Compliant hiring across borders.
Hiring across the EU, UK and US means navigating GDPR, the EU AI Act and EEOC requirements simultaneously. One misstep can mean seven-figure fines or months of legal remediation. Treegarden was built compliance-first — so every regulation is handled natively, not patched in as an afterthought.
The compliance risks hiding in your recruitment process
These are not hypothetical scenarios. They are the daily reality for HR teams recruiting across multiple jurisdictions without purpose-built compliance tooling.
GDPR fines up to 4% of global revenue
Storing candidate CVs indefinitely, failing to process erasure requests within 30 days, or lacking a lawful basis for processing recruitment data can trigger enforcement action. In 2025, EU data protection authorities issued over 2.1 billion euros in GDPR fines — and recruitment data processing is an increasingly common target.
EU AI Act uncertainty for automated screening
AI-assisted candidate screening is classified as high-risk under the EU AI Act. If your ATS uses AI to rank, filter or score candidates without mandatory human oversight, explainable scoring and bias monitoring, you face compliance exposure that most vendors have not yet addressed.
US EEOC reporting requirements
Companies with 100+ employees must file annual EEO-1 reports with demographic hiring data. Collecting this data compliantly — voluntarily, separately from the application, with proper disclosures — requires purpose-built forms that most ATS platforms do not provide natively.
Candidate data scattered without audit trail
CVs in email inboxes, notes in spreadsheets, interview feedback in Slack threads, reference checks in shared drives. When a DPA or regulatory body asks who accessed what data and when, most HR teams cannot answer — because the data trail does not exist in any single system.
Compliance built into the architecture, not layered on top.
Six compliance capabilities that turn regulatory requirements from a manual burden into automated, auditable workflows.
GDPR native
Every candidate record tracks lawful basis, consent status and retention period. Article 21 opt-out requests are processed automatically. Article 22 human review queues ensure no automated decision is made without recruiter oversight. Right-to-erasure workflows anonymise or delete data within configurable timeframes. Automatic CV deletion runs on schedule — no manual intervention required.
EU AI Act compliance
Treegarden treats AI-assisted screening as a high-risk use case. Bias detection dashboards monitor scoring patterns across protected characteristics. Human oversight queues require a recruiter to review every AI recommendation before action is taken. Explainable scoring shows per-criterion breakdowns. Incident reporting workflows flag and log any anomalous AI behaviour for regulatory review.
EEOC data collection and reporting
Compliant voluntary self-identification forms are presented separately from the application to prevent screening bias. Disposition data is tracked by protected category. EEO-1 Component 1 reports are generated automatically. All collection follows EEOC guidelines for voluntary disclosure with proper notice language.
FCRA-compliant background checks
Integrated background check workflows follow the Fair Credit Reporting Act requirements: pre-adverse action notice, candidate dispute period, adverse action notification and proper document retention. All steps are logged with timestamps and linked to the candidate record for audit purposes.
ADA accommodation tracking
Track accommodation requests from the application stage through onboarding. Document interactive process conversations, record accommodation decisions with rationale, and maintain a confidential audit trail that is stored separately from the candidate's general application data to prevent bias in hiring decisions.
Complete audit trail, 2FA and geo-restrictions
Every action in the system is logged with timestamp, user identity, IP address and action type. Two-factor authentication is enforced for all users. Geo-restriction policies limit data access by location. Role-based permissions ensure only authorised personnel can access sensitive candidate data. The full audit log is immutable and exportable for regulatory review.
Every compliance feature your legal team will ask for.
Fourteen compliance capabilities included as standard — no add-on modules, no premium tiers, no extra cost.
What compliance leaders say
We were using three different tools to handle GDPR compliance for recruitment — a spreadsheet for consent tracking, a calendar reminder for deletion deadlines, and manual email workflows for subject access requests. With Treegarden, all of that is automated. When our DPO ran the annual audit, we could export the full audit trail in minutes instead of spending a week reconstructing it from email records.
No compliance add-on. No premium tier.
Every compliance feature — GDPR workflows, AI Act safeguards, EEOC reporting, audit trail, 2FA — is included in every Treegarden plan. Compliance is not an upsell. It is the foundation the entire platform is built on.
Common questions about compliance and data privacy
Everything you need to know before your legal team signs off.
How does Treegarden handle GDPR compliance for recruitment data?
Treegarden is GDPR-native. Every candidate record includes lawful basis tracking, automatic consent expiry, Article 21 opt-out processing, Article 22 human review queues for AI-assisted decisions, right-to-erasure workflows and configurable data retention policies with automatic CV deletion. All processing activities are logged in an immutable audit trail.
Is Treegarden compliant with the EU AI Act for recruitment screening?
Yes. Treegarden treats AI-assisted candidate screening as a high-risk use case under the EU AI Act. The platform includes bias detection dashboards, mandatory human oversight queues where a recruiter must review every AI recommendation before action is taken, explainable scoring with per-criterion breakdowns, and incident reporting workflows for flagged decisions.
Does Treegarden support EEOC reporting requirements?
Yes. Treegarden collects voluntary EEO self-identification data through compliant application forms, tracks disposition data by protected category, and generates EEO-1 Component 1 reports. The data collection forms follow EEOC guidelines for voluntary disclosure and are presented separately from the application to prevent bias in the screening process.
What does Treegarden's audit trail cover?
Every action in Treegarden is logged with timestamp, user identity, IP address and action type. This includes candidate stage moves, AI score generation and review decisions, data access events, consent changes, deletion requests, email communications and document uploads. The audit trail is immutable and exportable for regulatory review.
How does automatic data retention work in Treegarden?
Treegarden lets you configure data retention policies per job, per department or globally. When a retention period expires, candidate CVs and personal data are automatically anonymised or deleted according to your policy. Candidates receive advance notification before deletion. You can set different retention periods for hired candidates versus rejected candidates, and override retention on a per-candidate basis when legally required.
Can candidates exercise their data rights through Treegarden?
Yes. Treegarden provides a candidate self-service portal where applicants can view their stored data, download a full data export (Article 15 subject access request), update or correct their information, withdraw consent, request erasure and opt out of automated processing. All requests are logged and tracked through to completion with SLA monitoring.
Compliance is not a feature you add later. It is the foundation you build on.
Treegarden gives HR and compliance leaders the infrastructure to recruit across jurisdictions without regulatory risk — GDPR, EU AI Act, EEOC and FCRA compliance built into every workflow, every decision and every audit trail.