
Sample Compliance Score Report

52 automated checks across GDPR, EU AI Act Article 52, SOC 2 Trust Criteria, and ISO 27001 foundations.

Sample report — illustrative data
Score: 54/100
vibehr.app · scanned 23 Jun 2026, 09:14 UTC
Compliance Status: Non-compliant — action required
Framework scores: GDPR 48 · EU AI Act 38 · SOC 2 61 · ISO 27001 72
Findings: 3 Critical (P0) · 5 High (P1) · 8 Medium (P2) · 32 checks passed · 52 total checks
⚠️ EU AI Act enforcement is now live — fines up to €35M
vibehr.app processes employee data using AI-assisted candidate scoring. Under EU AI Act Article 52, any AI system interacting with users or producing decisions about individuals must disclose its AI nature. This app does not. Enforcement by national supervisory authorities began August 2, 2026.

Framework breakdown

GDPR
48/100
16 checks · 8 passed · 5 failed · 3 warnings
Missing Privacy Policy, cookie consent, and Right to Erasure implementation. No DPA with sub-processors.
EU AI Act Article 52
38/100
12 checks · 5 passed · 7 failed
No transparency disclosure. AI decision-making not documented or auditable. Human oversight mechanism absent.
SOC 2 Trust Criteria
61/100
14 checks · 9 passed · 5 failed
No audit log for privileged actions. Incident response procedure not published. Vendor risk assessment absent.
ISO 27001 Foundations
72/100
10 checks · 7 passed · 3 failed
HTTPS and headers present. Missing: formal information security policy, asset register, access review procedure.

Critical & high findings

P0 Critical · GDPR · No Privacy Policy detected · Art. 13 & 14

No Privacy Policy — immediate GDPR violation

vibehr.app collects name, email, CV data, and AI-generated candidate scores. Under GDPR Articles 13 and 14, you must provide data subjects with a privacy notice at the point of collection. No linked Privacy Policy was found on any page. This is the most commonly cited enforcement trigger by EU supervisory authorities.

Required actions
1. Draft a Privacy Policy covering: data categories collected, legal basis for each, retention periods, sub-processor list, data subject rights (access, erasure, portability, rectification), DPO contact or supervisory authority details.
// Add to every page footer and signup form:
<a href="/privacy">Privacy Policy</a> · <a href="/terms">Terms of Service</a>
// Legal basis options for HR AI: Art. 6(1)(b) contract, Art. 6(1)(f) legitimate interest (requires LIA), or Art. 6(1)(a) consent.
// Recommendation: seek legal review before publishing — incorrect legal basis is itself a violation.
P0 Critical · EU AI Act · AI outputs displayed without disclosure · Art. 52(1)

No AI transparency disclosure — Art. 52 violation

The candidate scoring interface presents AI-generated fit scores as direct results, with no disclosure that outputs are AI-generated. EU AI Act Article 52(1) requires that any AI system designed to interact with users must inform them it is an AI — clearly, before interaction begins. This applies to your scoring UI, any chatbot features, and automated CV parsing results. Enforcement is live as of August 2, 2026.

Required disclosure (add to every AI-generated output)
// In your UI — before or alongside any AI-generated result:
"This score was generated by an AI system. It is advisory only.
Human review is required before any hiring decision."
// In your privacy policy — document the AI system:
- System name, provider, and version
- Input data categories used for scoring
- Accuracy limitations and known biases
- Human oversight mechanism
// High-risk AI note: AI used in employment decisions may be classified as high-risk under Annex III. If so, full conformity assessment required before deployment.
P0 Critical · GDPR, EU AI Act · Cookies set before user consent · ePrivacy · Art. 6

Analytics and tracking cookies fired before consent

Network inspection shows 4 third-party cookies (Google Analytics, Intercom, Hotjar, LinkedIn Insight) being set immediately on page load, before any consent interaction. The ePrivacy Directive requires prior, informed consent for non-essential cookies. GDPR Art. 6 requires a valid legal basis — consent for analytics is not implied by browsing. The current implementation violates both.

Required fix
// 1. Block all non-essential scripts until consent is given:
Use a CMP (Consent Management Platform) — Cookiebot, Osano, or Usercentrics.
// 2. Do NOT load analytics on page load. Load only on consent callback:
consentManager.on('accept', (categories) => {
  if (categories.analytics) loadGoogleAnalytics();
});
// 3. Maintain a cookie audit register (name, provider, purpose, duration, legal basis) — required for demonstrating GDPR accountability.
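The fix above has three parts: a default state of "nothing granted", script loading that happens only inside the consent callback, and a register to reconcile against what the browser actually sets. The following is an added example, not code from the report or from vibehr.app, showing all three together. `ConsentManager`, the category names, `SCRIPT_REGISTRY` and the placeholder script URLs are assumptions for illustration; a real deployment would delegate the consent state to the CMP named above.

```javascript
// Added example (not the report's or vibehr.app's own code): a consent gate that
// keeps non-essential scripts unloaded until the matching purpose category is
// granted. `ConsentManager`, the category names and SCRIPT_REGISTRY are
// assumptions for illustration; the URLs are placeholders, not vendor endpoints.

// Constructed registry: each third-party script is tagged with the consent
// category it needs. Only 'essential' may load before any consent interaction.
const SCRIPT_REGISTRY = [
  { id: 'session',   category: 'essential', src: null },
  { id: 'analytics', category: 'analytics', src: 'https://example.invalid/analytics.js' },
  { id: 'heatmap',   category: 'analytics', src: 'https://example.invalid/heatmap.js' },
  { id: 'ads-pixel', category: 'marketing', src: 'https://example.invalid/pixel.js' },
];

class ConsentManager {
  constructor() {
    // Default is "nothing granted": consent is never implied by browsing.
    this.consent = { essential: true, analytics: false, marketing: false, functional: false };
    this.handlers = { accept: [], withdraw: [] };
  }

  on(event, handler) {
    this.handlers[event].push(handler);
  }

  // Record the user's per-purpose choice (granular categories) and notify listeners.
  accept(categories) {
    for (const name of Object.keys(categories)) {
      if (name in this.consent && name !== 'essential') {
        this.consent[name] = Boolean(categories[name]);
      }
    }
    for (const h of this.handlers.accept) h({ ...this.consent });
  }

  // Withdrawal must be as easy as giving consent (GDPR Art. 7(3)).
  withdraw(category) {
    if (category in this.consent && category !== 'essential') this.consent[category] = false;
    for (const h of this.handlers.withdraw) h({ ...this.consent });
  }
}

// Load every registered script whose category is currently permitted.
// `loader` is injected so the gate can run without a DOM; in a page it would
// append a <script> element. Returns the ids loaded by this call.
function loadPermitted(cm, registry, loader, alreadyLoaded) {
  const loadedNow = [];
  for (const entry of registry) {
    if (alreadyLoaded.has(entry.id)) continue;
    const permitted = entry.category === 'essential' || cm.consent[entry.category] === true;
    if (!permitted) continue;
    if (entry.src) loader(entry.src);
    alreadyLoaded.add(entry.id);
    loadedNow.push(entry.id);
  }
  return loadedNow;
}

// Cookie audit register check: any cookie observed in the browser that has no
// register entry is a gap in the accountability record.
function unregisteredCookies(observedNames, register) {
  const known = new Set(register.map((r) => r.name));
  return observedNames.filter((n) => !known.has(n));
}

function demo() {
  const cm = new ConsentManager();
  const loaded = new Set();
  const requests = [];
  const loader = (src) => requests.push(`GET ${src}`);

  // Page load: only the essential script is permitted.
  console.log('on load:', loadPermitted(cm, SCRIPT_REGISTRY, loader, loaded));
  // Analytics loads only inside the consent callback, never on page load.
  cm.on('accept', () => console.log('after consent:', loadPermitted(cm, SCRIPT_REGISTRY, loader, loaded)));
  cm.accept({ analytics: true, marketing: false });
  console.log(requests);
}
demo();
```

The useful check to automate is the one the scanner ran: drive the page with no consent interaction and assert that the request list contains only first-party and essential resources. Running `loadPermitted` before `accept` returns only `session` and makes no third-party request; after `accept({ analytics: true })` the two analytics scripts load and the marketing pixel stays blocked.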
P1 High · GDPR · No DPA with sub-processors identified · Art. 28

No Data Processing Agreements with sub-processors

vibehr.app passes CV and personal data to OpenAI (for scoring) and Resend (for email delivery). GDPR Article 28 requires a signed Data Processing Agreement with every sub-processor before any personal data is transferred. Both OpenAI and Resend provide standard DPAs — they must be executed and documented in your records of processing activities (RoPA).

Action checklist
1. Sign OpenAI DPA: platform.openai.com/docs/guides/privacy
2. Sign Resend DPA: resend.com/legal/dpa
3. Document both in your sub-processor list (publish in Privacy Policy)
4. Create a RoPA entry for each processing activity (Art. 30)
// If OpenAI servers are in the US: also complete an International Data Transfer Assessment (IDTA) or rely on SCCs under Art. 46.
P1 High · EU AI Act · AI decision-making — no human oversight mechanism · Art. 14 & Annex III

No human-in-the-loop for AI hiring decisions

The candidate scoring system produces rankings that influence hiring outcomes. AI systems used in employment and worker management are classified as high-risk under EU AI Act Annex III, Point 4. High-risk systems require human oversight mechanisms that allow qualified persons to understand, monitor, and override AI outputs. No such mechanism was found in the current UI.

Required implementation
1. Add an explicit "Override score" or "Reject recommendation" action on every AI scoring card — with mandatory reason capture.
2. Log all human review decisions (accepted / overridden / rejected) with timestamp and reviewer ID.
3. Include in documentation: how a human can interpret the score, known accuracy limits, and demographic bias testing results.
// Full Annex III conformity assessment required if you serve EU customers. Notified body review may be needed depending on deployment scale.
P1 High · GDPR · No erasure / right-to-be-forgotten endpoint · Art. 17

No Right to Erasure mechanism for data subjects

GDPR Article 17 grants individuals the right to have their personal data erased without undue delay. vibehr.app stores candidate CVs, contact details, and AI-generated scores with no mechanism for candidates to request deletion. You must respond to erasure requests within 30 days and have a documented procedure for honoring them — including deletion from any sub-processors holding copies of the data.

Required actions
1. Add a "Delete my data" link in all candidate-facing emails and any account UI.
2. Implement a soft-delete + hard-delete pipeline — purge from DB and from any backups within 30 days of request.
3. Trigger erasure requests to OpenAI and Resend for any data forwarded to them.
// Minimal endpoint pattern:
POST /api/gdpr/erasure ← authenticated, logs request + timestamp
// Scheduled job: purge records where erasure_requested_at < NOW() - 30d
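The soft-delete + scheduled hard-delete pipeline from the actions above, written out as an added example against an in-memory store (this is not the report's or vibehr.app's code). The row shape, the 7-day reversal grace window, the vendor labels in `forwarded_to` and the sample rows are assumptions for illustration; the 30-day outer deadline is the one the finding states.

```javascript
// Added example (not the report's or vibehr.app's own code): the soft-delete +
// scheduled hard-delete pipeline behind an authenticated POST /api/gdpr/erasure
// handler. Row shape, grace window, vendor labels and sample rows are assumed.

const DAY_MS = 24 * 60 * 60 * 1000;
const ERASURE_DEADLINE_MS = 30 * DAY_MS; // outer bound: purge completed within 30 days of request
const REVERSAL_GRACE_MS = 7 * DAY_MS;    // assumed window in which an accidental request can be cancelled

// Constructed sample store. `forwarded_to` records which sub-processors hold a
// copy of the candidate's data, so erasure can be propagated to them.
function sampleStore() {
  return {
    candidates: new Map([
      ['c-100', { email: 'ana@example.invalid', cv_ref: 'blob:cv-100', score: 71,
                  erasure_requested_at: null, forwarded_to: ['llm-scoring-vendor', 'email-vendor'] }],
      ['c-101', { email: 'ben@example.invalid', cv_ref: 'blob:cv-101', score: 58,
                  erasure_requested_at: null, forwarded_to: ['email-vendor'] }],
      ['c-102', { email: 'cho@example.invalid', cv_ref: 'blob:cv-102', score: 64,
                  erasure_requested_at: null, forwarded_to: [] }],
    ]),
    audit: [],
  };
}

// Request path (the endpoint handler body): mark the row, log the request with
// a timestamp, and stop using the data. Nothing is hard-deleted here, so the
// call is cheap and safe to repeat.
function requestErasure(store, candidateId, actorId, now) {
  const row = store.candidates.get(candidateId);
  if (!row) return { ok: false, reason: 'not_found' };
  if (row.erasure_requested_at === null) {
    row.erasure_requested_at = now.toISOString();
    row.score = null; // soft-deleted rows drop out of scoring immediately
  }
  store.audit.push({ action: 'erasure.requested', target_id: candidateId,
                     actor_id: actorId, ts: now.toISOString() });
  const dueBy = new Date(Date.parse(row.erasure_requested_at) + ERASURE_DEADLINE_MS);
  return { ok: true, due_by: dueBy.toISOString() };
}

// Scheduled job: hard-delete rows whose grace window has elapsed and emit one
// downstream erasure task per sub-processor that received a copy.
function purgeDue(store, now) {
  const purged = [];
  const downstream = [];
  for (const [id, row] of store.candidates) {
    if (row.erasure_requested_at === null) continue;
    if (Date.parse(row.erasure_requested_at) + REVERSAL_GRACE_MS > now.getTime()) continue;
    for (const vendor of row.forwarded_to) downstream.push({ vendor, candidate_id: id });
    store.candidates.delete(id);
    store.audit.push({ action: 'erasure.purged', target_id: id, ts: now.toISOString() });
    purged.push(id);
  }
  return { purged, downstream };
}

// Monitor: requests still present past the 30-day deadline, meaning the job did
// not run or failed. This count is the one that must stay at zero.
function overdueErasures(store, now) {
  const overdue = [];
  for (const [id, row] of store.candidates) {
    if (row.erasure_requested_at !== null &&
        Date.parse(row.erasure_requested_at) + ERASURE_DEADLINE_MS <= now.getTime()) overdue.push(id);
  }
  return overdue;
}

function demo() {
  const store = sampleStore();
  const t0 = new Date('2026-06-23T09:14:00Z');
  console.log(requestErasure(store, 'c-100', 'c-100', t0));
  console.log(purgeDue(store, new Date(t0.getTime() + 1 * DAY_MS))); // inside grace: nothing purged
  console.log(purgeDue(store, new Date(t0.getTime() + 8 * DAY_MS))); // c-100 purged, two vendor tasks
  console.log(overdueErasures(store, new Date(t0.getTime() + 31 * DAY_MS)));
}
demo();
```

The `downstream` tasks are the hook for step 3 (propagating the request to each sub-processor); they belong in a durable queue with retries, since a vendor API failure must not silently leave a copy behind. Backups are the remaining edge: if snapshot retention is longer than the deadline, either rotate them faster or keep a tombstone list that is re-applied on restore.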
P1 High · SOC 2, ISO 27001 · No audit logging for privileged actions · CC7.2 · A.12.4.1

Admin actions are not logged or tamper-evident

SOC 2 CC7.2 and ISO 27001 A.12.4.1 both require logging of privileged user actions — account creation, data exports, configuration changes — in a tamper-evident log. vibehr.app's admin panel performs all actions without generating an audit trail. This also constitutes a GDPR accountability failure (Article 5(2)).

Implementation pattern
// Add to every admin route handler:
await db.insert('audit_log', {
  actor_id: req.user.id,
  action: 'candidate.export',
  target_id: candidateId,
  ip: req.ip,
  ts: new Date().toISOString()
});
// Retain logs ≥ 12 months. Use append-only storage — prevent deletion by app-level users. Alert on anomalies (bulk exports, off-hours access).
P1 High · GDPR · No data breach notification procedure · Art. 33 & 34

No breach detection or 72-hour notification procedure

GDPR Articles 33 and 34 require notification to the supervisory authority within 72 hours of becoming aware of a personal data breach, and notification to affected individuals if the breach poses a high risk to their rights. vibehr.app has no documented breach detection, escalation path, or notification procedure. In the event of an incident, this gap can convert a manageable breach into a maximum fine scenario.

Minimum viable breach procedure
1. Define "personal data breach" for your team (unauthorized access, accidental exposure, ransomware, sub-processor incident).
2. Designate a breach response lead. Set up a dedicated escalation email (e.g. security@vibehr.app).
3. Document a 72-hour checklist: contain → assess scope → notify authority → notify individuals (if high risk) → post-incident review.
4. Register for your supervisory authority's breach portal in advance (UK: ICO; IE: DPC; DE: BSI varies by Länder).
// Failure to notify within 72 hours is itself a violation, independent of the breach severity. Document every decision with timestamps.

Medium findings (8)

Priority | Finding | Framework | Reference
P2 | Cookie banner missing granular purpose categories (analytics / marketing / functional) | GDPR | Art. 7 · Rec. 32
P2 | No Terms of Service / Acceptable Use Policy published | SOC 2 | CC1.1
P2 | No DPIA completed for AI-based candidate screening (high-risk processing) | GDPR | Art. 35
P2 | No incident response runbook or on-call escalation path published | SOC 2 | CC7.3
P2 | Data retention periods not defined — CV data stored indefinitely | GDPR | Art. 5(1)(e)
P2 | No formal information security policy document (internal or published) | ISO 27001 | A.5.1.1
P2 | AI system training data sources not documented or disclosed | EU AI Act | Art. 10
P2 | No vendor risk assessment process for critical sub-processors | SOC 2, ISO 27001 | CC9.2 · A.15.1

What passed (32 checks)

✓ HTTPS enforced
✓ HSTS header present
✓ X-Frame-Options: DENY
✓ CSP header present
✓ Cookies: Secure + HttpOnly
✓ No secrets in client JS
✓ Authentication required for data routes
✓ JWT expiry set (<24h)
✓ Contact email reachable
✓ No malware detected
✓ SSL cert valid (>60d)
✓ No open S3 buckets detected
✓ robots.txt present
✓ MFA available for admin login
✓ Password hashing: bcrypt
✓ SOC 2 — Availability: uptime monitoring present
✓ SOC 2 — Logical access: role-based permissions
✓ ISO 27001 — Patch management: deps updated <30d
✓ No known CVEs in detected dependencies
✓ Rate limiting on API (detected)
✓ Error tracking (Sentry) present
✓ Subresource integrity on CDN assets
✓ GDPR — Referrer-Policy: strict-origin
✓ GDPR — No third-party fonts with PII leakage
✓ Data encrypted at rest (Supabase AES-256)
✓ Data encrypted in transit (TLS 1.3)
✓ Account deletion: basic flow present
✓ SOC 2 — Backup: daily snapshots configured
✓ No iframe injection vectors detected
✓ CORS: restrictive origin policy
✓ ISO 27001 — Physical security: cloud-hosted, no on-prem
✓ EU AI Act — No prohibited use cases detected (biometrics, social scoring)
This is a sample

Get your real compliance score in 3 minutes.

Enter your app URL. 52 automated checks across GDPR, EU AI Act, SOC 2, and ISO 27001. The full paid report ($799) includes: AI policy analysis, template documents (Privacy Policy, DPA, Incident Response), prioritised fix roadmap with effort estimates, and Fractional CTO sign-off on every finding.
