Nova — AI Act & Data Protection Note

Version: v2025-10 • Owner: CTO • Contact: andreas@dweet.com
Pairs with: Nova DPA (v2025-10).

1) Scope & Classification

Purpose: Nova provides decision-support for recruitment (candidate scoring, interview prompts, rediscovery).
Integration boundary: ATS-only. Personal data originates from the Controller’s ATS (API/webhooks) and user inputs in Nova. No HRIS, email, file storage, payroll integration or any other customer systems.
EU AI Act: High-risk (Annex III §4(a): employment). Nova does not make fully automated decisions; humans decide.

Controller: Customer (ATS owner). Processor: DWEET LTD (Nova).
Data subjects: job candidates; Controller users.
Categories (summary): CV/application data; Nova assessments/explanations; job data (non-personal); user account data.
Special categories: may appear in CV free-text; Controller is responsible for any Art. 9 basis.
Full details: DPA Annex I.

OpenAI (API): Customer data not used to train OpenAI models. OpenAI may retain inputs/outputs up to 30 days for abuse monitoring unless Zero Data Retention (ZDR) is enabled.
Google Cloud Vertex AI (Gemini): ZDR configured; no training on customer data.
Modal.com (PDF→Markdown): used without persistent volumes; Nova does not configure long-term storage.

Legal mechanisms for any non-EEA/UK processing are covered by SCCs (+ UK IDTA where applicable).
Transfer map (at a glance):

Flow	Purpose	Region(s)	Safeguards	Retention/Training
EU/UK → OpenAI (API)	prompts/excerpts, explanations	Primarily US	SCCs (+ IDTA)	No training; ≤30 days unless ZDR
EU/UK → Vertex (Gemini)	prompts/excerpts, embeddings	EU/US (per config)	SCCs (+ IDTA)	ZDR configured; no training
EU/UK → Modal	PDF→Markdown	US/EU	SCCs (provider)	No persistent volumes
EU/UK → OpenCage (opt-in)	geocoding	EU/adequacy	SCCs/adequacy	Provider policy
EU/UK → Proxycurl (opt-in)	LinkedIn enrichment	US/adequacy	SCCs/adequacy	Provider policy

TIA assistance: Nova provides provider posture, regions, safeguards, and configuration screenshots on request.
Full legal text: DPA §6 + Annex IV; Sub-processors page (15-day change notice).

Outputs are explanations + scores with resume citations; users can override/ignore.
No automated stage moves by default; any auto-action must be explicitly configured by the Controller and is reversible and logged.
Controllers remain responsible for lawful use and notices to candidates.

Risk management: ticketed register; inputs from incidents/changes/vendor onboarding/feedback; severity & SLA.
Data governance: ATS-only; minimal data; retention = delete-only within 56 days post-termination; backups (RDS 35d / OpenSearch 14d by default).
Record-keeping: explanations/assessment metadata, access logs, sub-processor notices.
Security/TOMs: encryption in transit/at rest; least privilege; presigned S3; OpenSearch policy; PII scrubbing; incident response.
Post-market monitoring: see §7.
Conformity approach: internal-control documentation (this note + DPA + evidence); update on material changes.
Sources for all of the above: DPA Annex II (TOMs) + evidence pack.

Signals: model I/O health (errors/timeouts/cost), explainability spot-checks, drift, quarterly bias deltas (where lawful), user feedback.
Triggers: accuracy/consistency drop beyond thresholds; material bias delta; privacy/security incident; provider setting regression (e.g., ZDR off).
Actions: triage ticket → contain/rollback/rotate; customer advisory for material risks; 48h breach notices where applicable; post-mortem ≤5 business days.