AI Providers & Data Processing
QualiVally.ai uses external AI services to analyse candidate CVs and conduct interview conversations. This page explains which providers are used, where data is processed, and how GDPR compliance is ensured.
How AI processing works in QualiVally
When a candidate applies for a position, their CV and interview responses are sent to the AI provider selected by the recruiting company (the Data Controller). QualiVally.ai acts as a Data Processor on behalf of the recruiting company.
The recruiting company selects their preferred AI provider in their profile settings. The specific provider used for each interview is disclosed to the candidate in the consent screen before they begin.
Candidate data is not used to train AI models when accessed via the API by any of the providers listed below. All providers listed here offer a Data Processing Agreement (DPA) that includes Standard Contractual Clauses (SCCs) for lawful transfer of data outside the EU/EEA.
All candidate data is automatically and permanently deleted from QualiVally.ai's systems no later than 2 weeks after the job's application deadline.
Approved AI Providers
Google Gemini
Google LLC – Mountain View, California, USA
Google's Gemini API processes data on Google's infrastructure. As a US-based provider, data may be transferred outside the EU/EEA. Google's DPA includes Standard Contractual Clauses (SCCs) under GDPR Article 46 to ensure lawful transfer. API data is not used to train Google's models.
OpenAI (ChatGPT)
OpenAI, Inc. – San Francisco, California, USA
OpenAI processes data on its US-based infrastructure. Data may be transferred outside the EU/EEA under Standard Contractual Clauses. API data is not used to train OpenAI models by default. OpenAI is ISO 27001 certified and SOC 2 compliant.
Anthropic (Claude)
Anthropic, PBC – San Francisco, California, USA
Anthropic processes data on US-based infrastructure. Data may be transferred outside the EU/EEA under Standard Contractual Clauses, which are automatically incorporated into Anthropic's Commercial Terms of Service. API data is explicitly not used to train Claude models. Anthropic holds ISO 27001 and ISO 42001 certifications and is SOC 2 compliant. Default data retention via API is 7 days.
Mistral AI
Mistral AI SAS – Paris, France (EU)
Mistral AI is a French company headquartered in Paris, processing data within the European Union. No cross-border data transfer to third countries is required. As an EU-based provider, Mistral is directly subject to GDPR and is an excellent choice for organisations with strict data residency requirements. API data is not used for model training.
Aleph Alpha
Aleph Alpha GmbH – Heidelberg, Germany (EU)
Aleph Alpha is a German AI company processing all data within Germany and the EU. As a sovereign European AI provider, they offer the highest level of data sovereignty – no data leaves the EU, no US CLOUD Act exposure, and they are directly subject to GDPR under German law. Particularly suitable for organisations in regulated industries or government sectors.
Recommendation for GDPR-sensitive use
For organisations that process sensitive candidate data and want to minimise GDPR risk, we recommend choosing Mistral AI or Aleph Alpha as your AI provider in your QualiVally profile. Both are EU-based, process data exclusively within the EU/EEA, and are directly subject to GDPR – eliminating the need for Standard Contractual Clauses or third-country transfer assessments.
This recommendation does not constitute legal advice. Recruiting companies are responsible as Data Controllers for ensuring their chosen AI provider complies with applicable data protection law.