Security & compliance
Built for GDPR-conscious hiring.
Screening CVs means handling candidates' personal data. Here is how Marxel keeps that controlled, explainable, and in your hands — with the documents your team needs for due diligence.
We don't train AI on your data
We do not use your data to train any Marxel-owned AI models. Via the OpenAI API, your data is not used to train OpenAI's models by default.
Humans make the hiring call
AI scores and buckets are tools to assist people. All hiring decisions remain with your organisation, and candidates can request human review of any assessment.
UK GDPR-aligned, with a full DPA
Built around the UK GDPR, EU GDPR, and the Data Protection Act 2018. A complete Data Processing Agreement is available, including SCCs and the UK IDTA.
Encrypted and access-controlled
Data is encrypted in transit (TLS 1.2+) and at rest, with role-based access, authentication, regular security reviews, and documented incident response.
How we handle data and AI
Your CVs are not used to train AI
We do not use your data to train any Marxel-owned AI models. AI parsing and evaluation run through the OpenAI API, where, under OpenAI's API usage policies, submitted data is not used to train OpenAI's models by default. OpenAI is a sub-processor bound by data processing terms.
Decisions stay with people
AI-generated scores and screening buckets assist human decision-making — they don't replace it. All hiring decisions remain with the organisation using Marxel, and candidates have the right to request human review of any automated assessment.
Retention & data location
- Candidate data: kept until you delete it or close the account (plus up to ~30 days of backups)
- Cached AI processing results: up to 7 days, and purged immediately when a candidate is deleted
- Customer account data: duration of the account plus 2 years
- Billing records: 7 years (legal requirement)
Data may be processed outside the UK and EEA, including in the United States, by our infrastructure and AI providers. Those transfers are covered by Standard Contractual Clauses, the UK International Data Transfer Agreement, or adequacy decisions where they apply.
Security measures
- Encryption in transit (TLS 1.2+) and at rest
- Role-based access controls and authentication
- Regular security reviews
- Employee confidentiality obligations, access on a need-to-know basis
- Documented incident-response procedures
We use a small set of vetted sub-processors for hosting, AI processing, email, and payments, and give at least 14 days' notice before engaging a new one.
Documents for your records
Everything your legal or procurement team needs, in one place.
Questions about data or compliance?
We're happy to walk your security or procurement team through how Marxel handles candidate data.