A CV analyzed by AI travels further than you think
Many modern ATS tools send CVs to an AI API to extract information. That API is often hosted in the US, sometimes without a signed data processing agreement (DPA).
For more, see our payroll software security review.
The three questions to ask
What the regulator looks at
GDPR requires a legal basis, clear notice to candidates, and, if data leaves the EU, a transfer covered by an appropriate legal framework. An ATS vendor without precise answers on these points is taking a real risk.
For HR & Payroll vendors
CleanIssue specializes in security reviews for HR, payroll, and recruiting software. If you're building an HRIS, payroll tool, or ATS and want an external review of your exposure before a client audit or security questionnaire, see our offer for HR & Payroll vendors.
Sources
Editorial analysis based on official vendor, project, and regulator documentation.