SOC 2-ready / ISO 27001-aligned
Security readiness
Role-based access, audit logs, least-privilege service access, encrypted transport, retention jobs, and administrator review flows are implemented as product controls.
TRUST & COMPLIANCE
Last updated: 2026-04-18
Intrvio is designed for structured AI-assisted interviews where humans remain accountable for hiring decisions. This page describes the controls available today and the compliance posture we use in sales materials. We do not claim SOC 2, ISO 27001, or ISO 42001 certification unless a signed third-party report or certificate is available.
Security and privacy contact: hello@intrvio.com
Intrvio by FORLYZE LTD
GDPR / UK GDPR / KVKK supporting
Candidate notices, DPA support, data deletion requests, retention settings, privacy contact fields, and sub-processor transparency are available for customer review.
ISO 42001 / EU AI Act readiness
GAIA outputs are advisory. Employer reviewers see transcripts, score rationale, and human review controls before making any hiring decision.
NYC LL144 / EEOC-oriented export support
Bias audit exports and review logs support independent auditors when a customer or jurisdiction requires external validation.
| Vendor | Purpose | Region | DPA | Status |
|---|---|---|---|---|
| Affinda (2026-04-27) | Candidate CV parsing and document extraction | US/EU/AU | View | Inactive |
| ElevenLabs (2026-04-27) | AI voice interview agent, speech processing, and interview conversation handling | US/EU | View | Active |
| Meta Platforms Ireland Ltd (2026-05-01) | WhatsApp Business Platform message routing and delivery | EU/Global | View | Active |
| OpenRouter (2026-04-27) | CV parsing and optional model routing for AI analysis | US | View | Active |
| Resend (2026-04-27) | Transactional email delivery | US | View | Active |
| Supabase (2026-04-27) | Database, authentication, storage, and application backend infrastructure | US/EU | View | Active |
| Twilio (2026-05-01) | SMS, phone verification, and WhatsApp Business Platform messaging delivery | US/EU | View | Active |
| Twilio (2026-04-27) | SMS and phone verification delivery | US/EU | View | Inactive |
| Vercel (2026-04-27) | Application hosting, edge middleware, and deployment infrastructure | US/EU | View | Active |
What we currently do, and what we are working on — surfaced for buyers evaluating us against EU AI Act, GDPR, SOC 2, and NYC LL144 expectations. No marketing fluff.
In production
Article 26 employer obligations supported: audit log, transparency notice, region tagging, decision-record export.
AI Act page →
In production
Data minimization, right to erasure, retention controls, EU residency option. DPA ready to sign.
DPA →
In progress
Target Q4 2026 — internal controls being prepared for independent attestation. Forward-looking.
Roadmap
On the 2027 roadmap. Scope: Information Security Management System.
Ready
Bias-audit-ready exports; independent audit pipeline documented for the four-fifths rule.
Practical guide →
Technical
TLS 1.3, AES-256, MFA, SAML SSO, Cloudflare WAF, Supabase RLS, immutable audit logs.
Security page →
Interview data flow: candidate audio is captured over an encrypted transport and encrypted at rest, the transcript is stored encrypted, and scoring is run inline. Customer content is not used to train our own models, and is not sent to a model provider for training.
Retention: candidate audio and transcript default to 365 days, configurable down to shorter windows. Early deletion is one click and is visible in the audit log.
Active sub-processors: ElevenLabs, Meta Platforms Ireland Ltd, OpenRouter, Resend, Supabase, Twilio, Vercel. See the sub-processor table on this page or the dedicated sub-processors page for the full list and change notifications.
Every interview action (start, model output, recruiter override, export, deletion) is recorded in an append-only audit log keyed by session. Logs are retained for a 6-month minimum (AI Act Art. 26(6)); 12 months configurable on request.
Report security issues to security@intrvio.com. 90-day responsible disclosure window. Good-faith security research is welcome and protected.
We provide 30 days advance notice before adding or replacing any sub-processor. Notifications are sent via email to billing/admin contacts on the account and published via RSS. Customers may object to a new sub-processor in writing within the notice period; where the objection cannot be resolved, customers may terminate the affected services.
To receive sub-processor change notifications, subscribe by email. We only use this list for sub-processor announcements.
Intrvio by FORLYZE LTD · Company number 16937650 · Registered in England and Wales