
RFP Checklist for Recruiting: 75 Questions for AI CV Screening

A proven RFP checklist for recruiting software. 75 questions to vet AI CV screening tools for scale, explainability, GDPR, security, integrations, and cost.

30 June 2026·Updated 30 June 2026·Marxel Team

Picking recruiting software under high-volume pressure is a consequential bet. Miss on scalability or compliance and you slow hiring, frustrate teams, and invite risk. Start with a focused, buyer-ready RFP that centers on measurable outcomes. If you rely on AI CV screening for automated shortlisting, your RFP must prove throughput, explainability, and GDPR compliance while fitting cleanly into your stack.

Use the 75 questions below to compare resume screening software on facts, not demos. They help you defend choices to legal, security, and finance with evidence.

Scope and success criteria

Define where the tool fits, how it will be judged, and what “good” looks like before vendor calls.

  1. Which workflows will the software support end to end (intake, deduplication, explainable scoring, shortlist approval, and ATS handoff)? Avoids costly custom build.
  2. Can it process 10,000+ resumes per day with P95 scoring latency under 5 seconds? Confirms real peak capacity.
  3. Does it support automated shortlisting using must-have rules, nice-to-have weights, and hard cutoffs? Aligns with your selection logic.
  4. Can recruiters tune weights and thresholds per role without engineering help? Prevents rigid scoring.
  5. Is AI CV screening optional and configurable per job or business unit? Allows manual flows for sensitive or regulated roles.
  6. Can you A/B test criteria sets and compare outcomes side by side? Speeds calibration and reduces debate.
  7. Does it generate an explainable shortlist with specific reasons (e.g., skill match, tenure, certification) per candidate? Builds trust with reviewers.
  8. Is the handoff to your ATS (e.g., Greenhouse, Workday, Lever) automated and field-mapped? Prevents duplicate entry and errors.
  9. Does it support UK-specific postings, Right to Work statements, and compliance notes? Closes regional gaps.
  10. How are hiring manager views tailored with role-based access controls? Minimizes clutter and data leakage.
  11. Can you search and filter across historical pipelines by skill, location, seniority, and source with fast response times? Improves re-engagement.
  12. Is there native support for multiple brands or business units with separate settings and reporting? Fits complex orgs.
  13. Are candidate communications (receipt, next steps, rejections) templated, tokenized, and tracked by stage? Ensures consistency.
  14. Will the vendor co-create a success plan with KPIs (e.g., time-to-shortlist -40%, reviewer agreement +20 pts, recruiter NPS +10)? Aligns accountability.
  15. What is the typical implementation timeline for a company your size, with milestones for SSO, ATS integration, and first live role? Sets a realistic go-live.

Capture crisp decisions during demos and stakeholder reviews. A guide to meeting transcription software for action-oriented meeting notes can help you document vendor comparisons, decisions, and follow-ups so multi-vendor evaluations stay structured.

Security and GDPR

For UK and EU hiring, require GDPR by design. Validate where data lives, how it is protected, and how you will prove compliance later.

  1. Will you sign a Data Processing Agreement and disclose subprocessors with purposes and locations? Clarifies roles and oversight.
  2. Where is data stored, and can UK/EU residency be guaranteed at the region level? Supports data sovereignty.
  3. Is the product built for GDPR-compliant CV screening (data minimization, purpose limitation, privacy by default)? Reduces compliance effort.
  4. Which lawful bases for processing are supported (e.g., Art. 6(1)(b) contract, 6(1)(f) legitimate interests)? Prevents legal exposure.
  5. How can candidates exercise access, rectification, and deletion, and what are your response SLAs? Upholds data subject rights.
  6. What are default retention periods, and can role-based policies and auto-deletion be configured? Limits unnecessary storage.
  7. Are immutable audit logs recorded for access, scoring, overrides, and exports (user, timestamp, IP, before/after)? Enables traceability.
  8. Is data encrypted in transit (TLS 1.2+) and at rest (AES‑256) with managed keys? Protects PII.
  9. Do you support SSO via SAML or OIDC, MFA, and granular role-based access? Reduces credential risk.
  10. Are annual third-party penetration tests and regular vulnerability scans performed, with summaries shared? Confirms proactive security.
  11. Is breach notification timing contractual and aligned with GDPR 72-hour requirements? Sets incident expectations.
  12. Can you logically or physically segregate customer data (separate schemas or keys) across tenants? Minimizes cross-tenant risk.
  13. Do you provide DPIA guidance or templates tailored to AI screening scenarios? Speeds internal reviews.
  14. Are model inputs, outputs, and human overrides logged and exportable for audits? Supports explainability checks.
  15. Can tenant data be excluded from cross-customer model training with a configurable control? Preserves confidentiality.

AI explainability and bias

Ask how recommendations are generated, reviewed, and governed. You should be able to explain, replicate, and challenge any score.

  1. How is the explainable shortlist produced for each role, and what evidence accompanies each recommendation? Ensures transparency.
  2. Can reviewers see feature-level reasons or SHAP-like attributions behind resume scores? Enables human oversight.
  3. Is there a required human-in-the-loop step before final decisions? Reduces automation risk.
  4. What technical and process controls prevent use of protected attributes (sex, race, age, disability)? Mitigates discrimination.
  5. Can the AI exclude proxy signals (names, pronouns, precise addresses, graduation year) that encode bias? Lowers disparate impact.
  6. Do you share bias testing results by stage and demographic with metrics like selection rate and adverse impact ratio? Shows fairness evidence.
  7. Can we run our own fairness checks in a sandbox on sample or historical data? Builds independent assurance.
  8. Are model updates versioned with release notes and a tested rollback path? Supports control and auditability.
  9. Can models and criteria be frozen during active campaigns to avoid drift? Prevents moving targets.
  10. Do you support custom job-specific rules (must-have licenses, legal disqualifiers) alongside AI? Blends policy and prediction.
  11. Are explanations written in plain language suitable for non-technical reviewers? Improves adoption and trust.
  12. Can explanations and decision trails be exported with candidate files (JSON/CSV) for audits? Simplifies evidence packs.
  13. Do you detect and flag low-confidence scores with calibrated probabilities and thresholds? Helps humans focus review.
  14. Are there throttling or minimum-candidate safeguards to avoid over-filtering small pools? Preserves fairness and options.
  15. Can we simulate criteria changes to preview shortlist impact before applying them? Aids scenario planning.

Integrations and APIs

Favor standard, well-documented connections that protect data quality and speed deployment.

  1. Do you have native integrations with major ATS platforms, kept current with vendor APIs? Cuts manual steps.
  2. Is there a documented REST API (OpenAPI/Swagger) with clear rate limits and examples? Enables custom flows.
  3. Do webhooks fire on shortlist ready, status changes, and errors with retries and signature verification? Keeps systems in sync.
  4. Can you import resumes via CSV, SFTP, or API at scale with virus scanning? Simplifies migration and spikes.
  5. Are single sign-on and SCIM 2.0 user provisioning supported? Streamlines user lifecycle.
  6. Do you integrate with HRIS or data warehouses for downstream analytics? Supports full-funnel reporting.
  7. Can we map custom fields between systems in a UI with validation and test runs? Reduces brittle workarounds.
  8. Is there a sandbox environment with non-production data and sample payloads? De-risks deployment.
  9. How do you handle API versioning and deprecations, and what notice window is guaranteed? Protects against breakage.
  10. Can you push structured reasons and scores to the ATS to preserve explainability end to end? Maintains transparency.
  11. Do you support UK date (dd/mm/yyyy), phone, and address formats in imports and exports? Avoids data errors.
  12. Is built-in deduplication available using email, name, and fuzzy match rules? Keeps records clean.
  13. Can recruiters trigger rescoring and refresh from within the ATS with idempotent calls? Improves usability.
  14. Do you support on-premise or private networking (private link, IP allowlists) where required? Addresses strict IT policies.
  15. Is there an integration partner program or certified connectors with documented support SLAs? Signals maturity.

Support, SLAs, pricing, and legal

Close operational and commercial gaps before signing so the rollout does not stall.

  1. What onboarding services and role-based training are included, and who owns each milestone? Speeds time to value.
  2. Are support hours and contact channels by severity documented (chat, email, phone)? Clarifies expectations.
  3. What are response and resolution SLAs (e.g., Sev1 response <1 hour, workaround <4 hours), and are they contractual with credits? Protects continuity.
  4. Do you provide a named customer success manager with QBRs? Improves accountability.
  5. Is self-serve documentation comprehensive, versioned, and paired with a public status page? Reduces tickets.
  6. What is the pricing model for resume screening at scale (per resume, per job, per user), and are volume tiers available? Helps forecast cost.
  7. Are overage, storage, training, or integration fees itemized with examples? Avoids surprise charges.
  8. Do you offer discounts for annual or multi-year terms tied to usage commitments? Lowers total cost.
  9. What are contract length, renewal terms, and notice windows? Prevents auto-renew surprises.
  10. Can we run a paid pilot with defined success criteria and conversion credits? Proves value before rollout.
  11. What data export formats are available at termination, and will you provide deletion attestations? Ensures a clean exit.
  12. Do you carry cyber liability and professional indemnity insurance with stated limits? Covers worst-case events.
  13. Will you complete security questionnaires (e.g., SIG Lite, CAIQ) and audits on request? Confirms diligence.
  14. What is your subprocessor change notification policy (advance notice and opt-out path)? Keeps compliance current.
  15. How are feature deprecations and end-of-life handled, and what notice period is guaranteed? Avoids sudden disruption.

Key takeaways

  • Anchor your RFP on measurable outcomes, then validate security, privacy, and explainability.
  • Require audit trails, exportable reasons, and human oversight for every shortlist decision.
  • Choose integrations that preserve data quality, reduce manual work, and scale with you.
  • Lock in SLAs, transparent pricing, and exit rights before you sign.

If you are evaluating an AI CV screening shortlist tool such as Marxel, use this checklist to run a crisp RFP. It keeps stakeholders aligned on explainability, GDPR, auditability, and integrations so you can buy with confidence.
