onductusBook a demo
Trust Center

Compliance isn’t a checkbox we bolted on. It’s how the product is built.

Konductus is an AI voice-screening tool for in-house Talent Acquisition teams in the EU. This page is for the people who have to sign off on it — your DPO, legal, procurement and works council. Everything below is grounded in what the product actually does, and we’re explicit about what exists today versus what’s in preparation.

Last updated · 19 June 2026
The line that matters most

Konductus scores from the words in the transcript — never from vocal or acoustic features. It does not infer emotional states or sensitive characteristics from the voice.

Authenticity, liveness / anti-impersonation, language (CEFR), soft skills and CV-consistency are all assessed from transcript content — permitted high-risk use, not a prohibited practice. Emotion recognition and biometric categorisation in the workplace are banned outright under Art 5(1)(f)/(g) of the EU AI Act (in force since 2 February 2025, the €35M / 7%-of-turnover tier). Drawing that boundary in software, not just in a policy, is the single most important thing we do — so we put it first.

AI Act Art 5(1)(f)/(g) · transcript-only, by design
EU data residency
Application data stored in the EU (Supabase, eu-west-2).
A human signs every decision
No advance or rejection is final without explicit recruiter confirmation.
Scored from transcript text
Never from vocal/acoustic features — no emotion or sensitive-trait inference.
Append-only audit trail
Every score, decision and human sign-off is logged and exportable for your DPO.

Where Konductus sits under the AI Act

We don't dispute the obvious: a tool that scores and ranks candidates is high-risk under the EU AI Act. What matters is which obligations bite, and when.

Classification

High-risk under Annex III, point 4(a) — AI used to evaluate candidates and filter applications. We treat this as settled, not arguable.

In force now (since 2 Feb 2025)

The Art 5 prohibitions — including workplace emotion recognition and biometric categorisation. This is the boundary our transcript-only design is built around.

High-risk obligations · 2 Dec 2027

The full high-risk stack (technical documentation, conformity assessment, CE marking, registration) applies on 2 December 2027 — delayed 16 months by the Digital Omnibus.

An honest caveat:the 2 Dec 2027 date comes from the Digital Omnibus, which at the time of writing is a provisional political agreement pending European Parliament adoption and Official Journal publication (expected ~July 2026). We plan to the calendar dates and track adoption — and we’d rather tell you that than imply more certainty than the law currently provides.

A human signs every decision

GDPR Art 22 limits decisions made solely by automated means. Konductus is designed so a human is always in the loop, with real authority.

Decision support, not a verdict

The Konductus Score is an input. The recruiter reviews it and decides; nothing advances or rejects on the model’s say-so alone.

A staged human gate

Every advance or rejection is held “staged” until a named recruiter explicitly confirms it — that confirmation is what gets logged.

Contestation & human review

Candidates can ask for human review, express their view, and contest an outcome — the rights GDPR Art 22 requires.

Data protection & residency

Application data is stored in the EU. We process only what the screening needs, on a clear legal basis, and share it only with vetted subprocessors.

SupabaseDatabase & storage — hosted in the EU (eu-west-2).
ElevenLabsVoice conversation.
Anthropic (Claude)CV parsing & scoring. Not used to train their models.
VercelApplication hosting.
ResendTransactional email.
StripeBilling (recruiters only).

We do not sell personal data. Audio recordings and transcripts are kept only as long as the screening and any agreed retention window need, then deleted; consent records are kept as an audit trail. Candidates can access, correct, delete, port, restrict or object to processing, and withdraw consent. Full detail is in the Privacy Policy.

Provider evidence

The evidence Konductus produces as the AI provider. We label each item honestly: live today, in preparation (available on request), or on the roadmap to the 2 Dec 2027 obligation date.

Feature-provenance attestationAvailable now
Written confirmation that every score dimension derives from transcript text — no acoustic/prosodic emotion features, no voice-based sensitive-trait inference.
Art 5(1)(f)/(g) prohibition · in force since 2 Feb 2025
Human-oversight design specAvailable now
How Konductus avoids Art 22 "solely automated" decisions: the score is decision support, a recruiter confirms every outcome, with a contestation/appeal path.
GDPR Art 22 · AI Act Art 14
Liveness / anti-impersonation memoAvailable now
Frames voice authenticity as security & integrity (is this a real, live person?) — explicitly not emotion or trait inference.
Art 5 · Art 3(39)
Privacy policy & candidate disclosureAvailable now
Public, GDPR-aligned, with the AI-use and human-review disclosure candidates see before they start.
GDPR Arts 13–14
DPA + subprocessor list + SCCsIn preparation
Signable Data Processing Agreement with documented-instructions, 24–48h breach notice, subprocessor list and EU SCCs for any non-EEA transfer.
GDPR Arts 28, 44–49 · available on request
Model / DPIA-support packIn preparation
Art 13-style system information so your team can complete its GDPR DPIA quickly.
AI Act Art 13 · GDPR Art 35 · available on request
Bias / accuracy / robustness testing reportIn preparation
Methodology, datasets, results and monitoring cadence for the scoring model.
Arts 10, 15 · legally due 2 Dec 2027
Technical documentation (Annex IV) & risk-management dossierRoadmap · 2 Dec 2027
The full high-risk technical file and Art 9 risk-management system, being drafted ahead of the obligation date.
Arts 9, 11, 18
Conformity assessment, EU Declaration & CE markingRoadmap · 2 Dec 2027
Internal-control conformity assessment (Annex VI), EU Declaration of Conformity, CE marking and EU-database registration.
Arts 43, 47, 48, 49
SOC 2 Type II / ISO 27001 (and ISO 42001)In preparation
Security certification path under evaluation; security controls (encryption in transit & at rest, least-privilege access) are in place today.
Buyer requirement

For your DPO & works council

So your side of the compliance work is fast, Konductus hands your team a turnkey pack. These are in preparation and available on request as we onboard design partners.

DPIA starter pack
Pre-filled Art 13 information so your DPO completes the GDPR Art 35 assessment quickly.
Human-oversight playbook
Exactly what a "meaningful" reviewer must do (authority to overturn, full-data review, access to score drivers) to stay outside Art 22 — plus a contestation/appeal SOP.
Candidate privacy-notice & AI-disclosure templates
Multilingual, ready to drop into your careers flow.
Works-council information packs
For 🇩🇪 BetrVG §87/§90/§95, 🇫🇷 CSE (L.2312-8/-38), 🇪🇸 Art 64.4.d ET, 🇳🇱 WOR Art 27 — system description, data processed, retention, who sees outputs, human review, redress.
Logging & retention guidance
How to meet the Art 26(6) ≥6-month logging-retention expectation.
Worker/candidate information template
For the Art 26(7) information duty.
Works councils matter early. In Germany and France especially, a deployer generally cannot switch on an AI hiring tool until the works council (Betriebsrat / CSE) has been informed and consulted — before signing. Our onboarding gives your team the documentation to run that process quickly.

Need the full evidence pack?

Send your DPO’s questionnaire our way, or book a call. We’ll walk your legal team through the transcript-only boundary, the human-oversight design, and the documents above.

Book a compliance callprivacy@konductus.com