Live Workflow

Active hiring cycle — Senior Product Designer

Hiring Sequence — Active
Running autonomously
• AI executing step 6 of 10
Role described
JD generated
Posted & launched
Internal sourcing
Outreach sent
06
AI Calls
07
AI Interviews
08
Scored
09
Your review
10
Compliance
AI Call in progress — Candidate 14 of 47 — sub 800ms latency
02:34
47
Candidates contacted
13
Calls completed
8
Advancing
3 matched
Internal rediscovery
4h 22m
Time elapsed
0
Manual steps
European Union Framework 01 GDPR compliant recruiting software

General Data Protection Regulation.
European Union.

The General Data Protection Regulation applies to every organisation that processes personal data belonging to individuals located in the European Union — regardless of where that organisation is based. A company hiring candidates in Germany or France must comply with GDPR whether the company is headquartered in Bangalore, Austin, or Berlin.

For recruiting, GDPR means every piece of candidate data collected has a legal basis, is stored only as long as necessary, and can be accessed, corrected, or erased on the candidate's request. These are not optional obligations. Cumulative GDPR fines surpassed 5.88 billion euros by mid-2025 and enforcement activity has grown sharply year on year.

For recruiting, GDPR means every piece of candidate data collected has a legal basis, is stored only as long as necessary, and can be accessed, corrected, or erased on the candidate's request. These are not optional obligations. Cumulative GDPR fines surpassed 5.88 billion euros by mid-2025 and enforcement activity has grown sharply year on year.

Lawful basis for processing established and documented at first contact
Transparent privacy notice attached to every candidate communication
Right to access, rectification, and erasure supported automatically
Data retention periods enforced — candidate data deleted when the period expires
Processing log maintained throughout every hiring cycle for audit readiness
All GDPR obligations above are handled automatically by Excruit — no manual tracking required
No dedicated compliance team needed to operate the EU market
GDPR compliant recruiting software GDPR compliant recruiting software consent management recruiting data retention recruiting
GDPR — Consent and Data Lifecycle
Automated candidate data lifecycle
Privacy notice delivered on first outreach
Legally verified · attached automatically
Consent captured and logged with timestamp
Verified consent record stored
Candidate progressing through pipeline
Processing log updating automatically
Retention period expires — auto deletion
Scheduled · no manual action required
Erasure request received today
Candidate data locatedAutomatic
All records deletedExecuted — 0m 43s
Audit log entry createdDone
Audit log entry createdDone
European Union Framework 02 DPDP compliant HR tool

Digital Personal Data Protection Act.
India.

The Digital Personal Data Protection Act is India's comprehensive data privacy framework, applicable to all digital personal data processed within India and to organisations outside India that offer goods or services to Indian data principals. For hiring teams sourcing candidates through Naukri, Foundit, or any other Indian platform, DPDP compliance is not optional.

The Digital Personal Data Protection Act is India's comprehensive data privacy framework, applicable to all digital personal data processed within India and to organisations outside India that offer goods or services to Indian data principals. For hiring teams sourcing candidates through Naukri, Foundit, or any other Indian platform, DPDP compliance is not optional.

The Digital Personal Data Protection Act is India's comprehensive data privacy framework, applicable to all digital personal data processed within India and to organisations outside India that offer goods or services to Indian data principals. For hiring teams sourcing candidates through Naukri, Foundit, or any other Indian platform, DPDP compliance is not optional.

Notice provided in clear, plain language before any data is processed
Consent obtained and recorded for every Indian market candidate
Purpose limitation enforced — data used only for the role it was collected for
Data principal rights (access, correction, erasure, grievance) supported automatically
Reasonable security safeguards applied to all candidate data at rest and in transit
All GDPR obligations above are handled automatically by Excruit — no manual tracking required
All GDPR obligations above are handled automatically by Excruit — no manual tracking required
GDPR compliant recruiting software GDPR compliant recruiting software consent management recruiting data retention recruiting
DPDP — India Market Compliance Status
Data principal rights — this quarter
Report
Right to Access
14 requests · all fulfilled automatically
edit
Right to Correction
<3 requests · updated in platform
trash
Right to Erasure
6 requests · all actioned within 24h
trash
Grievance Redressal
Automated acknowledgement within 1 hour
Consent status — Indian market candidates
Total candidates processed1,847
Consented and logged1,847 (100%)
Purpose-limited recordsEnforced by platform
European Union Framework 03 CCPA recruiting software

California Consumer Privacy Act.
United States.

The California Consumer Privacy Act grants California residents significant rights over the personal information businesses collect about them. Amended and strengthened by the California Privacy Rights Act in 2023, CCPA now applies broadly to businesses processing California residents' personal data — including candidates applying for roles regardless of where the hiring company is located.

For recruiting, CCPA means candidates have the right to know what personal information was collected about them, the right to delete it, and the right to opt out of the sale or sharing of their personal information. Businesses must respond to verified requests within 45 days and must not discriminate against consumers who exercise their rights.

Excruit handles CCPA obligations automatically for every candidate processed in the US market. Disclosure obligations are met at first contact. Candidate data subject requests are processed through automated workflows. Opt-out mechanisms are built into the candidate-facing experience. No manual compliance management required for US-based hiring.

Right to know — disclosure of data categories collected, provided at first contact
Right to delete — candidate data erasure requests actioned within 45 days by default
Right to opt out — built into candidate-facing outreach and application flow
Non-discrimination — verified by platform architecture, rights exercise does not affect processing
Data minimisation — only information required for recruitment collected from US candidates
CCPA disclosures attached automatically to all US market outreach and application workflows
Request fulfilment within 45-day window enforced automatically by the platform
CCPA recruiting software CCPA recruiting software consent management recruiting multi framework HR compliance
CCPA — US Market Compliance View
Consumer rights requests — this month
Right to Know requests9 fulfilled automatically
Right to Delete requests4 actioned within 24h
Opt-out registrations12 logged and honoured
45-day response SLA0 breaches
Disclosure compliance
Privacy notice delivered at application
All US candidates · 100% coverage
pt-out link included in every outreach
Email and WhatsApp channels · automatic
pt-out link included in every outreach
Email and WhatsApp channels · automatic
European Union Framework 04 — Phase 3 LGPD HR software

Lei Geral de Proteção de Dados.
Brazil. Coming in Phase 3.

Brazil's General Data Protection Law is one of the most comprehensive data privacy frameworks in the Americas, closely modelled on the GDPR structure but adapted to the Brazilian legal context. It applies to any processing of personal data of individuals located in Brazil, regardless of where the processing organisation is headquartered.

For recruiting teams hiring in the Brazilian market through platforms such as Catho and InfoJobs, LGPD means obtaining valid consent before processing candidate data, limiting collection to what is necessary for the hiring purpose, and honouring data subject rights including access, correction, deletion, and portability.

Excruit's LGPD compliance module arrives in Phase 3 alongside the Catho and InfoJobs integrations and Portuguese language AI Call support. The compliance architecture for LGPD is being built to the same standard as GDPR and DPDP — automated, built into the platform, and requiring no manual operation from the HR team. Teams operating in Brazil will not need to build a separate compliance layer or manage LGPD obligations independently of their existing workflow.

Consent obtained before processing — in plain language, purpose-specific
Data subject rights: access, correction, deletion, anonymisation, portability
Data minimisation — only what is strictly necessary for recruitment
Incident notification obligations if a breach involves candidate data
Phase 3 availability
LGPD compliance and the Catho and InfoJobs integrations are scheduled for Phase 3, which activates at 30 to 50 Crore ARR. Teams planning expansion into the Brazilian market can note this in their demo session and Excruit will confirm timeline on request
LGPD HR software LGPD HR software Brazil recruiting software compliance privacy by design HR software
LGPD — Phase 3 Readiness
Capabilities landing in Phase 3
LGPD compliance dashboard active
Consent, rights, retention · fully automated
Catho and InfoJobs integrations live
Brazil market sourcing — LGPD compliant from day one
Portuguese language AI Calls
Brazilian Portuguese · same latency and quality as English
Data portability and incident notification workflows
LGPD-specific obligations · automate
European Union Framework 05 — Phase 3 Australian Privacy Act HR tool

Australian Privacy Act.
Australia. Coming in Phase 3.

The Privacy Act 1988, together with the Australian Privacy Principles it established, governs how organisations collect, hold, use, and disclose personal information in Australia. It applies to most private sector organisations with an annual turnover above $3 million, and to all organisations in specified sectors regardless of turnover — which includes most companies doing professional hiring in the Australian market.

For recruiting teams sourcing candidates through SEEK, the Australian Privacy Act means candidates must be notified of why their information is being collected and how it will be used, have the right to access and correct their personal information, and be protected from having their data disclosed to parties they have not consented to.

Excruit's Australian Privacy Act compliance module arrives in Phase 3 alongside the SEEK integration. The same Privacy by Design architecture that handles GDPR and DPDP is applied to Australian candidate data from the first interaction. Consent, retention, and rights management are automated. Hiring teams in Australia operate through the same compliance dashboard interface as those in the EU or India.

Collection notice provided at point of data collection — purpose, use, and disclosure explained
Right to access personal information — fulfilled within reasonable timeframe
Right to correction of inaccurate or outdated information
Security safeguards applied to all personal information held
Cross-border transfer restrictions honoured where applicable
Phase 3 availability
Australian Privacy Act compliance and the SEEK integration are scheduled for Phase 3. Australian teams can enquire about timeline in their demo session
Australian Privacy Act HR tool Australian Privacy Act HR tool privacy by design HR software data retention recruiting
Australian Privacy Act — Phase 3
Arriving in Phase 3 alongside SEEK
SEEK integration live
Australia's primary job board · fully integrated
Collection notice automation
Australian Privacy Principle 5 · built into outreach
Access and correction workflows
Self-serve for candidates · automated for HR team
English (AU) AI Calls
Australian accent · already in Phase 2 English support
Ethical commitment candidate right to explanation AI

Every candidate deserves to know
how they were evaluated.

When Excruit completes an AI Interview with a candidate, it generates a Right to Explanation report. The report is sent to every candidate who completes the process — whether they advance to the next stage or not. It explains which criteria were evaluated, how the candidate performed against each one, and what the outcome was.

This is not a legal requirement. No jurisdiction currently mandates that automated hiring systems explain their decisions to candidates in this way. It is an ethical commitment built into the platform architecture because using AI to evaluate a person's career prospects and then providing no visibility into that evaluation is not a standard worth accepting.

The Right to Explanation report serves a practical function too. Candidates who receive clear, specific feedback — even when the outcome is not what they hoped for — are far more likely to speak positively about the hiring company and the process. Candidate experience at this stage is a meaningful part of employer brand whether or not the organisation is tracking it.

Every report is generated automatically. No recruiter time is required to produce it, review it, or send it. It is part of what happens at the end of every AI Interview, for every candidate, on every role.

Generated automatically for every AI Interview completion — no recruiter action required
Sent regardless of outcome — advancing and not-advancing candidates receive it equally
Covers evaluation criteria, performance signals, and outcome — not a boilerplate rejection
candidate right to explanation AI candidate right to explanation AI privacy by design HR software automated candidate interview
Right to Explanation — Candidate Report
icon
Your Interview Evaluation — Senior Backend Engineer
Automatically generated · sent within 10 minutes of completion
You were evaluated against 4 criteria drawn from the role requirements: Node.js proficiency, system design depth, API architecture, and communication quality.
Your strongest signals were in API architecture (Score: 91) and communication quality (Score: 88). The system probed deepest on distributed system failure modes.
The area where your responses were less developed was system design at scale — specifically the trade-offs between consistency and availability under load.
Overall score: 84 of 100. You have been added to the shortlist for human review by the hiring team.
Excruit COMMITMENT
Every candidate who completes an AI Interview receives this report. Selected or not. No exceptions.
Architecture principle

Why Privacy by Design
matters more than
Privacy by Compliance.

Most software is built first and audited for compliance afterward. A legal team reviews the product. GDPR features are added to satisfy regulators. A compliance dashboard is bolted onto a platform that was not designed with one in mind. The result is a product that is technically compliant but structurally fragile — one where compliance obligations are met through features you activate rather than principles the architecture enforces.

Excruit was built the other way. Every data interaction in the platform was designed with the question — is this the minimum necessary, is it consented, and is it auditable? — built into the decision. The five compliance frameworks are not features. They are the outcome of building an architecture where the right thing to do with candidate data is also the default thing the platform does.

Principle 01
Proactive, not reactive
Compliance obligations are anticipated and addressed in the platform design — not identified after a regulatory review and patched onto an existing system. Every jurisdiction Excruit operates in was considered before the first line of code for that market was written.
Principle 02
Privacy as the default
Data minimisation, consent collection, and retention limits are the default behaviour of the platform — not settings you have to activate. A recruiter who has never read a GDPR article runs a GDPR-compliant process by default because the system will not allow anything else.
Principle 03
Full transparency
Every candidate knows exactly how their data is being processed and why. Every data subject rights request is logged and auditable. Every compliance obligation is visible in the dashboard in real time. There are no hidden data flows and no manual tracking of obligations that may or may not have been completed.
Markets and compliance

Which framework applies
in which market.

Excruit applies the correct compliance framework to each candidate automatically, based on their jurisdiction. An HR team hiring simultaneously in India, the EU, and the United States does not need to manually track which obligations apply to which candidate. The platform handles it.

Excruit applies the correct compliance framework to each candidate automatically, based on their jurisdiction. An HR team hiring simultaneously in India, the EU, and the United States does not need to manually track which obligations apply to which candidate. The platform handles it.

India
India
DPDP · Naukri RMS API · Foundit · English and Hindi
Active
US
United States
CCPA · Indeed · LinkedIActiven · English (US)
Active
US
European Union
GDPR · LinkedIn · local job boards · English (UK)
Active
Australia
Australia
Australian Privacy Act · SEEK · English (AU)
Phase 3
brazil
Brazil
LGPD · Catho · InfoJobs · Portuguese
Phase 3
Compliance coverage comparison

What other platforms cover.
What Excruit covers.

Honest assessment of compliance coverage across the platforms most commonly compared with Excruit. No claims that are not supported by each platform's published documentation.

Compliance capability Workable Recruitee HireBound Excruit
GDPR compliance right icon Partial right icon
CCPA compliance right icon Partial right icon
DPDP compliance (India) right icon Partial right icon
LGPD compliance (Brazil) right icon right icon Phase 3
Australian Privacy Act right icon right icon Phase 3
Automatic consent collection right icon Partial right icon
Right to erasure workflow right icon right icon right icon
Data minimisation enforcement Manual right icon ✓ Automatic
Automated processing logs right icon right icon right icon
Multi-framework single dashboard right icon right icon right icon
Right to Explanation for AI decisions right icon right icon ✓ Every candidate
Privacy by Design architecture right icon right icon ✓ Built in
Assessment based on published documentation and product pages for each platform as of early 2025. Partial indicates documented capability in one jurisdiction only or compliance features available only on specific pricing tiers. Excruit Phase 3 capabilities are scheduled and not yet live.

Why five frameworks matter more than
one done well.

The instinct when building compliance into a recruiting platform is to solve the most immediate regulatory problem first. For a European-founded company, that usually means GDPR. For a US company, CCPA. The problem with building jurisdiction-by-jurisdiction is that you end up with a compliance patchwork rather than a compliance architecture — different standards applied inconsistently across markets, different levels of automation in different regions, and a growing cost of maintenance as each new framework requires retrofitting.

Excruit was built for global operation from the first version. The five frameworks — GDPR for the EU, DPDP for India, CCPA for the United States, LGPD for Brazil, and the Australian Privacy Act — were all considered in the architectural decisions made before any candidate data flowed through the platform. Consent collection, data minimisation, retention enforcement, and rights management are standard behaviours of the system applied to every candidate in every market. The compliance dashboard shows the state of all active frameworks in one view because the underlying architecture treats them as one unified concern, not five separate problems.

This matters practically for teams hiring across borders. A company with offices in Mumbai, London, and San Francisco is subject to DPDP, GDPR, and CCPA simultaneously when sourcing candidates. Managing those obligations separately — different tools, different manual processes, different people responsible for each — is not only expensive but inherently unreliable. One missed consent collection in the wrong jurisdiction carries real regulatory and reputational risk.

The Right to Explanation commitment adds a dimension no other recruiting platform has attempted. When an AI system influences a hiring decision, the affected person has a reasonable expectation of understanding how. The GDPR's Article 22 provisions on automated decision-making gesture toward this obligation for EU candidates, but Excruit extends it to every candidate in every market regardless of whether the local law requires it. The report is not a legal minimum. It is the standard the platform was designed to meet.

What does Privacy by Design mean in practice for an HR team using Excruit?
It means you do not have to configure compliance. The platform's default behaviour is already compliant. Consent is collected before any candidate data is processed. Data minimisation is enforced by what fields the platform collects. Retention periods trigger automatic deletion. A recruiter who has never heard of GDPR runs a GDPR-compliant process because the platform does not allow anything else.
Does Excruit require a dedicated compliance team to operate?
No. The Compliance Dashboard is designed to be operated by an HR manager without legal or compliance expertise. Every obligation across the five frameworks runs automatically. The dashboard shows the current state of compliance across all active markets in real time. It surfaces anything that requires human attention. Most of the time, there is nothing to action because the platform has already actioned it
How does Excruit know which compliance framework to apply to a specific candidate?
The platform determines jurisdiction from the candidate's location at the point of data collection. A candidate applying from Germany triggers GDPR handling. A candidate applying from California triggers CCPA handling. A candidate applying from India triggers DPDP handling. Where candidates apply from multiple locations across a single role, each candidate's data is governed by the framework appropriate to their jurisdiction — not a single framework applied to all.
What exactly does the Right to Explanation report contain?
It contains four things. The criteria the candidate was evaluated against, drawn directly from the Role Context Graph built for that specific role. Their performance against each criterion, based on signals from the AI Call and AI Interview. The areas where their responses were strongest and the areas where they were less developed. And the outcome — whether they are advancing to human review or not. It is a specific, honest account of how the evaluation was conducted, not a boilerplate message.
What happens when a candidate submits a right to erasure request?
The workflow runs automatically. The platform locates all data associated with that candidate across all systems, executes the deletion, creates an audit log entry, and sends a confirmation to the candidate — all without requiring any manual action from the HR team. For GDPR the workflow completes within the legally required timeframe. The same standard applies across DPDP and CCPA requests regardless of framework-specific timelines.
When will LGPD and Australian Privacy Act support be available?
Both frameworks are scheduled for Phase 3, which activates at the 30 to 50 Crore ARR milestone. Phase 3 also brings the SEEK integration for Australia and the Catho and InfoJobs integrations for Brazil, alongside Portuguese language AI Call support for the Brazilian market. Teams planning expansion into those markets can raise it in their demo session for a current timeline estimate.
Built for global hiring from day one

Five frameworks.
One conversation to start.

See how Excruit manages compliance across every market your team hires in — automatically, from a single dashboard.

Book a Demo Get Early Access