EU AI Act Compliance Statement

How NoesisHiring complies with Regulation (EU) 2024/1689

Noesis Hiring Ltd · Version 1.0 · Effective Date: 21 May 2026

Contents

  • 1. Introduction & Scope
  • 2. Risk Classification
  • 3. Risk Management System (Art. 9)
  • 4. Data & Data Governance (Art. 10)
  • 5. Technical Documentation (Art. 11)
  • 6. Record-Keeping & Logging (Art. 12)
  • 7. Transparency to Deployers (Art. 13)
  • 8. Human Oversight (Art. 14)
  • 9. Accuracy, Robustness, Cybersecurity (Art. 15)
  • 10. Conformity Assessment & CE Marking
  • 11. Post-Market Monitoring (Art. 72)
  • 12. Serious Incident Reporting (Art. 73)
  • 13. Deployer Obligations (Art. 26)
  • 14. Fundamental Rights Impact Assessment (Art. 27)
  • 15. Updates to this Statement

Legal Corpus

  • Data Processing Agreement
  • Privacy Policy
  • Terms of Service
  • Data Flow Diagram Appendix
  • EU AI Act Compliance
  • GDPR Compliance
Regulatory clock. Most obligations for high-risk AI systems under the EU AI Act apply from 2 August 2026. Where this statement commits to specific procedures, NoesisHiring confirms readiness from that date. Items marked "in progress" reflect work scheduled to complete before 2 August 2026.

1. Introduction & Scope

NOESIS HIRING LTD ("NoesisHiring", "NH") is a provider within the meaning of Article 3(3) of Regulation (EU) 2024/1689 ("AI Act"). The AI system it makes available through the Platform is the CVs' AI Assessment: CV parsing, semantic comprehension, and evaluation of Knowledge, Skill, Competence, and Experience (KSCE), supported by AI-assisted candidate communications.

Tenant Companies (employer organisations using the Platform) are deployers within the meaning of Article 3(4).

Other Platform assessments, COB (Conscientiousness-Openness Balance), EQ (Emotional Intelligence) and LAA (Learning Agility Assessment), collectively the TRIO™ aggregation, are deterministic and do not involve AI sub-processors at the assessment stage. TRIAGE™ responses are stored for direct Employer use; NoesisHiring does not currently perform AI analysis on TRIAGE™ responses.

For a flow-by-flow map of which personal data categories are processed by AI sub-processors and which remain within EU infrastructure, see the Data Flow Diagram Appendix to the Data Processing Agreement.

Geographic scope. The AI Act applies to NoesisHiring's Platform where it is placed on the EU market or where its output is used in the European Union (Article 2(1)). NoesisHiring commits to AI Act compliance on a global basis for consistency across all Tenant Companies.

2. Risk Classification

Annex III §4 of the AI Act classifies as high-risk AI systems intended to be used for the recruitment or selection of natural persons — in particular, for filtering applications or evaluating candidates. The NoesisHiring Platform falls within this classification.

As the provider of a high-risk AI system, NoesisHiring is subject to the obligations set out in Articles 8 to 17 of the AI Act, addressed in Sections 3 to 9 of this statement, together with conformity assessment (Article 43), post-market monitoring (Article 72), and serious incident reporting (Article 73).

Tenant Companies, as deployers of a high-risk AI system within the meaning of Article 3(4), are subject to the obligations in Article 26 — see Section 13.

3. Risk Management System (Article 9)

NoesisHiring operates a continuous risk management system in accordance with Article 9. The system is documented, periodically reviewed (at minimum quarterly), and integrated into the Platform's software development lifecycle.

3.1 Identified Risks

  • Bias against protected characteristics — AI-generated assessments could systematically disadvantage Applicants belonging to groups protected under EU and Member State equality law.
  • Inaccuracy — assessment outputs could be insufficiently accurate, producing false negatives (qualified candidates filtered out) or false positives.
  • Fabrication — AI-generated content could include unsupported claims about an Applicant's profile.
  • Silent failure — the system could appear to produce valid outputs while underlying processing is degraded or incorrect.
  • Misuse by deployers — Tenant Companies could use outputs for purposes the system is not designed for, including reliance on assessment outputs without meaningful human review.
  • Data quality failure — poor or non-anonymised input data could produce systematically degraded outputs.
  • Transparency failure — deployers or Applicants could be misled about what the system does or how its outputs should be used.

3.2 Risk-Control Measures

For each identified risk, NoesisHiring maintains documented mitigations, including:

  • fabrication detection on AI-generated content;
  • compensatory reasoning, so that inferred gaps do not become final negatives without human review;
  • never-automated action categories;
  • mandatory Hiring Manager approval for AI-composed communications;
  • tenant isolation and default-deny access controls;
  • pre-deployment configuration parity checks;
  • explicit-failure design (no silent fallback to incorrect outputs);
  • a CV anonymisation recommendation communicated to Applicants.

Full risk-management documentation is maintained internally and available to supervisory authorities and qualified auditors under NDA.

3.3 Post-Market Signal Feedback

Identified risks are continuously re-evaluated in light of post-market monitoring data (see Section 11) and serious-incident reporting (see Section 12). Material findings trigger updates to the risk-management documentation.

4. Data and Data Governance (Article 10)

4.1 Foundation Models — Sub-Processor Responsibility

The Platform's AI inference is performed by third-party AI sub-processors — Anthropic (Claude API) and Google (Gemini API). The foundation models used by these sub-processors are trained on data and under data-governance regimes that are the responsibility of the respective providers under their own AI Act obligations.

4.2 NoesisHiring's Data Governance Scope

NoesisHiring's Article 10 obligations relate to: (a) prompt engineering and system prompts NoesisHiring builds on top of the foundation models; (b) validation and testing datasets used to evaluate Platform output quality; and (c) the assessment methodology embodied in the Platform's prompt templates and the KSCE evaluation rubric. NoesisHiring does not fine-tune the foundation models and does not use Applicant Data as in-context training examples.

4.3 No Training on Applicant Data

NoesisHiring confirms that:

  • NoesisHiring does not use Applicant Data to train, improve, or develop the foundation models or the CVs' AI Assessment methodology;
  • NoesisHiring's AI sub-processors operate under commercial API agreements that prohibit use of processed data for AI model training;
  • Applicant Data is not aggregated or used across different Tenant Companies (tenant isolation enforced at the data layer).

See DPA §6.1 for the binding warranty.

4.4 Special-Category Data (Article 10(5))

The Platform is not designed to process special-category data within the meaning of Article 9 GDPR for AI assessment purposes. Applicants are encouraged to anonymise their CVs by removing names, photos, dates of birth, and other identifying information. Where special-category data is inadvertently included in CV content, it is processed only as necessary to store and display the CV to the Tenant Company. NoesisHiring does not rely on the Article 10(5) exception for bias-correction processing.

5. Technical Documentation (Article 11 + Annex IV)

NoesisHiring maintains the technical documentation required by Article 11 and Annex IV of the AI Act, including:

  • A general description of the AI system (intended purpose, provider identity, version history);
  • A description of system elements and the development process;
  • Information on monitoring, functioning, and control of the system;
  • Performance metrics and validation results;
  • The risk management system documentation (see Section 3);
  • Records of relevant changes through the system lifecycle;
  • The list of harmonised standards applied (see Section 10);
  • The EU Declaration of Conformity (see Section 10);
  • The post-market monitoring plan (see Section 11).

The technical documentation is maintained internally and made available to supervisory authorities upon lawful request, and to qualified auditors and Tenant Company DPOs under NDA. It is updated continuously as the Platform evolves, in accordance with the requirement in Article 11(1) that it be kept up to date.

6. Record-Keeping & Logging (Article 12)

NoesisHiring captures automatically generated logs on every AI processing event throughout the Platform's lifecycle, in accordance with Article 12. Log fields include:

  • AI sub-processor (provider) identifier;
  • Model identifier and version;
  • Processing latency and token counts;
  • Parse-success status of the output;
  • Timestamp of the event;
  • Tenant Company identifier (for traceability and tenant isolation);
  • Reference to the input data category processed (without storing the input data itself in the log payload).

Logs are retained for the lifetime of the application record (consistent with the 24-month Applicant Data retention in DPA Schedule 1 §6) for the purposes of traceability of system functioning, post-market monitoring under Article 72, and identification of situations under Article 79(1). Logs are stored on EU infrastructure (Cloud Firestore, europe-west4) and access is restricted to authorised NoesisHiring personnel under documented access-control procedures. A policy of not storing Applicant personal data in operational logs is enforced.
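The log fields above, and the rule that the input itself never enters the log payload, can be enforced structurally rather than by hoping nobody logs a CV. The following is an added example, not the Platform's code; the field names, the allowlisted providers and input categories, and the SAMPLE_CV text are all assumptions. Every string field is constrained to an identifier-shaped value, so free text cannot be smuggled into the record under any field name, and the input is referenced only by its SHA-256 digest.

```python
import hashlib
import json
import re
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import Optional

# Constructed sample input standing in for an Applicant's CV. It must never
# appear in the log payload.
SAMPLE_CV = ("Jane Doe, jane.doe@example.org, +44 20 7946 0000. "
             "Senior Python engineer, 8 years.")

# Hypothetical allowlist for every string field (the Platform's real schema is
# not on the page). Free text cannot match any of these patterns.
FIELD_PATTERNS = {
    "timestamp": re.compile(r"^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}(\.\d+)?\+00:00$"),
    "tenant_id": re.compile(r"^[a-z0-9-]{1,64}$"),
    "provider": re.compile(r"^(anthropic|google)$"),
    "model_id": re.compile(r"^[A-Za-z0-9._-]{1,64}$"),
    "model_version": re.compile(r"^[A-Za-z0-9._-]{1,32}$"),
    "input_category": re.compile(r"^(cv_text|communication_draft|interview_prep)$"),
    "input_digest": re.compile(r"^[0-9a-f]{64}$"),
}


@dataclass(frozen=True)
class AIEventLog:
    timestamp: str
    tenant_id: str
    provider: str
    model_id: str
    model_version: str
    latency_ms: int
    input_tokens: int
    output_tokens: int
    parse_success: bool
    input_category: str
    # SHA-256 of the input ties the event to the stored application record
    # without the log holding the input itself.
    input_digest: str


def digest_input(raw_input: str) -> str:
    return hashlib.sha256(raw_input.encode("utf-8")).hexdigest()


def validate_record(record: dict) -> dict:
    """Reject any record that does not fit the allowlisted schema exactly."""
    expected = set(AIEventLog.__dataclass_fields__)
    if set(record) != expected:
        raise ValueError(f"unexpected fields: {sorted(set(record) ^ expected)}")
    for name, pattern in FIELD_PATTERNS.items():
        value = record[name]
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValueError(f"field {name!r} is not an allowlisted value")
    for name in ("latency_ms", "input_tokens", "output_tokens"):
        value = record[name]
        if isinstance(value, bool) or not isinstance(value, int) or value < 0:
            raise ValueError(f"field {name!r} must be a non-negative integer")
    if not isinstance(record["parse_success"], bool):
        raise ValueError("parse_success must be a bool")
    return record


def build_event_log(*, tenant_id: str, provider: str, model_id: str,
                    model_version: str, latency_ms: int, input_tokens: int,
                    output_tokens: int, parse_success: bool,
                    input_category: str, raw_input: str,
                    now: Optional[datetime] = None) -> dict:
    """Build and validate one Article 12 event record for a single AI call."""
    now = now or datetime.now(timezone.utc)
    record = asdict(AIEventLog(
        timestamp=now.isoformat(),
        tenant_id=tenant_id,
        provider=provider,
        model_id=model_id,
        model_version=model_version,
        latency_ms=latency_ms,
        input_tokens=input_tokens,
        output_tokens=output_tokens,
        parse_success=parse_success,
        input_category=input_category,
        input_digest=digest_input(raw_input),
    ))
    return validate_record(record)


def serialize(record: dict) -> str:
    return json.dumps(record, sort_keys=True)


if __name__ == "__main__":
    rec = build_event_log(
        tenant_id="tenant-0042", provider="anthropic",
        model_id="claude-example", model_version="2026-01",
        latency_ms=812, input_tokens=1450, output_tokens=310,
        parse_success=True, input_category="cv_text", raw_input=SAMPLE_CV,
    )
    print(serialize(rec))
```

The schema check is the control that matters: a regex hunt for e-mail or phone patterns in log text would miss names and free-form CV excerpts, whereas an allowlist of identifier-shaped values rejects a CV passed as `input_category` (or any other field) outright.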

7. Transparency & Information to Deployers (Article 13)

NoesisHiring provides Tenant Companies (deployers) with the information necessary to use the Platform in accordance with the AI Act and to fulfil their obligations under Article 26.

7.1 Provider Identity

NOESIS HIRING LTD, 167-169 Great Portland Street, London W1W 5PF, United Kingdom. Contact: privacy@noesishiring.ai. DPO: Antonio Specchia.

7.2 Intended Purpose and Reasonably Foreseeable Misuse

The Platform is intended to support recruitment and selection processes by providing AI-assisted analysis of applicant CVs, AI-assisted candidate communications (subject to Hiring Manager approval), and interview-preparation synthesis for shortlisted candidates. The Platform is not intended for, and must not be used for, final hiring decisions without meaningful human review by the deployer. The principal misuse risk is over-reliance on AI-generated assessments without human review.

7.3 Performance Characteristics

The Platform's CVs' AI Assessment is probabilistic, not deterministic. Quantitative performance metrics (precision, recall, false-positive rate, parse-success rate, by-cohort fairness measures) are provided to Tenant Companies under NDA on request. Qualitative characterisation: the assessment is designed as a decision-support tool, not a decision-maker, and Tenant Companies should expect — and design their workflows around — the need for human review of all consequential outputs.

7.4 Human Oversight Measures

See Section 8.

7.5 Cybersecurity

Cybersecurity measures comprise authentication, tenant isolation, default-deny access controls, pre-deployment configuration parity checks, encryption in transit (TLS) and at rest, and a policy against PII in operational logs. See Section 9.

7.6 Computational and Hardware Resources

The Platform is delivered as a hosted SaaS service; deployers do not provide infrastructure. Network access and a modern browser are sufficient.

7.7 Expected Lifetime and Maintenance

The Platform is actively maintained. Material changes that affect performance characteristics or risk profile are notified to Tenant Companies at least 30 days in advance in accordance with DPA §9.2.

7.8 Logging and Traceability for Deployers

Tenant Companies have access to their Tenant-scoped activity logs through the Platform's administrative interface (Tenant Console).

Data-flow detail. For the categories of personal data sent to each sub-processor and the transfer mechanism applied to each, see the Data Flow Diagram Appendix to the DPA.

8. Human Oversight (Article 14)

The Platform is designed to support effective human oversight by Tenant Company users (Hiring Managers) in accordance with Article 14. It gathers and structures applicant data so as to support, not replace, human decision-making.

8.1 Design Principle

AI-generated outputs are decision-support. Consequential decisions are made by human Hiring Managers.

8.2 Decision-Making Processes within the Platform

  • Human Hiring Managers are the sole agents of all decisions.
  • AI-generated fabrication and anomaly flags route applicants to manual review by a Hiring Manager.
  • The Platform never filters out applicants; because the AI is never in charge of a decision, there is no automated decision for a Hiring Manager to override.
  • Compensatory reasoning gives the Hiring Manager a fuller picture of a candidate's profile, reinforcing human accountability for the decision.
  • All AI-composed candidate communications are initiated from a Hiring Manager's stated intent and are reviewed and approved by the Hiring Manager before sending.
  • Designated never-automated action categories — including rejection communications, employment offers, salary negotiation, contract dispatch, and background-check initiation — are always human-driven.

8.3 Tools to Interpret Outputs and Mitigate Automation Bias

The Platform surfaces assessment scores together with the reasoning underlying the assessment (within the limits of the underlying foundation models' explainability), and surfaces fabrication and anomaly flags prominently. The Platform's UX is designed to support deliberate human review rather than passive acceptance of AI outputs.

8.4 Override and Intervention

Hiring Managers retain control at every decision-making stage of the workflow: AI-generated output is one input to their own deeper, more comprehensive assessment, and they may set it aside at any point.

Reference: NoesisHiring's internal Platform Guidelines articulate the human-control commitment in technical detail (available to supervisory authorities and qualified auditors under NDA).

9. Accuracy, Robustness, Cybersecurity (Article 15)

9.1 Accuracy

NoesisHiring's accuracy measures include continuous model evaluation against validation datasets, telemetry of model outputs (provider, model, version, latency, tokens, parse-success), and parse-success monitoring for AI-generated content. Quantitative metrics are declared to Tenant Companies under NDA per Section 7.3.

9.2 Robustness

The Platform is designed to fail explicitly rather than silently. Robustness measures include timeout handling on all external AI sub-processor calls, explicit-failure surfacing of degraded outputs, no silent fallback to incorrect outputs, and graceful degradation when sub-processors are unavailable.
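What "fail explicitly rather than silently" looks like at the call boundary is worth showing concretely. The following is an added example, not the Platform's code; the assessment schema (a `score` in [0, 1] plus a `rationale`), the `Outcome` statuses and the four constructed sub-processor stand-ins are assumptions. The wrapper applies a timeout to the sub-processor call, validates the parsed output against the expected schema, and returns a typed outcome with no default score, so a caller cannot mistake a degraded result for a real assessment.

```python
import json
import time
from concurrent.futures import ThreadPoolExecutor
from concurrent.futures import TimeoutError as FutureTimeout
from dataclasses import dataclass
from typing import Callable, Optional

# Hypothetical shape of an assessment returned by a sub-processor.
REQUIRED_KEYS = {"score", "rationale"}


@dataclass(frozen=True)
class Outcome:
    status: str             # "ok" | "timeout" | "error" | "unparseable" | "invalid"
    result: Optional[dict]  # populated only when status == "ok"
    detail: str = ""
    parse_success: bool = False


def validate_assessment(parsed: object) -> dict:
    """Schema check: an output that parses as JSON can still be wrong."""
    if not isinstance(parsed, dict):
        raise ValueError("output is not a JSON object")
    missing = REQUIRED_KEYS - set(parsed)
    if missing:
        raise ValueError(f"missing keys: {sorted(missing)}")
    score = parsed["score"]
    if isinstance(score, bool) or not isinstance(score, (int, float)) \
            or not 0.0 <= score <= 1.0:
        raise ValueError("score outside [0, 1]")
    if not isinstance(parsed["rationale"], str) or not parsed["rationale"].strip():
        raise ValueError("empty rationale")
    return parsed


def assess(invoke: Callable[[], str], timeout_s: float) -> Outcome:
    """Call a sub-processor and turn every failure into an explicit Outcome.

    There is deliberately no default score: a caller that wants a number
    must check status == "ok" first.
    """
    executor = ThreadPoolExecutor(max_workers=1)
    try:
        future = executor.submit(invoke)
        try:
            raw = future.result(timeout=timeout_s)
        except FutureTimeout:
            return Outcome("timeout", None, f"no response within {timeout_s}s")
        except Exception as exc:  # transport or provider error
            return Outcome("error", None, f"{type(exc).__name__}: {exc}")
    finally:
        executor.shutdown(wait=False)
    try:
        parsed = json.loads(raw)
    except (TypeError, ValueError) as exc:
        return Outcome("unparseable", None, str(exc), parse_success=False)
    try:
        return Outcome("ok", validate_assessment(parsed), parse_success=True)
    except ValueError as exc:
        return Outcome("invalid", None, str(exc), parse_success=True)


# Constructed stand-ins for sub-processor behaviour.
def healthy() -> str:
    return json.dumps({"score": 0.72,
                       "rationale": "8 years of relevant Python experience."})


def truncated() -> str:
    return '{"score": 0.72, "rationale": "8 years of'  # cut off mid-stream


def out_of_range() -> str:
    return json.dumps({"score": 7.2, "rationale": "scale confusion"})


def hanging() -> str:
    time.sleep(0.5)
    return healthy()


def decide(outcome: Outcome) -> str:
    """What is surfaced to the Hiring Manager: a score, or an explicit gap."""
    if outcome.status == "ok":
        return f"assessment available (score {outcome.result['score']:.2f})"
    return f"assessment unavailable: {outcome.status} ({outcome.detail})"


if __name__ == "__main__":
    for name, fn in [("healthy", healthy), ("truncated", truncated),
                     ("out_of_range", out_of_range), ("hanging", hanging)]:
        print(name, "->", decide(assess(fn, timeout_s=0.1)))
```

The distinction between `unparseable` and `invalid` matters for the Article 12 parse-success field: a truncated stream and a well-formed but out-of-range score are different failure modes, and collapsing either into a placeholder score of 0 would be exactly the silent failure Section 3.1 lists as a risk.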

9.3 Cybersecurity

  • Authentication of all Platform users with role-based access controls (SuperAdmin, Admin, Hiring Manager, Recruiter, Viewer, Consultant, Partner);
  • Logical tenant isolation, with default-deny access between tenants enforced at the Firestore rules layer;
  • Pre-deployment configuration parity checks to prevent misconfiguration;
  • A policy against storing Applicant personal data in operational logs;
  • Encryption of personal data in transit (TLS) and at rest, as set out in DPA §3.3;
  • Incident-response and business-continuity procedures (see Sections 11 and 12).

10. Conformity Assessment & CE Marking

As a provider of high-risk AI under Annex III §4, NoesisHiring is conducting the conformity assessment procedure based on internal control under Annex VI of the AI Act. The procedure is documented in NoesisHiring's internal technical documentation (see Section 5).

Timeline. NoesisHiring commits to completing the conformity assessment, issuing the EU Declaration of Conformity (Article 47), applying CE marking (Article 48 — electronic CE marking, given the digital nature of the system), and registering the system in the EU database for high-risk AI systems (Article 49) on or before 2 August 2026, in line with the AI Act's transitional provisions.

Harmonised standards. NoesisHiring is monitoring the development of harmonised standards under CEN-CENELEC JTC 21 and will adopt them as they are finalised and cited in the Official Journal. Pending those standards, NoesisHiring is implementing ISO/IEC 42001 (AI management systems); implementation is in progress.

11. Post-Market Monitoring (Article 72)

NoesisHiring operates a post-market monitoring system in accordance with Article 72. The system is documented in a separate Post-Market Monitoring Plan held internally and made available to supervisory authorities upon request.

11.1 Activities

  • Continuous performance evaluation of the Platform against accuracy and robustness criteria;
  • Anomaly tracking and triage, drawing on the telemetry collected under Article 12;
  • Incident-report corpus capturing reported anomalies, near-misses, and customer-reported issues;
  • Quarterly review of technical documentation against system changes;
  • A canary/stable release cascade for controlled rollout of changes that affect AI processing.

11.2 Feedback into Risk Management

Post-market monitoring data is fed back into the risk-management system (see Section 3) on a continuous basis.

11.3 Tenant Company Reporting Channel

Tenant Companies can report performance concerns, incidents, or suspected anomalies via privacy@noesishiring.ai or through the in-Platform support channel.

12. Serious Incident Reporting (Article 73)

NoesisHiring has established a serious-incident reporting procedure in accordance with Article 73.

12.1 Definition

A serious incident is defined in Article 3(49) as an incident or malfunction that directly or indirectly leads to: death or serious damage to health; serious and irreversible disruption of critical infrastructure; infringement of fundamental rights obligations under EU law; or serious damage to property or environment. For a recruitment-AI platform, the most relevant category is infringement of fundamental rights obligations — including systematic discriminatory outcomes against protected groups.

12.2 Detection

Serious incidents may be detected through internal monitoring (post-market monitoring under Section 11), Tenant Company reports, Applicant complaints, or supervisory-authority notifications.

12.3 Reporting Timeline

Upon establishing a causal link (or the reasonable likelihood of one) between an incident and the Platform, NoesisHiring will report the incident to the relevant national market-surveillance authority immediately, and in any event no later than 15 days after the date of awareness, in accordance with Article 73(2). For events involving widespread infringement or serious and irreversible disruption of critical infrastructure, the reporting deadline is shortened to no later than two days after awareness, in line with Article 73(3).

12.4 Cooperation

NoesisHiring cooperates with investigating authorities, provides relevant technical documentation under the conditions of Article 78, and supports any corrective measures necessary.

12.5 Tenant Company Notification

Where a serious incident affects Tenant Company data, the Tenant Company is also notified in accordance with the personal data breach procedure in DPA §4, to the extent applicable.

13. Deployer Obligations (Article 26)

Tenant Companies, as deployers of a high-risk AI system, are responsible for the following obligations under Article 26.

  • Use in accordance with instructions (Art. 26(1)). Use the Platform in accordance with NoesisHiring's instructions for use and the intended purpose described in Section 7.2.
  • Human oversight (Art. 26(2)). Assign human oversight to natural persons who have the necessary competence, training, authority, and support to exercise oversight effectively — the Hiring Manager role.
  • Input data (Art. 26(4)). Ensure that input data is relevant and sufficiently representative for the intended purpose. Encourage Applicants to submit accurate and reasonably comprehensive CVs.
  • Monitoring (Art. 26(5)). Monitor the operation of the Platform on the basis of the instructions for use. Where there are reasons to consider that the system poses a risk under Article 79(1), inform NoesisHiring without undue delay.
  • Logging (Art. 26(6)). Keep automatically generated logs to the extent under the deployer's control, for a period appropriate to the intended purpose and at least 6 months unless the deployer is a microenterprise or otherwise provided by national law.
  • Worker information (Art. 26(7)). Before deploying the Platform in their workplace, inform workers and their representatives that they will be subject to the use of a high-risk AI system. This information must be provided in accordance with applicable national or Union rules on worker information and consultation.
  • DPIA cooperation (Art. 26(9)). Where the deployer is required to conduct a Data Protection Impact Assessment under Article 35 GDPR, cooperate with NoesisHiring and use the information in this statement and in the DPA to inform the assessment.
  • Supervisory cooperation (Art. 26(12)). Cooperate with national competent authorities on the implementation of the AI Act.

14. Fundamental Rights Impact Assessment (Article 27)

Under Article 27(1), the following deployers are required to conduct a Fundamental Rights Impact Assessment (FRIA) prior to deploying the Platform: bodies governed by public law; private entities providing public services; deployers using high-risk AI systems referred to in Annex III §5(b) or §5(c) (creditworthiness, life and health insurance — not applicable to the NoesisHiring use case).

For most NoesisHiring Tenant Companies — private-sector employers — the FRIA is not strictly required by Article 27. NoesisHiring nevertheless recommends that all Tenant Companies consider conducting a FRIA-equivalent assessment as a matter of best practice, particularly where the Platform will materially affect access to employment.

Content of the FRIA (where required). The assessment shall describe: (a) the deployer's processes in which the high-risk AI system will be used; (b) the period of time and frequency of use; (c) the categories of natural persons and groups likely to be affected; (d) the specific risks of harm; (e) the implementation of human oversight measures per the instructions for use; (f) the measures to be taken in the case of materialisation of those risks, including governance and complaint mechanisms.

Tenant Companies should use this AI Act compliance statement, the DPA, and the Data Flow Diagram Appendix as primary inputs to a FRIA. The result must be notified to the market-surveillance authority in accordance with Article 27(3), using the template adopted by the AI Office under Article 27(5).

15. Updates to this Statement

NoesisHiring may update this statement to reflect changes in applicable EU AI Act provisions, harmonised standards, sub-processors, or platform features.

Material changes — including any change to the risk classification, the addition of a new AI system component, a change in conformity-assessment route, a change to human-oversight measures, or a change in sub-processors — will be notified to Tenant Company Super Admins at least thirty (30) days before taking effect and will require re-attestation via the Account Settings page.

Non-material changes (typographical corrections, clarifications, updated cross-references) will be reflected in the version history without re-attestation.

Tenant attestation. By confirming AI Act compliance in your Account Settings, you (the Tenant Company) confirm that you have read this statement, understand your obligations as a deployer of high-risk AI under Article 26, and use NoesisHiring's outputs in accordance with the human-oversight requirements outlined above.

NOESIS HIRING LTD

167-169 Great Portland Street, London W1W 5PF, United Kingdom

DPO: Antonio Specchia · privacy@noesishiring.ai

Legal notices: legal@noesishiring.ai


Client-only document

This document is available in the client account dashboard.