Trust

Security & data protection at Merit2Hire

How we protect candidate and Customer data, what the AI is allowed to do, and what we deliberately do not build.

What Merit2Hire deliberately does not do

The single most important thing to know about Merit2Hire's evaluation engine is what it is not allowed to do:

  • No facial recognition — we do not identify candidates from video frames.
  • No facial analysis — we do not infer attributes from facial features.
  • No emotion detection — we do not score candidates on inferred emotional state.
  • No tone, pace, or paralinguistic scoring — we do not evaluate how a candidate sounds, only what they say against role-relevant rubrics.
  • No biometric templates — we do not generate biometric identifiers from recordings.
  • No special-category data collection — we do not knowingly collect Article 9 GDPR data (health, biometric, genetic).
  • No sale of personal data — ever, to anyone, for any purpose.

Technical & organizational measures

  • Encryption: TLS in transit. Encryption at rest for all stored personal data, including recordings and transcripts.
  • Tenant isolation: Strict per-Customer data isolation. One Customer's data is never accessible to another Customer.
  • Access control: Role-based access controls scoped to job duty. Production access is logged and reviewed.
  • Audit logging: Immutable audit logs of significant actions, including every AI score, every recruiter score override, and every consent change.
  • Application security: Web-app controls aligned with OWASP Top 10 mitigations. Secure SDLC practices and staff confidentiality obligations.
  • Payment data: Handled by a PCI-DSS compliant processor. Merit2Hire does not store full card details — only card type and last 4 digits for reference.
  • International transfers: EU-US Data Privacy Framework adequacy decision, or Standard Contractual Clauses where adequacy does not apply.
  • Retention: Interview recordings and transcripts retained for the period configured by the Customer (Controller), then permanently deleted. Queued AI processing data retained up to 90 days. Consent and audit records are immutable.

Human oversight of AI decisions

Merit2Hire AI assessments are decision-support tools. Hiring decisions are made by recruiters, not by the platform. Under Article 22 GDPR, candidates have the right not to be subject to a decision based solely on automated processing that produces legal or similarly significant effects. Every AI score can be reviewed, adjusted, or overridden by a human reviewer; every override is logged.

Hiring fairness

Merit2Hire's AI is designed to exclude protected attributes (such as gender, age, race, ethnicity, disability) from consideration. Every candidate receives the same structured interview, scored against the same role-specific rubrics. The audit trail is EEOC-ready.

Reporting a security issue

If you believe you have discovered a security vulnerability in Merit2Hire, please contact us at info@pressatto-ai.com. We acknowledge reports within 3 business days.

Security FAQ

Does Merit2Hire perform facial recognition or emotion detection?

No. Merit2Hire does not perform facial recognition, facial analysis, emotion detection, or analysis of tone, pace, or other non-verbal physical characteristics. We do not use interview recordings to create biometric identifiers or templates. Candidates are evaluated based on the content of their spoken answers against role-relevant criteria.

Is candidate data isolated between Customers?

Yes. Merit2Hire enforces strict tenant isolation. One Customer's data is never accessible to another Customer. Each Customer operates an isolated account (a "Tenant").

How is data encrypted?

Personal data is encrypted in transit using TLS and at rest. Production access is gated by role-based access controls, and significant actions are recorded in immutable audit logs.

Who can override an AI assessment?

Recruiters can review transcripts, adjust scores, and add their own assessment. Every score override is logged with the reviewer's identity and a timestamp, producing a defensible audit trail.

Does Merit2Hire sell or share Personal Data?

No. We do not sell, rent, trade, or otherwise monetize Personal Data. Disclosure is limited to sub-processors under Article 28 GDPR agreements, recruiters where you have consented (Talent Pool or job applications), and authorities when required by law.

What happens to interview recordings over time?

Where Merit2Hire is a Processor, retention periods are configured by the Customer. Interview recordings and transcripts are retained for the configured period and then permanently deleted. Interviews queued for AI analysis are retained up to 90 days pending processing.

How do you handle international data transfers?

For data transferred outside the European Economic Area, Merit2Hire relies on an adequacy decision (such as the EU-US Data Privacy Framework) or implements Standard Contractual Clauses adopted by the European Commission, with additional safeguards where necessary.

For the full data-protection commitments, read the Privacy Policy and the Terms of Use.