Responsible AI

Hirex is an AI-native applicant tracking system. AI is not a feature we added late. It sits at the centre of how the product works. That places real obligations on us, and real questions in front of our customers, candidates, and regulators. This page sets out, in plain terms, how we use AI, where the data goes, what we won't do, and how you stay in control.

If you are evaluating Hirex on behalf of a security or compliance team, the substantive answers you need are here. For more depth (model versions, transfer impact assessments, our DPIA), contact [email protected].

What we use AI for

Feature	What it does	Model provider
CV parsing	Extracts structured data (work history, education, skills, contact) from uploaded résumés	OpenAI or Google Gemini
Candidate match score	Scores how well a candidate fits a job's requirements	OpenAI, Anthropic
Evaluation summaries	Drafts a short summary of a candidate's profile against the job criteria	OpenAI, Anthropic
Content generation	Drafts job criteria, scorecard rubrics, and email content for the recruiter to edit	OpenAI, Anthropic
Video interview transcription	Speech-to-text on one-way video interview recordings, where this feature is enabled	Deepgram
Candidate sourcing	AI-assisted search for candidates across public professional profiles	Exa.ai

What we never do

We never automatically reject a candidate. Every rejection in Hirex requires an explicit human action.
We never make solely automated decisions about candidates within the meaning of Article 22 of the GDPR. Match scores, summaries, and rankings inform human decisions. They do not produce decisions on their own.
We never use customer or candidate data to train any AI provider's model. Provider contracts confirm this. Where the provider supports it, we operate on zero-retention enterprise tiers so that prompts and outputs are not retained by the provider beyond the immediate response.
We never share candidate data between customer tenants. Each tenant's data is logically isolated; enterprise tenants are physically isolated on dedicated infrastructure.
We do not engage in cross-context behavioural advertising or sell personal data under CCPA/CPRA.

Where AI processing happens

Hirex's production environment is hosted on AWS in the Ireland region (eu-west-1). Customer data at rest stays in the EU.

When a recruiter or candidate triggers an AI feature, the relevant data is sent to the AI provider for processing. Today, all four of our AI providers (OpenAI, Anthropic, Google, Deepgram) process data in the United States. These transfers are covered by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914, Module 2) and supplementary safeguards documented in our Transfer Impact Assessments, available to customers on request under NDA.

EU-resident endpoints exist on enterprise tiers from some providers (Anthropic, OpenAI, Google) and we evaluate moving to them on a per-customer basis where data residency is a contractual requirement. Contact us if EU residency for AI processing is a constraint on your deal.

EU AI Act posture

Hirex's CV scoring, match scoring, and video interview analysis fall under Annex III, Point 4 of the EU AI Act (Regulation (EU) 2024/1689): high-risk AI systems used in employment, workers management, and access to self-employment. We accept this classification.

Provider obligations for Annex III high-risk systems begin to apply on 2 August 2026. By that date, customers and Hirex jointly will need to satisfy:

Risk management system across the AI lifecycle. Hirex maintains one for the systems we build.
Data and data governance for training, validation, and testing of our model use. We use foundation models from third parties and do not train our own, but we document the data we send and the prompts we use.
Technical documentation: what each system does, its intended purpose, its limits.
Record-keeping: automated logging of AI actions, available to customers via audit log.
Transparency to deployers: this page is part of that.
Human oversight, built into every Hirex workflow. AI outputs are presented for human decision; nothing in Hirex produces a hire/reject outcome without a person clicking it.
Accuracy, robustness, cybersecurity: model evaluation, retry logic, prompt-injection defences.
Post-market monitoring: we track feature-level error rates, customer-reported issues, and regulatory developments.

As a deployer of upstream models (OpenAI, Anthropic, Google, Deepgram), we rely on the model providers to meet GPAI obligations under Articles 51-56 of the EU AI Act. We monitor their compliance posture and update sub-processors accordingly.

US state law posture

For customers hiring in the United States, the following state and city rules may apply. They are the customer's primary obligation, but Hirex assists with the documentation:

New York City Automated Employment Decision Tool (AEDT) rules (Local Law 144). If Hirex's match score or interview analysis is used to assist hiring for a NYC-based role, an annual independent bias audit and candidate notice are required. The customer must arrange the audit. Hirex provides the system documentation needed to support it.
Illinois Artificial Intelligence Video Interview Act. Use of Hirex's interview transcription on Illinois applicants triggers candidate notice and consent obligations on the customer.
Colorado AI Act (effective 1 February 2026), and similar laws in development in California, Texas, and other states. These impose obligations on deployers of high-risk AI in employment. Hirex provides the technical documentation customers need to meet them.

How AI decisions are presented

We believe AI scores without reasoning are a trust failure. Every match score and evaluation summary in Hirex is presented with the underlying reasoning: what the model considered, which CV evidence it weighted, what it could not assess. Recruiters can challenge or override any output without friction.

When a candidate is rejected, the rejection reason is recorded by the human recruiter, not by the AI. The audit log captures who made the decision, when, and with what AI information visible.

Bias and fairness

We take three positions on bias:

Anonymised screening is the default. During early-stage review, Hirex hides name, photo, address, age proxies, and other identifying features from the recruiter and from AI scoring. This is default behaviour, not a setting to configure.
We do not use protected characteristics as scoring inputs. Match scoring uses skills, experience, and stated requirements. We do not infer race, gender, age, religion, disability, or other Article 9 categories from CV content for use in scoring.
We test our scoring features for disparate impact before release and on an ongoing basis. Customers operating under bias-audit regimes (e.g., NYC AEDT) receive the technical documentation needed to commission their own audits.

Customer controls

Customers can:

Disable any AI feature at the tenant level. AI is opt-in for each customer; specific features can be turned off per-job or per-pipeline.
Set retention on AI-generated content (summaries, scores) separately from underlying candidate data.
Access a full audit log of AI actions in the tenant: what feature ran, when, on which candidate, who saw the output, what decision followed.
Export or delete AI-generated content alongside other candidate data.

Sub-processors used for AI

The AI providers we use are listed on our Sub-processors page along with all other sub-processors. We notify customers at least 30 days before changing AI providers.

Documentation available on request

Transfer Impact Assessment per non-EU AI provider
Data Protection Impact Assessment covering Hirex's AI processing
Technical documentation supporting EU AI Act provider obligations
AI feature inventory with version history
Bias-audit support pack for AEDT and similar regimes

Email [email protected].

Contact

AI questions, EU AI Act, bias audit support: [email protected] (Burak Yılmaz, Data Protection Officer)
Security: [email protected]
Privacy: [email protected]
Vulnerability disclosure: [email protected]