始める
Security & Data Protection

Security & Data Protection

How ResReader protects your data

Last Updated: July 2026

ResReader is built for teams that hire across Europe, where protecting candidate data is a requirement, not an afterthought. This page summarises how we handle and protect data. For the full detail, see our Privacy Policy and Sub-processors list.

Where your data lives

Application data is hosted on Google Cloud Platform / Firebase. Some processing is performed by AI providers in the United States; where a provider offers EU data residency we prefer the EU region. All such transfers are covered by Standard Contractual Clauses (see “International transfers” below).

Encryption & access control

• Data is encrypted in transit (TLS) and at rest using our cloud providers’ managed encryption.

• Access to production data is restricted to authorised personnel on a need-to-know basis.

• Database and storage access is governed by security rules and role-based permissions.

Sub-processors

We use a short list of vetted third-party providers to run the service. Every one is bound by a Data Processing Agreement (DPA) with Standard Contractual Clauses, and none of our AI providers train their models on customer data. The current list, including what each provider receives and where it is located, is published at https://resreader.com/en/subprocessors

AI transparency & human oversight

Our AI produces match scores and summaries to support screening. These are decision-support tools — final hiring decisions are made by a human, and customers are instructed not to reject candidates automatically. Scores are accompanied by reasoning so reviewers can interpret and override them. We do not use biometric emotion recognition.

GDPR

When a customer uses ResReader to process candidate data, the customer is the data controller and ResReader is the processor. We make a Data Processing Agreement available to customers, maintain a record of processing, and support data-subject requests (access, correction, deletion, export, restriction, objection). Candidates and customers can contact us at support@resreader.com.

EU AI Act

AI used in recruitment is treated as “high-risk” under the EU AI Act. We are building toward its requirements — human oversight, transparency, logging and documentation — ahead of the high-risk obligations’ application date (2 December 2027 under the current timeline). We already avoid prohibited practices such as workplace emotion recognition.

International transfers

Because some providers are US-based, personal data may be transferred outside the EEA/UK. Each transfer relies on the EU Standard Contractual Clauses (and the EU–US Data Privacy Framework where applicable), together with appropriate technical and organisational safeguards.

Data retention & deletion

Users can delete their account and associated data at any time; deletion cascades to file storage and our search index. We retain personal data only as long as needed to provide the service or as required by law.

Request our DPA

Enterprise and EU customers can request our Data Processing Agreement and sub-processor notifications by emailing support@resreader.com. This page is provided for transparency and does not by itself constitute a contract.