Trust, security & EU compliance

Built for European recruiting teams. Audited, residency-locked, explainable.

TrueCalling is the AI sourcing platform designed for the regulatory reality of EU talent acquisition. Candidate data stays in Frankfurt. Outreach requires consent. Every TrueFit 360 score is explainable line-by-line so the recruiter — and any auditor — can see why a candidate was ranked the way they were.

The fact sheet

Data residency: EU-region only, Frankfurt (eu-central-1).
Data transfers outside the EEA: none. Customer data does not leave the EEA.
Encryption at rest: AES-256 on managed Postgres and object storage.
Encryption in transit: TLS 1.2 or later only; HTTPS enforced site-wide, with HSTS and inclusion on the browser preload list.
Sub-processors: EU-region where possible; full list available under NDA.
Records of processing (RPA, GDPR Article 30): maintained per processing purpose; provided on request.
DPA: Article 28 DPA incorporating the 2021 EU Standard Contractual Clauses, available before signature.
Right to be forgotten (Art. 17): honoured within 30 days; propagates to all connected ATS.
Third-party LLM training on your data: not permitted; contractual no-training clause.
EU AI Act classification: recruiting systems are high-risk (Annex III, point 4). TrueCalling is designed against the high-risk obligations.

EU data residency — Frankfurt, zero transfer outside the EEA

For EU customers, all production data is processed in Frankfurt (eu-central-1): managed Postgres, object storage, model inference, outreach gateways and the EMILY copilot runtime. There is no transfer of customer data outside the European Economic Area.

Sub-processors are selected, where possible, with the same EU-residency constraint. The full sub-processor list — covering cloud, identity, outreach gateways and observability — is available to prospective customers and their DPOs under NDA.

The DPA is an Article 28 processor agreement incorporating the 2021 EU Standard Contractual Clauses and is signed before production access is granted. GDPR Article 30 records of processing are maintained per processing purpose and shared on request.

Explainable scoring — designed against the EU AI Act

Recruiting and candidate-evaluation systems are classified as high-risk under Annex III, point 4 of the EU AI Act. High-risk systems must be transparent, auditable, and subject to human oversight; an opaque "match score" with no visible reasoning does not meet those obligations.

TrueFit 360 — TrueCalling's scoring methodology — decomposes every candidate score into four explicit axes (hard skills, contextual experience, soft skills, engagement) and cites the source evidence used to compute each sub-score. The recruiter can override any axis; the override is logged with the model version, timestamp and operator identity for audit.

The same explainability layer mitigates bias: because the reasoning per criterion is visible, the recruiter and the compliance officer can spot when a sub-score is loading disproportionately on a proxy attribute and recalibrate before the decision is made — not after.

For a longer write-up of the methodology, see the glossary entry for Explainable Talent Intelligence and TrueFit 360.

Candidate consent, retention & right to be forgotten

Outbound outreach via WhatsApp, email or phone requires the candidate to opt in on first contact. Consent is timestamped, source-attributed, and synchronised to the customer's ATS so the record of consent travels with the candidate.

Right-to-be-forgotten requests (GDPR Article 17) are honoured within 30 days. Deletion cascades across the candidate profile, outreach history and scoring artefacts, and propagates to the connected ATS (Workday, Greenhouse, SAP SuccessFactors, Lever) via each integration's deletion endpoint.

FAQ — Trust & compliance

Where is my candidate data stored when I use TrueCalling in the EU?

All EU customer data — candidate profiles, conversation history, scoring artefacts — is processed and stored exclusively in EU-region infrastructure (Frankfurt, eu-central-1). There is no transfer of customer data outside the EEA.

Does TrueCalling train external LLMs on my proprietary outreach data?

No. The Master Services Agreement contains an explicit no-training clause: TrueCalling does not send customer outreach, candidate profiles or ATS data to third-party LLM vendors for training. Inference happens against frozen model versions.

How does TrueCalling address the EU AI Act for recruiting systems?

Recruiting and candidate-evaluation systems are classified as high-risk under Annex III, point 4 of the EU AI Act. TrueCalling is designed around the high-risk obligations: explainable scoring (TrueFit 360 produces line-by-line reasoning per criterion), human oversight (recruiter approval is required on every outreach), logged decisions (every score and override is auditable), and documented data governance (records of processing, sub-processor list, DPA).

How is candidate consent captured before outreach?

Outreach via WhatsApp, email or phone requires the candidate to opt in via a one-tap consent flow on first contact. Consent is timestamped, source-attributed, and propagated to the connected ATS (Workday, Greenhouse, SAP SuccessFactors, Lever). Withdrawal of consent stops outreach immediately and triggers downstream deletion.

Can I get a copy of the GDPR Article 30 records of processing?

Yes. We maintain a Record of Processing Activities (RPA) covering candidate sourcing, outreach, scoring, and ATS sync. It is available to customers and their DPOs under NDA, in advance of contract signature.

Is TrueCalling fit for French / German works-council review?

Yes. The integrations with SAP SuccessFactors, Workday and Lever are documented with the data flows, retention rules and consent capture that works councils typically require. We provide the documentation pack as part of the EU onboarding.

Need the DPA, sub-processor list, or works-council pack?

We share the compliance documentation under NDA before contract signature. One email to start the review.