
Compliance, privacy, and AI safety at Scorafy

Scorafy is built for regulated education, NFP, and HR contexts. This page is the public answer to the procurement, privacy, and AI governance questions our customers and their lawyers actually ask.

Last updated: June 2026

At a glance

How Scorafy approaches compliance

  • GDPR-aligned
  • AUS Privacy Act
  • EU AI Act-ready
  • Human-in-the-loop
  • Data minimisation by design
  • ACN 688 133 977

How we process your data

Scorafy processes two kinds of personal data on behalf of our customers (assessment owners): (1) the customer's own account and billing data, and (2) the personal data of respondents who complete an assessment. The customer is the data controller for respondent data; Scorafy is the data processor under Article 28 GDPR and an equivalent processor under the Australian Privacy Principles.

Lawful basis (Art 6 GDPR)

  • Contract. Processing necessary to provide the Scorafy service to the customer under the Terms of Service. Account, billing, support, and platform operation rely on this basis (Art 6(1)(b)).
  • Legitimate interests. Service operation, security, fraud prevention, internal analytics, and product improvement, balanced against the data subject's rights and freedoms (Art 6(1)(f)).
  • Consent. Optional cookies (analytics) and any future opt-in feature where the customer or respondent actively grants permission (Art 6(1)(a)). Consent can be withdrawn at any time.

Purposes

  • Delivering assessments and AI-generated reports to the customer.
  • Transcribing audio and video answers to enable AI scoring.
  • Billing the customer for subscription tiers and usage.
  • Sending transactional email (account, reports, security).
  • Operating, securing, and improving the platform.

We do not sell personal data and we do not use customer or respondent data to train AI models. Our subprocessor agreements with Anthropic, Deepgram, and other AI vendors prohibit training on customer-supplied data.

Data minimisation

The highest-leverage privacy control on Scorafy is the per-assessment option to delete the original recording immediately after a respondent submits, retaining only the transcript and the AI analysis that runs on it.

  • Opt-in per assessment. The assessment owner turns this on at the assessment level. It is not a hidden default and it is not buried in account settings.
  • Transcript-success precondition. The original media file is only deleted once the transcript has been successfully generated and stored. If transcription fails, the original is retained so the work can be recovered.
  • Irreversible delete. Once the original recording is removed it cannot be restored, by us or by the customer. The transcript becomes the canonical record of the response.
  • Less stored, less risk. Most assessment workflows only need the words. Removing the recording removes the voice biometric and the on-camera image from your retained dataset.

Human-in-the-loop

Every AI score on Scorafy is decision-support, not decision-making. A human reviewer is always in the loop before a result is treated as final.

  • AI suggests, humans decide. For every scored question the AI proposes a score based on the respondent's answer and your criteria. Reviewers can override the AI-calculated total on any scored question, with the override applied on save.
  • Audit trail preserved. When a reviewer overrides an AI score, the original AI value is preserved on the response alongside the human-final number. Per-criterion rubric reasoning produced by the model is also retained on the AI report. You always have the record of what the model said and what the human did.
  • Not a black box. Each AI-suggested score is produced against the rubric criteria you defined, with the respondent's answer as the evidence the model is reasoning over.
  • Designed for EU AI Act readiness. Assessment-style AI is treated as a high-risk use case under the EU AI Act, with substantive obligations applying from August 2026. Scorafy is designed so the operator can demonstrate meaningful human oversight on every individual outcome, not just at the policy level. Conformity assessment and external certification are buyer-side activities; we provide the technical and procedural building blocks.

PII retention

Retention is set per assessment, not globally, so workflows with different legal obligations can live side by side in the same account.

  • 1 to 3650 days, or indefinite. The assessment owner chooses the retention window when they configure the assessment.
  • Owner-controlled lifecycle. When the window expires, respondent-identifying fields are removed from the response on Scorafy's schedule. Aggregate, non-identifying data may be retained for the assessment owner's analytics.
  • Explicit by default. Retention is shown on the assessment configuration, not hidden in a separate compliance screen, so the answer to "how long do you keep this?" is always one click away.
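The two lifecycle rules described on this page (delete the original recording only once the transcript is safely stored, from the Data minimisation section, and the per-assessment retention window from this section) as one added worked example in TypeScript. This is illustrative code written for this page, not Scorafy's own implementation: the record shape, the field names, the synchronous transcribe and delete callbacks, and the choice of which fields count as respondent-identifying are all assumptions.

```typescript
// Added illustration, not Scorafy's code. Models a response record in memory
// and applies the lifecycle rules described on the compliance page.
// Field names and the record shape are assumptions.

type ResponseRecord = {
  id: string;
  respondentEmail: string | null;   // identifying field (assumed classification)
  respondentName: string | null;    // identifying field (assumed classification)
  mediaRef: string | null;          // original audio/video object; null once deleted
  transcript: string | null;        // free text; treated as potentially identifying here
  aiScore: number | null;           // aggregate, non-identifying; kept after expiry
  submittedAt: Date;
  identityRemovedAt: Date | null;
};

type AssessmentRetentionConfig = {
  deleteMediaAfterTranscript: boolean;  // opt-in per assessment, off unless the owner enables it
  retentionDays: number | null;         // 1..3650, or null for indefinite
};

// Transcription is modelled as a synchronous call that throws on failure so the
// example runs without a real speech-to-text backend (assumption).
type Transcribe = (mediaRef: string) => string;
type DeleteMedia = (mediaRef: string) => void;

// Rule 1 (data minimisation): the original recording is deleted only when
// (a) the assessment owner opted in and (b) a transcript was generated and stored.
// If transcription fails, nothing is deleted and the record is returned unchanged.
function finalizeSubmission(
  res: ResponseRecord,
  cfg: AssessmentRetentionConfig,
  transcribe: Transcribe,
  deleteMedia: DeleteMedia,
): ResponseRecord {
  if (res.mediaRef === null) return res;          // nothing left to minimise
  let transcript: string;
  try {
    transcript = transcribe(res.mediaRef);
  } catch {
    return res;                                    // precondition not met: retain the original
  }
  const withTranscript: ResponseRecord = { ...res, transcript };
  if (!cfg.deleteMediaAfterTranscript) return withTranscript;
  deleteMedia(res.mediaRef);                       // irreversible: transcript is now canonical
  return { ...withTranscript, mediaRef: null };
}

// Rule 2 (retention window): 1 to 3650 whole days, or null meaning indefinite.
function validateRetentionDays(days: number | null): boolean {
  return days === null || (Number.isInteger(days) && days >= 1 && days <= 3650);
}

// Rule 3 (owner-controlled lifecycle): once the window has elapsed, strip the
// respondent-identifying fields but keep the non-identifying score for analytics.
// An indefinite window never expires; an already-scrubbed record is left alone.
function applyRetention(
  res: ResponseRecord,
  cfg: AssessmentRetentionConfig,
  now: Date,
): ResponseRecord {
  if (cfg.retentionDays === null || res.identityRemovedAt !== null) return res;
  const expiresAt = res.submittedAt.getTime() + cfg.retentionDays * 86_400_000;
  if (now.getTime() < expiresAt) return res;
  return {
    ...res,
    respondentEmail: null,
    respondentName: null,
    transcript: null,
    mediaRef: null,
    identityRemovedAt: now,
  };
}
```

The order of operations in finalizeSubmission is the point: the delete call is only reachable after transcribe has returned successfully, so a transcription outage can never leave a response with neither recording nor transcript.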

Candidate choice on biometric data

Voice and on-camera image are biometric data under GDPR. Scorafy lets the assessment owner give respondents a lower-footprint option without losing assessment fidelity.

  • Audio-only option. Owners can let respondents choose audio instead of video, reducing the biometric footprint to voice alone.
  • Graded identically. Audio responses are transcribed and assessed against the same rubric and grading schema as video responses. The respondent is not penalised for choosing the lower-footprint option.
  • Pairs with data minimisation. Combined with the immediate-delete-after-transcript toggle, an audio-only response can be reduced to a text transcript shortly after submission.

Subprocessors and international transfers

Scorafy uses the following subprocessors to deliver the platform. Each is contracted under its own data processing terms and handles only the data described.

Vendor. Region. What they process.

  • Supabase. Dublin, Ireland (eu-west-1). Database, file storage, and authentication.
  • Anthropic (Claude Sonnet 4.5). United States. AI report generation. Customer data is not used to train models.
  • Deepgram (Nova-3). United States. Audio and video transcription.
  • Stripe. United States / Australia. Subscription billing and payment processing.
  • Resend. United States. Transactional email (account, report delivery).
  • Vercel. Global edge network. Application hosting and edge delivery.
  • Google (LLC). United States. Web analytics (Google Analytics 4). Loaded only after the visitor accepts analytics cookies. Not invoked for assessment data, candidate responses, or report contents.

The customer database and stored files reside in Supabase's Dublin, Ireland (eu-west-1) region. AI processing through Anthropic and transcription through Deepgram run in the United States; processing is transient and is not used to train third-party models under our agreements.

EU and UK transfer mechanism

Where personal data is transferred outside the European Economic Area or the United Kingdom (for example, to a US-based subprocessor named above), we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914) incorporated into each subprocessor's data processing agreement, together with the UK International Data Transfer Addendum where applicable. Each subprocessor publishes its current SCC-incorporated DPA, available on request.

Australian Privacy Principle 8 (cross-border disclosure)

Cognitiv Pty Ltd is an Australian entity. For Australian customers and respondents we rely on Australian Privacy Principle 8: we take reasonable steps to ensure each overseas subprocessor handles personal data consistently with the APPs, including by entering data processing agreements with material terms equivalent to the APPs. Customers requiring an alternative transfer arrangement should contact us before onboarding.

Adding or changing subprocessors

We will publish a material change to this list on this page before a new subprocessor begins processing customer data. Enterprise customers can request advance notification by email.

Security measures (Article 32 GDPR)

The platform implements the technical and organisational measures appropriate to the nature of the data processed:

  • TLS in transit. All client connections to Scorafy use TLS 1.2 or higher. API and storage endpoints redirect any non-HTTPS request.
  • Row-level isolation at rest. Postgres row-level security policies prevent cross-organisation reads and writes at the database level, not just the application layer. The lockdown policies are recorded in version-controlled migrations.
  • Credential hygiene. API keys are hashed at rest; webhook payloads are HMAC-signed; service-role keys are held only on the server and rotate on incident.
  • Storage scoping. Uploaded audio, video and document files are written to bucket paths namespaced by response id, with server-controlled paths preventing arbitrary writes. Signed URLs expire on a short window.
  • Authentication. Account access uses email and password via Supabase Auth, with email verification and password reset; team members are added by secure invite link. Sessions are short-lived and refreshed via secure HTTP-only cookies.
  • Rate limiting. Public submission, internal review, and AI report endpoints are individually rate-limited to prevent abuse and runaway cost.
  • No model training on customer data. Our agreements with Anthropic (Claude), Deepgram, and other AI vendors prohibit using customer-supplied content for model training.
  • Activity records. Authentication events are logged by Supabase Auth, billing and subscription events are recorded, and records carry creation and update timestamps with the acting user where applicable.
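An added illustration of the credential hygiene bullet above (API keys hashed at rest, webhook payloads HMAC-signed), written in TypeScript against Node's built-in crypto module. It is example code written for this page, not Scorafy's implementation: the key format, the signature header layout, and the five-minute replay window are assumptions, and the constant-time comparison is the detail a reviewer would check for.

```typescript
// Added illustration, not Scorafy's code. Shows the two controls from the
// "Credential hygiene" bullet: API keys stored only as a digest, and
// HMAC-SHA256 webhook signatures with a timestamp to bound replay.
import { createHash, createHmac, randomBytes, timingSafeEqual } from 'node:crypto';

// --- API keys hashed at rest -------------------------------------------------
// Format (assumption): sk_<12 hex keyId>_<base64url secret>. The keyId is a
// non-secret index so lookup does not require hashing every stored key.
type StoredApiKey = { keyId: string; digest: string; orgId: string };

function sha256Hex(s: string): string {
  return createHash('sha256').update(s).digest('hex');
}

// The plaintext is returned once to be shown to the customer; only the digest is kept.
function issueApiKey(orgId: string): { plaintext: string; record: StoredApiKey } {
  const keyId = randomBytes(6).toString('hex');
  const secret = randomBytes(32).toString('base64url');
  const plaintext = `sk_${keyId}_${secret}`;
  return { plaintext, record: { keyId, digest: sha256Hex(plaintext), orgId } };
}

// Resolve a presented key to its owning organisation, or null.
function authenticateApiKey(presented: string, store: ReadonlyArray<StoredApiKey>): StoredApiKey | null {
  const m = /^sk_([0-9a-f]{12})_[A-Za-z0-9_-]+$/.exec(presented);
  if (m === null) return null;
  const rec = store.find((r) => r.keyId === m[1]);
  if (rec === undefined) return null;
  const given = Buffer.from(sha256Hex(presented), 'hex');
  const stored = Buffer.from(rec.digest, 'hex');
  // Length check first: timingSafeEqual throws on unequal lengths.
  return given.length === stored.length && timingSafeEqual(given, stored) ? rec : null;
}

// --- HMAC-signed webhook payloads ---------------------------------------------
// Header value (assumption): "t=<unix seconds>,v1=<hex hmac>". The timestamp is
// part of the signed string so an attacker cannot change it independently.
const MAX_SKEW_SECONDS = 300;

function signWebhook(secret: string, timestampSeconds: number, body: string): string {
  const mac = createHmac('sha256', secret).update(`${timestampSeconds}.${body}`).digest('hex');
  return `t=${timestampSeconds},v1=${mac}`;
}

// Receiver side: verify over the raw body bytes, reject stale timestamps, and
// compare in constant time. Any malformed header yields false rather than throwing.
function verifyWebhook(secret: string, header: string, body: string, nowSeconds: number): boolean {
  const parts: Record<string, string> = {};
  for (const piece of header.split(',')) {
    const [k, v] = piece.split('=');
    if (k !== undefined && v !== undefined) parts[k] = v;
  }
  const t = Number(parts['t']);
  const v1 = parts['v1'];
  if (!Number.isInteger(t) || v1 === undefined) return false;
  if (Math.abs(nowSeconds - t) > MAX_SKEW_SECONDS) return false;
  const expected = createHmac('sha256', secret).update(`${t}.${body}`).digest();
  const given = Buffer.from(v1, 'hex');
  return given.length === expected.length && timingSafeEqual(given, expected);
}
```

Because the stored digest is SHA-256 of a 256-bit random secret, brute-forcing it offline is infeasible, so a plain hash (rather than a slow password hash) is the appropriate choice for machine-generated keys; user-chosen passwords are a different problem and belong with Supabase Auth as the page notes.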

No certification has been claimed (we have not undergone an ISO 27001, SOC 2, or equivalent audit at our current stage). Customers can request the current Trust and Security overview by email.

Your data rights

Under the GDPR, the UK GDPR, and the Australian Privacy Principles, you can ask us to do any of the following with personal data we hold about you. Requests are handled directly. There is no ticket portal between the request and a human at Cognitiv.

  • Right of access (Art 15 GDPR / APP 12). Confirmation of whether we process your data, and a copy of that data in a readable format.
  • Right to rectification (Art 16 GDPR / APP 13). Correction of inaccurate or incomplete data.
  • Right to erasure (Art 17 GDPR). Deletion of your data where the lawful basis no longer applies, subject to any legal hold (for example, ongoing tax records).
  • Right to restriction (Art 18 GDPR). Restriction of processing while a question (accuracy, lawfulness, deletion) is resolved.
  • Right to portability (Art 20 GDPR). Your data in a structured, machine-readable format.
  • Right to object (Art 21 GDPR). Objection to processing based on legitimate interests, including direct marketing.
  • Right to withdraw consent (Art 7(3) GDPR). Where processing relies on consent (analytics cookies, opt-in features), withdrawal applies going forward and does not affect lawfulness of processing already carried out.
  • Right to not be subject to a solely automated decision (Art 22 GDPR). Scorafy is designed so that AI-suggested scores remain decision-support, not decision-making: a human reviewer is always in the loop and can override any AI score. See the Human-in-the-loop section above.
  • Right to complain to a supervisory authority (Art 77 GDPR). You can lodge a complaint with the data protection authority in your member state (find yours at edpb.europa.eu), the UK Information Commissioner's Office (ico.org.uk), or the Office of the Australian Information Commissioner (oaic.gov.au).

How to make a request

Email privacy@scorafy.com (or adam@scorafy.com; both reach the same person). Include enough information for us to verify the request, ideally the email address used on your account or the assessment.

We aim to respond within one month, consistent with Article 12(3) GDPR. Where a request is complex or numerous, we may extend by up to a further two months and will tell you within the first month if so. We do not charge for reasonable requests.

Operator vs controller

When you run assessments on Scorafy you are typically the data controller for the respondents you invite. Scorafy is the processor under Article 28 GDPR. Respondents who completed an assessment should contact the organisation that sent it to them first; if that organisation is not reachable, contact us.

Breach notification

If we become aware of a personal data breach that affects your data, we will:

  • Notify our customer (the controller) without undue delay and in any event within 72 hours of becoming aware, consistent with Article 33(2) GDPR and the equivalent notification timeline under the Australian Notifiable Data Breaches scheme.
  • Provide a description of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures we are taking to address and mitigate the breach.
  • Assist the controller in meeting the controller's own obligation to notify the supervisory authority and, where required, the affected data subjects.
  • Maintain a record of the breach, our analysis, and remediation actions.

Where Scorafy is itself the controller (for example, account billing data), we will notify the relevant supervisory authority and affected individuals consistent with Articles 33 and 34 GDPR and equivalent obligations in our other operating jurisdictions.

Cookies and analytics

Scorafy uses two categories of cookies:

  • Strictly necessary. Authentication, session, and security cookies. These are required for the site to function and cannot be turned off.
  • Analytics (optional). Google Analytics 4 cookies for aggregate usage statistics. These load only after you accept analytics cookies in our consent banner. Declining analytics cookies does not affect site functionality.

We do not use advertising or cross-site tracking cookies. Our analytics provider (Google LLC) processes IP-derived behavioural data only when consent is granted, and is listed as a subprocessor above.

You can withdraw cookie consent at any time by clearing your site preferences or using your browser's cookie controls.

Privacy contact and governance

Privacy contact

Adam Broons, on behalf of Cognitiv Pty Ltd.
privacy@scorafy.com (forwards to adam@scorafy.com).

Data Protection Officer (Art 37 GDPR)

Cognitiv Pty Ltd does not meet the thresholds in Article 37 GDPR that mandate the formal designation of a Data Protection Officer (we are not a public authority, our core activities do not involve large-scale systematic monitoring of data subjects, and our core activities do not involve large-scale processing of special categories of data). Adam Broons serves as the named privacy contact for all data protection matters. We will re-evaluate as the business scales.

EU representative (Art 27 GDPR)

We monitor whether Article 27 obligations apply (Cognitiv is established in Australia; processing of EU data subjects may require the appointment of an EU representative). At our current scale and processing profile we believe the Article 27(2) derogations apply; we will revisit and appoint a representative if our processing changes.

Children's data

Scorafy is built for adult assessment use cases (vocational training, professional development, coaching, HR, education at tertiary and corporate level). We do not knowingly collect personal data from children under 16 in the EU/UK, or under the equivalent local age of consent under Article 8 GDPR. If you believe a child's data has been collected, contact us and we will delete it.

Updates to this page

This page is updated as our processing changes. Material changes (new subprocessor, new lawful basis, changed retention) are flagged here and notified by email to customer-account holders.

Entity

Cognitiv Pty Ltd | ACN 688 133 977 | scorafy.com