EU AI Act Compliance
The EU AI Act is already in force — prohibited practices since February 2025, GPAI obligations since August 2025. High-risk obligations for recruitment AI under Annex III apply from 2 December 2027. SafeHire AI was built to meet them from day one.
Recruitment AI is classified as high-risk
Under EU AI Act Annex III, Point 4, AI systems used for recruitment or selection of candidates are explicitly classified as high-risk. This applies to every AI tool used in screening, filtering, or evaluating job applicants — whether cloud-based or on-premise.
SafeHire AI is a high-risk AI system. We are transparent about this classification because it defines the compliance obligations we meet. The difference between SafeHire and cloud-based alternatives is how those obligations are satisfied.
SafeHire vs. cloud-based recruitment AI
How each EU AI Act obligation is met
| Obligation | SafeHire AI | Cloud AI vendor |
|---|---|---|
| Risk management (Art. 9) | Documentation provided | Must be created and maintained |
| Data governance (Art. 10) | Data never leaves your hardware | Data processed on vendor infrastructure |
| Technical documentation (Art. 11) | Available on request | Varies — often limited |
| Record-keeping (Art. 12) | Automatic audit log per analysis | Depends on vendor implementation |
| Transparency (Art. 13) | Bias analysis included per analysis | Varies — often opaque |
| Human oversight (Art. 14) | Enforced by design — AI advises, human decides | Must be technically enforced, not just policy |
| Accuracy & robustness (Art. 15) | Four local AI models, no external dependency | Dependent on vendor API availability |
| GDPR Art. 28 DPA | Not required — no processor relationship | Required — vendor is data processor |
| Cross-border transfer | None — data stays on-premise | Likely — cloud infrastructure |
| DPIA support | Documentation provided | Customer's responsibility |
For data protection officers
If you are evaluating AI tools for recruitment, SafeHire eliminates the most complex procurement hurdles:
- 1 No data processor relationship. SafeHire runs on your hardware. Your organisation remains the sole data controller. No Article 28 GDPR Data Processing Agreement is required.
- 2 No cross-border transfer. GDPR Chapter V restrictions do not apply. No Schrems II assessment needed. Candidate data stays within your infrastructure.
- 3 DPIA support included. We provide technical documentation to support your Data Protection Impact Assessment, as required for high-risk AI under GDPR Article 35.
- 4 Technical documentation available. Architecture descriptions, model documentation, intended use specifications, and known limitations — all available on request for procurement review.
The rules that already apply
Prohibited AI practices and GPAI obligations are already enforceable. High-risk obligations for recruitment AI follow on 2 December 2027 — and the harmonised standards procurement teams will rely on are not yet finalised. SafeHire AI meets EU AI Act high-risk obligations by design, not by retrofit. The technical documentation is ready now.