Skip to content
Evalgist
Evalgist

Compliance

Procurement and AI Governance Pack

This pack gives procurement, privacy, security, and recruitment reviewers a consolidated description of Evalgist Shortlist. It supplements the Data Processing Agreement, Privacy Policy, Shortlist Terms, security information, and subprocessor register. Those documents control where their terms apply.

Shortlist is a private-pilot, AI-assisted document-evaluation service. It compares application documents with customer-defined criteria and presents scores, summaries, and literal quoted evidence for a human reviewer. It is not an applicant-tracking system and does not make or communicate a hiring, selection, or rejection decision.

GDPR Article 22

Evalgist Shortlist is designed for human-reviewed decision support. It compares application documents with customer-defined criteria and presents scores, summaries, and quoted evidence. It does not make or communicate hiring, selection, or rejection decisions. Customers must not use a Shortlist output as the sole basis for a decision that legally or similarly significantly affects a person. The customer remains responsible for its decision workflow, lawful basis, notices, and any assessment required under Article 22 GDPR.

Meaningful human oversight

A reviewer must be able to inspect the source document and quoted evidence, understand the stated criteria and the role of the output, identify obvious errors or missing context, disregard or override any score or recommendation, record a different assessment, and remain responsible for the final decision. A nominal click-through or routine acceptance of the output is not the intended workflow.

EU AI Act position

The EU AI Act lists AI systems used to analyse or filter job applications or evaluate candidates among the employment use cases that may be high-risk. Evalgist prepares Shortlist on that baseline. Evalgist develops and supplies the system; the customer selects the recruitment context and uses the system in its decision process. Final role and classification questions depend on the intended use and the applicable legal framework. Evalgist does not describe Shortlist or a customer's use as compliant by default.

A public-sector or public-service deployer may have additional assessment, registration, notice, logging, monitoring, and human-oversight duties when the relevant high-risk rules apply. The customer must evaluate those duties for its own use before deployment. Because the implementation timetable and guidance may change, customers should consult the European Commission's current AI Act implementation materials rather than rely on a fixed date in this document.

Processing and provider chain

Analysis uses Anthropic models, and scanned PDFs may use Mistral OCR. Both are routed through OpenRouter with zero-data-retention routing enabled. Shortlist stores product data in a dedicated Supabase project in Ireland and runs on Vercel. Clerk provides the shared Evalgist identity layer. PostHog provides bounded product analytics and Sentry provides error monitoring. Candidate content is excluded from product analytics and Sentry Session Replay is disabled. The subprocessor register identifies the complete current service chain, legal entities, purposes, locations, and privacy information.

Responsibility matrix

ActivityCustomerEvalgist BVSubprocessorCandidate or user
Shared account, authentication, product security, support, and direct billing administrationSupplies authorised-user details and manages who may act for itController for Evalgist's direct account, security, support, and billing purposesProcesses as contracted by EvalgistUser is the data subject for account data
Recruitment purpose, vacancy, criteria, lawful basis, notice, and final decisionController and decision ownerProcesses configured product inputs on customer instructions; does not choose the vacancy purpose or final decisionProcesses only in the service chainCandidate is the data subject; authorised users act for customer
Resume upload, parsing, OCR, analysis, evidence, ranking, notes, and result exportController; determines which documents and criteria enter the serviceProcessor for customer-provided candidate dataSubprocessor to Evalgist for the stated purposeCandidate is data subject; reviewer is authorised user
Product analytics and error monitoringReceives the published product configurationController for minimal service-operation telemetry; keeps candidate content out of analyticsPostHog and Sentry process the bounded telemetryUser may be data subject for account or workflow metadata
Candidate access, correction, objection, restriction, erasure, and explanation requestsPrimary rights-request and response ownerAssists the customer for Shortlist-held data and does not answer for the customer's decisionAssists through Evalgist where requiredCandidate sends request to customer unless directed otherwise
Security incident affecting customer candidate dataAssesses controller notifications to authority and data subjectsInvestigates as processor, preserves facts, notifies customer without undue delay, and supplies available updatesNotifies or assists Evalgist under its contractCandidate notification is the customer's decision unless law assigns otherwise
Shortlist deletion and end of serviceChooses deletion or return timing subject to law and policyExecutes product deletion and preserves only separately controlled financial, security, legal, or dispute records under an approved scheduleDeletes or expires data under its contractCandidate rights remain exercisable through customer

Retention schedule

The table states normal service periods. A documented legal dispute or security incident may require a separately controlled hold. Customer exports leave Evalgist's environment and follow the customer's policy.

RecordNormal period and triggerControl or qualification
Extracted resume textRemoved after terminal analysisInterrupted processing may retain text only until processing is completed, retried, or deleted.
Original uploaded resume filesUp to 14 days after uploadAvailable for recovery and support; customer deletion can remove them earlier. The daily purge reconciles orphaned storage objects.
Results, scores, quoted evidence, reviewer notes, and result metadataUntil the customer deletes the shortlist, candidate, or product dataCustomers should document and apply a period that covers their recruitment and appeal process without keeping records longer than needed.
Generated exportsGenerated on request; no separate server-side export file is retainedA downloaded copy follows the customer's retention policy.
Vacancy AI cache30 days from creationContains vacancy-derived criteria output only. Candidate or resume content is not cached. Daily bounded purge.
Rate-limit attempts24 hoursDaily cleanup.
Shortlist error logs90 daysBounded daily purge; a separate incident record may be held for an open matter. Candidate content is excluded by logging rules.
OCR request audit180 daysContains routing, status, timing, identifiers, and bounded error information, not extracted document text.
Admin audit log24 monthsBounded daily purge. Evidence required for an open security or legal matter is copied to a restricted record before ordinary expiry.
Refund reconciliationPending or retrying until resolved; resolved or abandoned rows for 7 years after resolutionContains billing identifiers and retry information, not resume text or model output.
Credit ledger, Stripe events, invoices, tax records, and Silvasoft mappings7 years after the applicable accounting periodKept separately for accounting, payment integrity, fraud handling, and legal obligations; not removed by ordinary product deletion.
Supabase database backups7 days under the current Shortlist and billing project planDaily backups; point-in-time recovery is not enabled. Database backups do not include Supabase Storage objects. Deleted database data expires as the oldest restorable backup ages out.
Vercel runtime logs1 day under the current Pro project configurationDeployment and build artifacts follow separate project lifecycle settings and do not contain uploaded candidate documents by design.
Sentry events30 days under the current Evalgist planEU-region ingest; Session Replay disabled.
Clerk account and session dataConfigured service lifecycle and account-deletion processShared Evalgist account data is separate from Shortlist product data. Under Clerk's DPA, remaining customer personal data is deleted within 90 days after termination of the Clerk service, subject to stated exceptions.
Support and privacy correspondence24 months after closureLonger only for a documented legal dispute or a financial record.

Vendor-period sources: Supabase database backups, Vercel runtime logs, Sentry event retention, and the Clerk DPA.

Candidate notice template

This is an adaptable operational template, not a complete notice for every customer or jurisdiction. The customer must complete every bracketed field and align the notice with its actual workflow.

Use of AI-assisted application review

[Customer legal name] uses Evalgist Shortlist to support the review of applications for [position or selection]. Shortlist compares the documents we provide with criteria defined by us and returns scores, summaries, and quoted evidence for our reviewers. It does not make or communicate the hiring or selection decision. Our authorised reviewers inspect the application and remain responsible for the decision. They can disregard or override any output.

We process [categories of application data] for [purposes] on the basis of [legal basis]. We obtained the data from [source]. [Customer legal name] is the controller. Evalgist BV processes the application documents for us, using Anthropic models for analysis and, for scanned PDFs, Mistral OCR. Both are routed through OpenRouter with zero-data-retention routing enabled. The current service-provider list is available at https://evalgist.ai/subprocessors.

Original files held in Shortlist are available for up to 14 days for recovery and are then deleted automatically. Extracted document text is deleted after analysis. We keep the evaluation results, quoted evidence, reviewer notes, and any copies we export for [customer retention period or criteria].

You may contact [customer privacy contact] about access, correction, objection, restriction, erasure, an explanation of our review process, or another data-protection question. You may also complain to [competent supervisory authority]. [Add any customer-specific information about automated decision-making, consequences, appeals, collective agreements, or public-sector duties.]

Required customer fields are the legal name, role and contact, position, data categories, purposes, legal basis, source, result and export retention, rights route, supervisory authority, local appeal route, and any automated-decision facts outside Shortlist.

DPA execution and review

The Data Processing Agreement is incorporated into the Shortlist Terms. Acceptance records the user, current Terms version, and time; the user affirms authority to accept for the customer. A material DPA change requires a new Terms version and renewed acceptance. Institutional customers may request a countersigned copy or discuss a written amendment through privacy@evalgist.ai.

Questions? Email privacy@evalgist.ai.

Last updated 2026-07-19