Compliance
Procurement and AI Governance Pack
This pack gives procurement, privacy, security, and recruitment reviewers a consolidated description of Evalgist Shortlist. It supplements the Data Processing Agreement, Privacy Policy, Shortlist Terms, security information, and subprocessor register. Those documents control where their terms apply.
Shortlist is a private-pilot, AI-assisted document-evaluation service. It compares application documents with customer-defined criteria and presents scores, summaries, and literal quoted evidence for a human reviewer. It is not an applicant-tracking system and does not make or communicate a hiring, selection, or rejection decision.
GDPR Article 22
Evalgist Shortlist is designed for human-reviewed decision support. It compares application documents with customer-defined criteria and presents scores, summaries, and quoted evidence. It does not make or communicate hiring, selection, or rejection decisions. Customers must not use a Shortlist output as the sole basis for a decision that legally or similarly significantly affects a person. The customer remains responsible for its decision workflow, lawful basis, notices, and any assessment required under Article 22 GDPR.
Meaningful human oversight
A reviewer must be able to inspect the source document and quoted evidence, understand the stated criteria and the role of the output, identify obvious errors or missing context, disregard or override any score or recommendation, record a different assessment, and remain responsible for the final decision. A nominal click-through or routine acceptance of the output is not the intended workflow.
EU AI Act position
The EU AI Act lists AI systems used to analyse or filter job applications or evaluate candidates among the employment use cases that may be high-risk. Evalgist prepares Shortlist on that baseline. Evalgist develops and supplies the system; the customer selects the recruitment context and uses the system in its decision process. Final role and classification questions depend on the intended use and the applicable legal framework. Evalgist does not describe Shortlist or a customer's use as compliant by default.
A public-sector or public-service deployer may have additional assessment, registration, notice, logging, monitoring, and human-oversight duties when the relevant high-risk rules apply. The customer must evaluate those duties for its own use before deployment. Because the implementation timetable and guidance may change, customers should consult the European Commission's current AI Act implementation materials rather than rely on a fixed date in this document.
Processing and provider chain
Analysis uses Anthropic models, and scanned PDFs may use Mistral OCR. Both are routed through OpenRouter with zero-data-retention routing enabled. Shortlist stores product data in a dedicated Supabase project in Ireland and runs on Vercel. Clerk provides the shared Evalgist identity layer. PostHog provides bounded product analytics and Sentry provides error monitoring. Candidate content is excluded from product analytics and Sentry Session Replay is disabled. The subprocessor register identifies the complete current service chain, legal entities, purposes, locations, and privacy information.
Responsibility matrix
| Activity | Customer | Evalgist BV | Subprocessor | Candidate or user |
|---|---|---|---|---|
| Shared account, authentication, product security, support, and direct billing administration | Supplies authorised-user details and manages who may act for it | Controller for Evalgist's direct account, security, support, and billing purposes | Processes as contracted by Evalgist | User is the data subject for account data |
| Recruitment purpose, vacancy, criteria, lawful basis, notice, and final decision | Controller and decision owner | Processes configured product inputs on customer instructions; does not choose the vacancy purpose or final decision | Processes only in the service chain | Candidate is the data subject; authorised users act for customer |
| Resume upload, parsing, OCR, analysis, evidence, ranking, notes, and result export | Controller; determines which documents and criteria enter the service | Processor for customer-provided candidate data | Subprocessor to Evalgist for the stated purpose | Candidate is data subject; reviewer is authorised user |
| Product analytics and error monitoring | Receives the published product configuration | Controller for minimal service-operation telemetry; keeps candidate content out of analytics | PostHog and Sentry process the bounded telemetry | User may be data subject for account or workflow metadata |
| Candidate access, correction, objection, restriction, erasure, and explanation requests | Primary rights-request and response owner | Assists the customer for Shortlist-held data and does not answer for the customer's decision | Assists through Evalgist where required | Candidate sends request to customer unless directed otherwise |
| Security incident affecting customer candidate data | Assesses controller notifications to authority and data subjects | Investigates as processor, preserves facts, notifies customer without undue delay, and supplies available updates | Notifies or assists Evalgist under its contract | Candidate notification is the customer's decision unless law assigns otherwise |
| Shortlist deletion and end of service | Chooses deletion or return timing subject to law and policy | Executes product deletion and preserves only separately controlled financial, security, legal, or dispute records under an approved schedule | Deletes or expires data under its contract | Candidate rights remain exercisable through customer |
Retention schedule
The table states normal service periods. A documented legal dispute or security incident may require a separately controlled hold. Customer exports leave Evalgist's environment and follow the customer's policy.
| Record | Normal period and trigger | Control or qualification |
|---|---|---|
| Extracted resume text | Removed after terminal analysis | Interrupted processing may retain text only until processing is completed, retried, or deleted. |
| Original uploaded resume files | Up to 14 days after upload | Available for recovery and support; customer deletion can remove them earlier. The daily purge reconciles orphaned storage objects. |
| Results, scores, quoted evidence, reviewer notes, and result metadata | Until the customer deletes the shortlist, candidate, or product data | Customers should document and apply a period that covers their recruitment and appeal process without keeping records longer than needed. |
| Generated exports | Generated on request; no separate server-side export file is retained | A downloaded copy follows the customer's retention policy. |
| Vacancy AI cache | 30 days from creation | Contains vacancy-derived criteria output only. Candidate or resume content is not cached. Daily bounded purge. |
| Rate-limit attempts | 24 hours | Daily cleanup. |
| Shortlist error logs | 90 days | Bounded daily purge; a separate incident record may be held for an open matter. Candidate content is excluded by logging rules. |
| OCR request audit | 180 days | Contains routing, status, timing, identifiers, and bounded error information, not extracted document text. |
| Admin audit log | 24 months | Bounded daily purge. Evidence required for an open security or legal matter is copied to a restricted record before ordinary expiry. |
| Refund reconciliation | Pending or retrying until resolved; resolved or abandoned rows for 7 years after resolution | Contains billing identifiers and retry information, not resume text or model output. |
| Credit ledger, Stripe events, invoices, tax records, and Silvasoft mappings | 7 years after the applicable accounting period | Kept separately for accounting, payment integrity, fraud handling, and legal obligations; not removed by ordinary product deletion. |
| Supabase database backups | 7 days under the current Shortlist and billing project plan | Daily backups; point-in-time recovery is not enabled. Database backups do not include Supabase Storage objects. Deleted database data expires as the oldest restorable backup ages out. |
| Vercel runtime logs | 1 day under the current Pro project configuration | Deployment and build artifacts follow separate project lifecycle settings and do not contain uploaded candidate documents by design. |
| Sentry events | 30 days under the current Evalgist plan | EU-region ingest; Session Replay disabled. |
| Clerk account and session data | Configured service lifecycle and account-deletion process | Shared Evalgist account data is separate from Shortlist product data. Under Clerk's DPA, remaining customer personal data is deleted within 90 days after termination of the Clerk service, subject to stated exceptions. |
| Support and privacy correspondence | 24 months after closure | Longer only for a documented legal dispute or a financial record. |
Vendor-period sources: Supabase database backups, Vercel runtime logs, Sentry event retention, and the Clerk DPA.
Candidate notice template
This is an adaptable operational template, not a complete notice for every customer or jurisdiction. The customer must complete every bracketed field and align the notice with its actual workflow.
Use of AI-assisted application review
[Customer legal name] uses Evalgist Shortlist to support the review of applications for [position or selection]. Shortlist compares the documents we provide with criteria defined by us and returns scores, summaries, and quoted evidence for our reviewers. It does not make or communicate the hiring or selection decision. Our authorised reviewers inspect the application and remain responsible for the decision. They can disregard or override any output.
We process [categories of application data] for [purposes] on the basis of [legal basis]. We obtained the data from [source]. [Customer legal name] is the controller. Evalgist BV processes the application documents for us, using Anthropic models for analysis and, for scanned PDFs, Mistral OCR. Both are routed through OpenRouter with zero-data-retention routing enabled. The current service-provider list is available at https://evalgist.ai/subprocessors.
Original files held in Shortlist are available for up to 14 days for recovery and are then deleted automatically. Extracted document text is deleted after analysis. We keep the evaluation results, quoted evidence, reviewer notes, and any copies we export for [customer retention period or criteria].
You may contact [customer privacy contact] about access, correction, objection, restriction, erasure, an explanation of our review process, or another data-protection question. You may also complain to [competent supervisory authority]. [Add any customer-specific information about automated decision-making, consequences, appeals, collective agreements, or public-sector duties.]
Required customer fields are the legal name, role and contact, position, data categories, purposes, legal basis, source, result and export retention, rights route, supervisory authority, local appeal route, and any automated-decision facts outside Shortlist.
DPA execution and review
The Data Processing Agreement is incorporated into the Shortlist Terms. Acceptance records the user, current Terms version, and time; the user affirms authority to accept for the customer. A material DPA change requires a new Terms version and renewed acceptance. Institutional customers may request a countersigned copy or discuss a written amendment through privacy@evalgist.ai.
Questions? Email privacy@evalgist.ai.
Last updated 2026-07-19