GDPR Compliance

How HireFace meets UK and EU GDPR requirements — article by article, covering recruiters, candidates, and hiring managers. Updated May 2026.

Overview

HireFace is used by UK-based recruiting consultants to collect video interviews from candidates. This means personal data — including video recordings, names, and contact details — is processed on behalf of UK and EU data subjects. Both the UK GDPR (retained post-Brexit) and EU GDPR apply depending on where the candidate is located.

Three parties, different GDPR roles:
Recruiter — Data Controller. Determines why and how candidate data is collected.
Candidate — Data Subject. The person whose data is being processed.
Hiring Manager / Client — Data Recipient. Receives access to video via a time-limited share link. Not a processor or controller within the HireFace system.

HireFace acts as a Data Processor — processing candidate data only on the recruiter's instructions, to deliver the video interview service. This relationship is formalised in the Data Processing Agreement published in our policies.

GDPR is principles-based — it does not mandate specific encryption algorithms or storage architectures. It requires measures appropriate to the risk and that you can demonstrate compliance. Both UK GDPR (retained post-Brexit under the Data Protection Act 2018) and EU GDPR apply to HireFace — UK GDPR governs processing of UK residents' data, EU GDPR governs EU residents' data. The obligations are substantively the same.

Applicable Articles

Applies
Article 5 — Data Processing Principles
Lawfulness · Fairness · Transparency · Purpose limitation · Data minimisation · Storage limitation · Integrity & confidentiality · Accountability

All six principles must be met for every processing activity. Here is how HireFace satisfies each:

  • Lawfulness, fairness, transparency: Candidates see a clear consent screen naming purpose, recipients, and retention before recording begins.
  • Purpose limitation: Video is collected for candidate evaluation only — never used for advertising, training AI models, or sold to third parties.
  • Data minimisation: Camera is active only while the candidate is answering a question. Resume content (Personalised mode) is processed transiently and never stored.
  • Storage limitation: Videos are automatically purged after 30 days (trial accounts) or 90 days (paid accounts). Recruiters can delete earlier on request.
  • Integrity and confidentiality: TLS in transit, AES-256 at rest (Cloudflare R2), no download option, access controls per recruiter account.
  • Accountability: DPA published, sub-processors named, breach response plan documented. Recruiters can contact HireFace via live chat for any data-related queries.
Recruiter
Responsible as Controller for ensuring their use of HireFace meets all six principles. The DPA in policies defines these obligations formally.
Candidate
Protected by all six principles. Their data is used only for the role they applied for, stored for up to 90 days, and is technically protected from download.
Hiring Manager
Receives access via a 7-day share link only. Cannot download, screen-record (policy restriction), or retain the video beyond what the recruiter authorises.
Applies
Article 6 — Lawful Basis for Processing
Requires one of six bases: consent, contract, legal obligation, vital interests, public task, legitimate interests

Candidates: Lawful basis is explicit consent (Article 6(1)(a)). Candidates must actively check a consent box naming the purpose, recipients, and 90-day retention before any recording begins. Consent can be withdrawn by closing the page before Submit.

Recruiters: Lawful basis is contract (Article 6(1)(b)) — processing their name and email is necessary to deliver the service they signed up for.

Recruiter
Has a contract-based lawful basis. By creating an account, they enter an agreement under which their contact data is processed to deliver the platform.
Candidate
Processing only begins after explicit, informed consent. No recording occurs before the checkbox is ticked. Consent is recorded at the session level.
Hiring Manager
Receives a share link from the recruiter. The recruiter's legitimate interest in sharing shortlisted candidates with their client covers this — no separate consent from the hiring manager is needed.
Applies
Article 7 — Conditions for Consent
Must be freely given, specific, informed, unambiguous, and withdrawable

The candidate consent screen names: the purpose (video screening for a specific role), the recipient (the recruiting agency and their client), the retention period (up to 90 days), and the right to withdraw before submitting. Consent is a separate checkbox — not bundled into terms of service. Candidates can withdraw at any time before clicking Submit by closing the page.

Post-submission withdrawal: Candidates are informed on the thank-you page that they can request early deletion by replying to the invitation email. The recruiter can execute this deletion from their dashboard immediately.

Applies
Articles 13 & 14 — Transparency & Privacy Notice
Candidates must be informed at the point of data collection

Transparency is delivered at three points:

  • Consent screen — before recording begins: purpose, recipients, retention period, right to withdraw.
  • Thank-you page — after submission: Video retention notice, no download, early deletion process.
  • Policies page — full candidate consent and privacy section at hireface.in/policies.html#candidate.

Recruiters are informed via the Recruiting Agency Agreement and DPA at sign-up.

Applies
Articles 15–22 — Data Subject Rights
Access · Rectification · Erasure · Restriction · Portability · Objection

Candidates exercise their rights by contacting the Data Controller — the recruiting agency that sent them the interview link. HireFace is the Processor; we provide recruiters with the tools to fulfil requests, but the legal obligation to respond within one month sits with the recruiter. Candidates should reply to their invitation email, which contains the recruiter's contact details.

RightCandidate contactsRecruiter fulfils viaStatus
Access (Art. 15)Reply to interview invitation emailCandidate Data Requests → search by email → Copy Data Summary (plain-text record of all data held — paste into reply email)✓ Met
Rectification (Art. 16)Reply to interview invitation emailCandidate Data Requests → search → Edit Name / Email (updates across all records)✓ Met
Erasure (Art. 17)Reply to interview invitation emailCandidate Data Requests → search → Delete Personal Data (removes name, contact, deletes video across all records). Auto-purge runs at 30 days (trial) or 90 days (paid) regardless.✓ Met
Restriction (Art. 18)Reply to interview invitation emailRecruiter can hide the candidate from active view. Full processing freeze is a manual arrangement between candidate and recruiter — no automated lock exists.⚠ Partial
Portability (Art. 20)Reply to interview invitation emailCandidate Data RequestsCopy Data Summary provides structured plain-text data. Videos are stream-only — portability does not extend to recordings under Art. 20(3).✓ Met
Objection (Art. 21)Reply to interview invitation emailCandidate Data RequestsDelete Personal Data. Pre-submission: candidate can withdraw consent by closing the page at any time before clicking Submit.✓ Met
All candidate rights requests go to the recruiter — not to HireFace. Candidates should reply to their interview invitation email, which contains the recruiter's contact details. The recruiter (Data Controller) is legally responsible for responding within one month. HireFace (Processor) provides the tooling above to enable recruiters to fulfil requests.
Applies
Article 25 — Privacy by Design & Default
Data protection built into the system architecture, not added on top

Privacy-by-design decisions embedded in the platform:

  • Camera access requested only during the recording window — not on page load.
  • Resume content (Personalised mode) processed transiently in-flight; never written to storage.
  • Videos stream via a Worker proxy — no direct R2 URL is ever exposed to the browser.
  • Share links are time-limited (7 days) by design — hiring managers cannot hold permanent access.
  • No download option on the video player — enforced both technically (no download attribute, no direct URL) and by policy.
  • Auto-purge runs as a scheduled daily job (30 days for trial accounts, 90 days for paid accounts) — no human action required for deletion.
  • Candidate contact details obfuscated as internal identifiers for group link participants who haven't provided an email.
Applies
Article 28 — Controller–Processor Contract (DPA)
Requires a written contract between Controller (recruiter) and Processor (HireFace)

A full Data Processing Agreement is published at policies.html#dpa. At sign-up, recruiters must check a mandatory confirmation box stating they agree to the DPA and acknowledge their role as Data Controller before the Google sign-in button becomes active. This constitutes a written agreement for the purposes of Article 28.

Recruiter
Explicitly agrees to the DPA and acknowledges their Data Controller role via a mandatory checkbox at account creation — before any access is granted. This satisfies the written contract requirement under UK/EU GDPR Art. 28.
Candidate
Protected by the DPA obligations HireFace owes to the recruiter — including security, breach notification, and deletion guarantees.
Hiring Manager
Not party to the DPA. The recruiter is responsible for ensuring their client handles any data received (e.g., notes taken while watching) in line with applicable law.
Applies
Article 32 — Security of Processing
Appropriate technical and organisational measures — encryption, pseudonymisation, resilience, testing

Article 32 does not mandate specific encryption standards (that is HIPAA's approach). It requires measures appropriate to the risk. HireFace exceeds the implicit standard:

MeasureImplementation
Encryption in transitHTTPS/TLS enforced on all endpoints via Cloudflare. No plain HTTP.
Encryption at restCloudflare R2 encrypts all stored objects with AES-256. D1 (SQLite) and KV also encrypted at rest by default.
Access controlEach recruiter accesses only their own data. No cross-account data leakage by design. Authentication via Google OAuth only — no passwords stored by HireFace.
No direct storage URLsVideos are never served directly from R2. All access goes through an authenticated Worker proxy — preventing URL guessing or hotlinking.
Time-limited tokensUpload tokens expire in 1 hour. Share links expire in 7 days. Both enforced via KV TTL.
Data minimisationOnly data required to deliver the service is collected. No tracking pixels, no behavioural profiling of candidates.
ResilienceCloudflare global infrastructure with regional data residency. R2 EU jurisdiction ensures video data stays in the EU.
Article 32(1)(a) lists encryption as an example appropriate measure — it does not mandate a specific cipher. HireFace uses AES-256 at rest (Cloudflare R2 and D1 default) and TLS in transit on all endpoints. Video is never served via a direct storage URL — all access is proxied through an authenticated Worker. These measures satisfy the "appropriate to the risk" standard for the type of data processed (video interviews, names, contact details).
Applies
Articles 33 & 34 — Data Breach Notification
72-hour notification to supervisory authority (ICO for UK) · Notification to affected individuals if high risk

Article 33 requires the processor (HireFace) to notify the controller (recruiter) without undue delay after becoming aware of a breach. The recruiter must then notify the ICO within 72 hours if the breach poses a risk to individuals.

Article 34 requires notification to affected data subjects (candidates) if the breach is likely to result in high risk to their rights.

HireFace has a documented breach response plan. The DPA formally commits HireFace to notifying recruiters without undue delay after discovering a breach.

Recruiter
Notified by HireFace immediately upon breach discovery. As Controller, you are then responsible for notifying the ICO within 72 hours if the risk threshold is met, and notifying affected candidates if high risk.
Candidate
Under Art. 34, the Data Controller (recruiter) is responsible for notifying affected candidates of high-risk breaches. HireFace will provide the recruiter with all information needed to do so.
Hiring Manager
Not directly in the notification chain. The recruiter is responsible for informing their client if the breach affects data the client received.
Applies
Articles 44–49 — International Data Transfers
Transfers outside UK/EEA require adequate safeguards (adequacy decision, SCCs, BCRs)
Sub-processorData transferredSafeguard
Cloudflare R2 (EU jurisdiction)Candidate videos, metadataStored within EU — no transfer outside EEA/UK
Cloudflare D1 / KV / WorkersAccount data, tokens, interview recordsStandard Contractual Clauses (SCCs)
Google LLCRecruiter authentication (OAuth)SCCs · EU-US Data Privacy Framework
Crisp IM SARLRecruiter support chat (recruiter-facing only)SCCs · EU-based company (France)
Dodo PaymentsPayment processingNo candidate data transferred

Candidate video recordings and personal data are stored in Cloudflare's EU jurisdiction R2 bucket — they do not leave the EEA. Other processing (authentication, support) uses SCCs as the transfer mechanism.

Not Applicable — and Why

These GDPR articles do not apply to HireFace's current processing activities. Where the reason is a deliberate design decision, that is noted.

Not Applicable
Article 9 — Special Category Data (Biometric Processing)
Applies only when data is processed to uniquely identify a natural person using biometric means

Video recordings are personal data, but they only become biometric data under Article 9 when processed for the purpose of uniquely identifying a person using technical means — e.g., facial recognition, voiceprint matching, or gait analysis.

HireFace does not perform any biometric analysis on video recordings. Videos are stored and streamed for human review only. No AI processing of the video content takes place. Therefore Article 9 does not apply.

Important: If HireFace were to add any feature that analyses the video content (e.g., emotion detection, speaking pace scoring, facial expression analysis), Article 9 would immediately apply and require an explicit legal basis from Article 9(2) — most likely explicit consent or substantial public interest.

Not Applicable
Article 10 — Criminal Conviction Data
Applies only to processing of data relating to criminal convictions and offences

HireFace does not collect, process, or store any data relating to criminal convictions or offences. No DBS check or background screening data passes through the platform. Not applicable.

Not Applicable
Article 22 — Automated Decision-Making & Profiling
Applies when decisions with legal or similarly significant effects are made solely by automated means

Article 22 applies only when automated processing produces a decision that significantly affects a person with no human in the loop.

HireFace's AI generates interview questions and (in Personalised mode) assesses whether a resume matches a role. However:

  • The AI question generation does not affect the candidate — it only determines what questions they are asked, not whether they proceed.
  • The resume no-match outcome (Personalised mode) does terminate the session, but this is clearly disclosed in advance and the candidate can choose not to submit — it is not a hiring decision.
  • All actual hiring decisions are made by the recruiter and hiring manager — humans reviewing the video and choosing to shortlist or reject.

Therefore Article 22 does not apply. If a future feature scored candidates automatically and excluded them based on that score without human review, Article 22 would apply.

Under Review
Article 27 — EU/UK Representative
Required for non-EU/UK organisations processing EU/UK resident data, unless processing is occasional and low-risk

HireFace is based in India and processes data of UK/EU residents (candidates). Article 27 requires a named representative in the UK or EU unless the processing is occasional and does not include large-scale processing of special category data or data likely to result in risk to individuals' rights.

During beta with a small number of UK recruiters, the occasional processing exception likely applies. Before scaling beyond beta or onboarding enterprise clients, a formal EU/UK representative should be appointed. This can be done via services like GDPR-Rep.eu for approximately €200/year.

Current status: Article 27 compliance is a pre-launch action item to be addressed before scaling beyond beta.

Technical & Security Measures

GDPR does not require ISO 27001 certification, penetration testing, or specific encryption cipher suites. It requires measures appropriate to the risk and the ability to demonstrate them. The measures below satisfy Article 32 and are documented here for that purpose.

Access & Authentication

Video Storage & Access

Token & Link Security

Candidate Data Minimisation

Deletion & Purge

Data Storage & Residency

Data TypeStorage LayerLocationRetentionEncrypted at Rest
Candidate video recordings Cloudflare R2 (EU jurisdiction) European Union 30 days (trial) / 90 days (paid), then auto-purged Yes — AES-256
Candidate name, contact, submission status Cloudflare D1 (SQLite) Global (SCCs apply) Until account deleted or purge cycle (30/90 days) Yes — Cloudflare default
Resume content (Personalised mode) Not stored Session only (transient) N/A — never persisted
Upload & share tokens Cloudflare KV Global (SCCs apply) 1 hour (upload) / 7 days (share) — auto-deleted Yes — Cloudflare default
Recruiter account data (name, email) Cloudflare D1 Global (SCCs apply) Until account deleted Yes — Cloudflare default
Company logo Cloudflare R2 Global Until account deleted or replaced Yes — AES-256
IP addresses (rate limiting) Cloudflare KV Global (SCCs apply) Short-lived (hours) Yes — Cloudflare default
Why not store everything in EU? R2's EU jurisdiction option applies specifically to video recordings — the highest-sensitivity data. General account metadata (names, emails) in D1 and KV does not have an EU-only option in Cloudflare's current offering, but is covered by Standard Contractual Clauses. For the data that matters most (the video), EU residency is enforced.

Stakeholder Summary

Recruiter (Data Controller)

Candidate (Data Subject)

Hiring Manager / Client (Data Recipient)

Compliance Scorecard

UK & EU GDPR compliance checklist. Beta status — May 2026.

Step 1
Lawful Basis
✓ Done — explicit consent (candidates), contract (recruiters)
Step 2
Data Categorisation
✓ Done — all data types mapped with retention, location, sensitivity
Step 3
DPO Appointment
✓ Not required — no large-scale systematic processing or special category data (no biometric analysis, no user tracking)
Step 4
Cybersecurity Measures
✓ Done — TLS, AES-256 at rest, OAuth, proxy access, token TTLs
Step 5
Record of Processing (RoPA)
✓ Done — internal RoPA document covers all 7 processing activities
Step 6
DPIA
✓ Not required — DPIA triggered only by high-risk large-scale processing. Current scale and no automated profiling or biometric analysis means threshold is not met.
Step 7
Privacy Policy
✓ Done — published at hireface.in/policies.html with candidate and recruiter sections
Step 8
Breach Response Plan
✓ Done — 72h ICO obligation acknowledged, templates prepared
Step 9
Third-Party Risk
✓ Done — DPA agreed via mandatory checkbox at sign-up; sub-processors named, SCCs in place. View DPA →