What is RecruitSecure AI?

RecruitSecure AI is an enterprise-grade CV search engine that uses 100% local AI processing for semantic search. It runs entirely on your infrastructure with zero external API calls, ensuring complete data privacy.

Yes. All CV data is encrypted at rest with AES-256-GCM, processed locally without external API calls, and stored in your own database. RecruitSecure AI is fully GDPR-compliant with data export and deletion capabilities.

Do I need external AI APIs?

No. RecruitSecure AI uses Transformers.js with the all-MiniLM-L6-v2 model to generate embeddings locally. There are zero external API calls, which means no per-query costs and no data leaving your infrastructure.

How much does it cost?

RecruitSecure AI offers a free tier for small teams, Starter at €9/month, Pro at €19/month with advanced features like pipeline kanban and analytics, and Enterprise from €49/month with SSO, API access, and unlimited usage.

Is there a free trial?

Yes. All paid plans include a 14-day free trial with no credit card required. You can also use promo codes for extended trial periods of up to 30 days.

What CV formats are supported?

RecruitSecure AI supports PDF, DOCX, and TXT file formats. Files up to 10MB are accepted, and you can upload multiple CVs simultaneously with batch processing.

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement between the Customer and RecruitSecure AI for the provision of the Service, in accordance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Last Updated: February 2026

1. Definitions

The following terms shall have the meanings set out below for the purposes of this DPA:

"Controller" means the Customer, who determines the purposes and means of the processing of Personal Data.
"Processor" means RecruitSecure AI, which processes Personal Data on behalf of the Controller.
"Sub-processor" means any third party engaged by the Processor to assist in the processing of Personal Data.
"Personal Data" means any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, phone numbers, and CV content uploaded to the Service.
"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, indexing, searching, analysis, and deletion.

2. Scope and Purpose

This DPA applies to the processing of Personal Data by the Processor on behalf of the Controller in connection with the provision of the RecruitSecure AI service.

The purpose of processing is to provide CV data management and candidate information processing for recruitment purposes. This includes:

Uploading, parsing, and extracting text from CV files (PDF, DOCX, TXT).
Generating vector embeddings from CV content for semantic search capabilities.
Storing and indexing candidate information, including names, contact details, and professional experience.
Performing semantic search queries against stored candidate data to return ranked results.

3. Controller Obligations

The Controller shall be responsible for:

Ensuring that a lawful basis exists for the processing of Personal Data under Article 6 of the GDPR, including obtaining any necessary consent from data subjects.
Adhering to data minimization principles by only uploading Personal Data that is necessary and relevant for recruitment purposes.
Providing documented instructions to the Processor regarding the processing of Personal Data.
Informing data subjects about the processing of their Personal Data in accordance with Articles 13 and 14 of the GDPR.
Ensuring that any data shared with the Processor is accurate, complete, and up to date.

4. Processor Obligations

The Processor shall:

Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
Ensure that all personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Section 7 of this DPA.
Assist the Controller in responding to Data Subject Access Requests (DSARs) and other requests from individuals exercising their rights under the GDPR.
Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach.
Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for audits and inspections.

5. Sub-processors

The Processor engages the following sub-processors for the delivery of the Service. Each sub-processor is bound by data processing obligations no less protective than those set out in this DPA:

Supabase: Database hosting and authentication (PostgreSQL with Row-Level Security). Data regions: EU and US, configurable per customer preference.
Vercel: Application hosting and content delivery network. Operates on a global edge network, processing requests in the region closest to the end user.
Stripe: Payment processing. Operates globally under PCI-DSS Level 1 certification. Handles all payment card data directly; no card data is stored on RecruitSecure AI servers.

The Controller will be notified in advance of any intended changes to the list of sub-processors, including additions or replacements. The Controller shall have the right to object to such changes within 30 days of notification.

6. Data Transfers

Where Personal Data is transferred outside the European Economic Area (EEA), the Processor shall ensure that appropriate safeguards are in place in accordance with Chapter V of the GDPR. These safeguards include:

Standard Contractual Clauses (SCCs): The Processor and its sub-processors have executed the European Commission's Standard Contractual Clauses for transfers of Personal Data to third countries.
EU Region Availability: Supabase offers EU-region data hosting, allowing Controllers to keep all database storage within the EEA.
Supplementary Measures: Additional technical measures, including encryption in transit and at rest, are applied to all transferred data to ensure an equivalent level of protection.

7. Security Measures

The Processor implements the following technical and organizational security measures to protect Personal Data:

Encryption at Rest: All stored data is encrypted using AES-256-GCM encryption.
Encryption in Transit: All data transmitted between clients and servers is protected using TLS 1.3.
Tenant Isolation: Row-Level Security (RLS) policies enforce strict data isolation between tenants, ensuring that each Controller can only access their own data.
Audit Logging: All access to and modifications of Personal Data are recorded in audit logs for accountability and compliance monitoring.
Access Controls: Role-based access controls (RBAC) limit access to Personal Data to authorized personnel only. Administrative access requires multi-factor authentication.

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach. The notification shall include:

A description of the nature of the breach, including, where possible, the categories and approximate number of data subjects and records affected.
The categories of Personal Data involved in the breach (e.g., names, contact details, CV content).
A description of the likely consequences of the breach for the affected data subjects.
A description of the corrective measures taken or proposed to address the breach and mitigate its effects.
Contact details of the Processor's Data Protection Officer for further information.

9. Duration and Termination

This DPA shall be effective for the duration of the Service agreement between the Controller and the Processor. Upon termination of the Service:

The Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days of termination.
The Processor shall delete all existing copies of Personal Data unless applicable law requires further storage.
The Processor shall provide written confirmation of data deletion upon request.

Obligations under this DPA that by their nature should survive termination, including confidentiality and liability provisions, shall remain in effect after termination.

10. Contact

For questions regarding this Data Processing Agreement or to exercise any rights under this DPA, contact our Data Protection Officer at dpo@recruitsecure.ai.

← Back to home Privacy Policy →Terms of Service →