This document describes how Vetti handles candidate data, what technical and procedural safeguards are in place, and how the AI scoring system operates. It is intended for recruitment agencies, their clients, and any party conducting due diligence on Vetti's data practices.
Vetti is hosted on Railway.app, which operates on infrastructure provided by Google Cloud Platform (GCP). All data is stored and processed within the European Union.
Hosting provider: Railway.app, with infrastructure backed by GCP data centres in the EU region (Frankfurt / Belgium).
All database records, screening sessions, and candidate evaluations are stored exclusively within EU borders. No data is transferred to third-party servers outside the EU for storage.
The database is PostgreSQL, managed via Supabase. User accounts and session metadata are stored with standard access controls — each user's data is accessible only to that user's authenticated session.
Database volumes are encrypted at rest by Railway's underlying infrastructure (GCP), which uses AES-256 by default.
All communication between users, the Vetti application, and third-party APIs is encrypted via HTTPS (TLS). Connections to the application are HTTPS-only; unencrypted HTTP is not accepted.
User authentication is managed by Supabase Auth, which handles password hashing, session tokens, and secure cookie management. Email-based login with session expiry is enforced.
Vetti processes candidate CV data on behalf of recruitment agencies (data processors). The following rights are implemented directly in the application interface.
A permanent deletion function is available in the application. When invoked, all records associated with a screening session — including CV content, AI evaluations, and scores — are permanently removed from the database. This action is irreversible.
Vetti enforces a 90-day automatic deletion policy on inactive screening sessions. Sessions not accessed within 90 days are purged from the database without manual intervention.
Recruiters can export screening results to Excel and download a full audit report (PDF/text) for each session. These exports contain the AI evaluations and decision log for that session and are intended to support subject access requests or client reporting.
Candidate CV data is used solely for the purpose of generating a structured evaluation score. Data is not shared with third parties for any secondary purpose, including advertising or model training.
AI-assisted recruitment screening is classified as a high-risk use case under the EU AI Act. Vetti is designed to meet the transparency and human oversight requirements that apply to high-risk AI systems.
Every candidate evaluation includes a score breakdown showing points awarded across five categories: CV structure & ATS compatibility, content quality, keywords & skills, presentation, and job relevance. The weighting for each category is disclosed to the recruiter. Scores are not a black box.
Vetti produces ranked shortlists and advisory scores only. No candidate is automatically rejected or progressed. All hiring decisions — including which candidates to interview, reject, or flag — require explicit action by a human recruiter. The AI is a decision-support tool, not a decision-maker.
Each screening session generates a downloadable audit report containing the scoring methodology, full candidate decision log, session statistics, and a sign-off section for the responsible recruiter. This report is designed to support regulatory review or client governance requirements.
The AI evaluates CV content only — structure, language quality, relevance to the job description, and keywords. It does not receive or evaluate candidate names, photographs, age, nationality, gender, or any other protected characteristic. Protected characteristics are not scoring inputs.
Vetti uses the following third-party services to deliver its functionality. Each sub-processor is selected for its EU compliance posture.
| Provider | Purpose | Data Shared | Compliance |
|---|---|---|---|
| Anthropic | AI inference (CV evaluation) | CV text content only, no personal identifiers required | SOC 2 Type II, zero data retention API* |
| Supabase | Authentication & database | User account data, session records | SOC 2, GDPR compliant, EU hosting available |
| Railway | Application hosting | Application runtime only | GCP infrastructure, EU region |
| SendGrid | Transactional email (Pro plan) | Recipient email addresses | SOC 2, GDPR compliant |
For data protection enquiries, subject access requests, or questions about this document, contact:
hello@vetti.app
Vetti — vetti.app
We aim to respond to all data protection enquiries within 5 business days.