, erasure cascade across all systems.
Singapore PDPA + WFA
LiveStaging pinned to asia-southeast1. Candidate consent per WFA recruitment guidelines.
Colorado CAIA
ReadyDeployer registration + impact assessment template available on request.
SOC2 Type I
In prepControls evidence collection underway; Type II audit underway.
Receipts, not promises
Compliance, written down — not just on the slide deck.
What your auditors will check: which frameworks we map to, how long we keep the trail, what fraction of decisions ship with provenance, and how many vendors touch the data.
- 7
- Regulatory frameworks mapped
- 7yr
- Audit replay retention
- 100%
- AI decisions logged with provenance
- 8
- Subprocessors listed (DPA-bound)
Tenant data lives in Singapore by default.
Cloud SQL, GCS, and KMS keyrings are scoped to asia-southeast1. Cross-border transfer requires explicit candidate consent.
Singapore
asia-southeast1
PDPA + WFA aligned.
Ask our compliance team directly.
DPIA templates, DPA drafts, SOC2 control-mapping, bias audit samples — available on request to qualifying prospects.