EU AI Act

We file a fundamental rights impact assessment per role-type. Human-in-the-loop is enforced at the dashboard layer: you decide who to interview, not the model. Conformity assessment ongoing. Article 50 transparency obligations met (candidates told they are interacting with AI, with the option to opt out).

NYC Local Law 144

NYC roles surface an LL144 banner to candidates with audit summary, the 4/5ths rule outcomes, and the opt-out path. The latest audit report (Holistic AI, Q1 2026) is one click away from every job listing.

GDPR / UK GDPR

We score and rank. A human makes the hire decision. Candidates can request human review of any score, deletion of any artefact, or a full data export at any time. We respond within 14 days; legally we have 30. See /trust/privacy.

Illinois AIVIA

Candidates in Illinois receive the AIVIA notice before recording. They consent or opt out. Recordings used only for evaluation; deleted on request or 30 days after role closes, whichever comes first.

EEOC · Title VII

Every assessment is monitored at the role level for adverse impact across protected categories declared by the candidate (voluntary, post-decision). If the 4/5ths ratio drops below 0.8, we surface it to you and pause syndication.

UK Equality Act 2010

Same monitoring framework as EEOC, applied to UK protected characteristics. Reasonable adjustments (extra time, dyslexia mode, screen-reader compatibility) available on candidate request, no flag against them.

California ADMT (proposed)

We are tracking the proposed California Automated Decision-Making Technology rule. Picked's existing posture (explainability, human-in-the-loop, candidate opt-out) is expected to satisfy the published draft. We will update when final.

SOC 2 Type II

Type II observation window Q3 to Q4 2026. Letter of attestation expected end of Q4 2026. Type I observation window completed Q2 2026. See /trust/security#soc-2.

United Kingdom.

UK GDPR (Article 22). UK Equality Act 2010. ICO registration 09910326623. Data residency in London.

European Union.

GDPR (Article 22). EU AI Act (high-risk). Country-specific employment law observed via customer-side controllers. Data residency in London under adequacy.

United States.

EEOC Title VII. NYC LL144 for NYC employers. Illinois AIVIA for Illinois employers. California ADMT tracking. ADA reasonable accommodation.

Rest of world.

Compliance via Stripe-supported regions. Data residency choice on enterprise contracts. Customer-side controller maps employment-law obligations.

Pre-filled vendor security questionnaire (SIG Lite), DPA, sub-processor list, SOC 2 letter, model card, latest bias audit. One zip. Reply within one business day.