Data Processing Agreement

The DPA between GetPruf and the customer organization. Covers scope of processing, sub-processors, security, and data subject rights under GDPR.
Last updated: April 15, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between GetPruf ("Processor") and the customer organization ("Controller") for the provision of resume screening services.

1. Parties

Data Processor: GetPruf, operating as a resume screening service provider. GetPruf processes personal data solely on behalf of the Controller and in accordance with documented instructions.
Data Controller: The customer organization that uploads candidate resumes for screening. The Controller determines the purposes and means of processing candidate personal data and is responsible for ensuring a lawful basis for processing.

2. Scope of Processing

GetPruf processes resume documents uploaded by the Controller for the purpose of automated fraud risk analysis. Processing activities include:
  • Text extraction from PDF, DOCX, DOC, and image files
  • AI-based analysis of resume content (employment history, skills, claims, metadata)
  • Web verification of employer and institution existence using public sources
  • Report generation with risk scoring and recommendations
Categories of personal data processed: candidate names, employment history, education history, professional skills, contact information (if present in resume), and document metadata.

3. Sub-processors

GetPruf uses the following sub-processors to deliver the screening service:
  • Enterprise LLM inference provider - AI model inference for resume analysis, web grounding, and entity extraction. United States regions. Resume text is sent via API and is not retained by the provider beyond the API call duration; data is not used for model training.
  • Independent LLM review provider - Optional second-opinion review. Only aggregated analysis results (no raw resume text) are sent for independent review. Data is not retained for model training.
  • Web search providers - Search API providers for employer verification. Only company and institution names are queried, not candidate personal data.
A complete list of sub-processors, including commercial names and jurisdictions, is available to the Controller upon request under the signed DPA. The Controller will be notified of any changes to sub-processors with 30 days' advance notice.

4. Data Retention

Screening reports are retained for the duration configured by the Controller, with a default retention period of 90 days. Resume files are processed in memory and deleted after analysis; only the structured screening results (scores, flags, recommendations) are stored.
Cached web verification results are retained for 7 days to ensure scoring consistency for the same resume.

5. Data Deletion

The Controller may request deletion of all associated data at any time by contacting dpo@getpruf.ai. Upon account closure, all data, including screening reports, user accounts, cached search results, and audit logs, is permanently deleted within 30 days.
Individual report deletion is available through the application settings. Deleted data is purged from all backups within 90 days.

6. Security Measures

GetPruf implements the following technical and organizational measures:
  • Encryption: TLS 1.3 for data in transit. AES-256 for data at rest.
  • Access control: Role-based access (viewer, analyst, admin, owner). Server-side sessions with Redis.
  • Tenant isolation: Every database query is scoped by tenant_id. No cross-tenant data access is possible.
  • Authentication: bcrypt password hashing (cost factor 12). Rate-limited login attempts.
  • Infrastructure: Hosted on dedicated cloud infrastructure with network-level isolation.

7. Data Subject Rights

GetPruf assists the Controller in responding to data subject requests, including access, rectification, erasure, restriction of processing, data portability, and objection. Requests are processed within 30 days.

8. Breach Notification

GetPruf will notify the Controller of any personal data breach without undue delay, and in any event within 72 hours of becoming aware of the breach. Notification will include:
  • Nature and scope of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

9. International Transfers

Data may be processed in the United States and other regions where sub-processors operate. GetPruf relies on Standard Contractual Clauses (SCCs) and the sub-processors' own compliance mechanisms for international data transfers in accordance with GDPR Chapter V.

10. Data Processor Obligations

GetPruf processes personal data only on documented instructions from the Controller. GetPruf does not sell, share, or use personal data for purposes other than providing the screening service. Resume data is never used for AI model training.

Contact

For DPA inquiries and data deletion requests: dpo@getpruf.ai