Every procurement question. Answered.
If a question isn't here, it's not because we don't have an answer — it's because nobody's asked it yet. Ask us anything at enterprise@proveiq.in.
Will you sign a BAA / DPA?
Yes. A Business Associate Agreement and a Data Processing Agreement are both mutually executable at contract signing. Our templates are GDPR and DPDP Act 2023 cross-compliant, meaning a single contract covers both Indian and EU/UK customers without a sub-processor renegotiation.
Redlines are welcomed. Our average turnaround on customer-side redlines is 5 business days; complex mutual-indemnity clauses may take longer. Signing-day BAA is available on request for customers on the Scale or Global pack.
Where is customer data stored?
Indian VPS only. All verification records, candidate PII, recruiter activity logs and audit events are stored on data centres physically located in India. No cross-border replication by default, and no backup copy leaves the subcontinent.
Customers requiring separate single-tenant data residency can elect the dedicated residency add-on, which provisions a physically isolated compute and storage tenant shared with no other customer. Residency attestations are issued annually on request.
Do you have SOC 2?
SOC 2 Type II engagement is scheduled for Q3 2026. Auditor name, scope and the observation-period start date will be published on engagement start. We do not pre-announce Type I without a committed Type II follow-through, and we do not market a “SOC 2 compliant” label without an issued report.
In the interim, our ISO 27001-style internal controls are documented and shareable under NDA. Customers requiring a Type II letter before contract can request the engagement letter as interim evidence. We disclose the gap honestly rather than claim coverage we have not earned.
What's your DPDP refit timeline?
There is no refit. ProveIQ was architected DPDP-native from schema v1. Consent versioning, retention-clock fields, deletion hooks and minor-handling rules are native to the data model, not patched in a compliance sprint.
A DPIA template is available for your legal team to run against your own recruiter workflows. The DPDP Act is already in force; the data-fiduciary compliance deadline is 2027-05-13. Customers already in production do not need a change window for DPDP compliance on the ProveIQ side.
How do you handle DSR (Data Subject Request) requests?
7-day deletion SLA per DPDP §13. Every DSR is logged with a customer-facing audit entry showing the receiving team, the deletion window and the completion timestamp. Audit log exports are downloadable from the customer admin console without filing a ticket.
Consent versioning is pinned to every candidate interaction, so any DSR request is answered with the exact consent record that authorised data processing. This means a defensible chain-of-custody if a request escalates to a regulator.
What's your breach notification SLA?
72-hour customer notification plus CERT-In co-notification per DPDP §8(6). The 72-hour clock starts when ProveIQ security engineering confirms scope, not when a tip-off is first received. Customer incident contacts on file are notified in parallel with CERT-In.
A public breach log lives on /trust/breach, and every incident is disclosed there within 7 days of root-cause analysis completion. We do not suppress breaches that affect only one customer or one data type — the log is comprehensive.
Can I run a pen-test?
Yes, customer-observed pen-test windows are included in the Scale and Global packs. Rules-of-engagement are mutually agreed before the window opens; scope typically covers the recruiter application, the ATS bridge webhooks and the candidate-facing verification flow.
The customer's security team observes the engagement in real time via shared channel. The final report is shared mutually under NDA. Critical and high findings receive a documented remediation plan within 30 days, shared back to the customer.
What ATS bridges exist?
Phase 1 (Q3 2026) covers Greenhouse, Lever, Workday, Freshteam, Keka Hire, Zoho Recruit and TurboHire. Each bridge pushes the verified candidate record with the full verification payload attached, so your recruiter sees the same artefact in their existing ATS that they would see in ProveIQ.
Custom bridges (SAP SuccessFactors, Oracle Taleo, bespoke internal ATS) are evaluated quarterly against Global-pack customer demand. A custom bridge is scoped with the customer's integration team and typically ships within 60-90 days of signing.
Do you do AI-resume screening?
An AI-resume-flood detector ships Q2 2026 to flag machine-generated or pattern-stuffed applicant material. This is a detector, not a ranker — the output is a signal surfaced to the recruiter, never a silent reject.
Public methodology and false-positive rate are disclosed per CO-021. We never surface a candidate to the recruiter without the AI-assisted flag if the detector fired. Recruiter judgement is preserved; the signal is transparent.
How do you handle AI-hiring bias?
The rubric used to score any candidate is customer-defined. ProveIQ does not auto-generate bias-relevant attributes (age, gender, caste, regional markers, institutional tier) into the scoring pipeline. Every candidate evaluation is auditable field-by-field.
The agreement-rate dashboard at /agreement-rate publishes recruiter-vs-ProveIQ agreement scores by cohort. If a systemic divergence appears in any demographic slice, CO-016 obligates us to publish it with the methodology. This is constitutional, not a marketing choice.
What if we cancel?
Starter GCC pack is monthly-cancellable after the minimum 90-day commitment. Scale and Global packs are annual contracts with quarterly pro-rata cancellation once minimum term is satisfied. No “contract hostage” friction — cancellation is a form, not a retention call.
Upon cancellation, all customer data is exported in a structured JSON + CSV bundle within 30 days and then fully deleted within 60 days, per DPDP retention norms. Deletion is auditable; we issue a deletion certificate on request.
Who owns the verification data?
The customer owns the recruitment artefacts. ProveIQ acts as a data processor under the DPA, not a data controller, for customer-initiated verifications. Ownership, reuse rights and export rights all sit with the customer per contract.
ProveIQ retains a 90-day processing window per DPDP §6(3) to fulfil deletion-request propagation and audit-log consistency after contract termination. Full contract language including the data-ownership clause is available on request before signing.
Still have a question?
Two direct channels. No web form with 14 fields.
Procurement-grade. Ship-grade. Day-one grade.
SSO · SCIM · audit log · DPIA template · dedicated CSM · security questionnaire answered in 48h. No demo wall for price — a per-verification anchor is published even on custom packs.