DPIA Support Pack for Controllers
Nova acts as Processor. The Controller conducts the DPIA. This pack provides Controller-ready input.
1. Description of processing
- Purpose: decision support for recruitment
- Operations: parsing resumes, producing explanations and scores, search and rediscovery
- Data subjects: job candidates and Controller users
- Sources: Controller ATS via API or webhooks, limited inputs in Nova
2. Data categories
- Candidate CV and application content
- Nova-generated assessments and explanations
- Job data from ATS
- User account data
3. Special categories
- Not intentionally collected
- May appear in resume free text
- Controller must establish an Article 9 basis if present
4. Necessity and proportionality
- ATS-only boundary
- Minimal required fields for scoring and explainability
- Human-in-the-loop at all decision points
- No fully automated decisions
5. Risks identified
- Unintended bias in model outputs
- Unauthorized access to candidate data
- Cross-border transfer exposure
- Provider retention exposure at AI inference layer
6. Mitigations
- Explainability with resume citations
- Quarterly bias deltas where lawful
- Access controls and audit logs
- Encryption in transit and at rest
- Sub-processor SCCs and UK IDTA
- Zero Data Retention configured for Vertex AI
- Option to enable Zero Data Retention with OpenAI
7. Residual risk and monitoring
- Residual risk rated low for intended use
- Post-market monitoring covers model health, accuracy thresholds, bias deltas, and user feedback
- Incident response includes 48-hour customer notice upon becoming aware of a Personal Data Breach
8. Transfers
- Primary hosting in AWS eu-west-2 London
- AI inference providers as listed in the Sub-Processors page
- Transfer mechanisms in DPA Annex IV
9. Deletion and backups
- Export window 30 days after termination
- Deletion within 56 days after termination
- Backups: RDS 35 days, OpenSearch 14 days by default