AI compliance
Stori gathers, organizes, and cross-validates candidate information to help employers make more informed decisions. Rather than predicting future performance or making hiring recommendations, it surfaces evidence and source-linked observations across multiple candidate inputs and presents them transparently for human review.
The left column is the law, quoted verbatim from the underlying statute or official guidance. The right column is not a legal interpretation — it explains how each requirement shaped the design principles behind Stori.
EU AI Act
Stori as provider · employer as deployer
High-risk obligations apply 2 Aug 2026 (a pending EU proposal may defer to 2 Dec 2027)
Regulation (EU) 2024/1689 — Annex III; Arts 6, 10, 13–15, 26, 86
The law, quoted
“AI systems intended to be used for the recruitment or selection of natural persons, in particular to place targeted job advertisements, to analyse and filter job applications, and to evaluate candidates.”
Annex III(4)(a)
Stori's design response
Stori acknowledges that candidate evaluation falls within the scope of AI-hiring regulation, and that organizing and surfacing information can influence a decision even when it does not make one. We therefore design for transparency, auditability, human review, and explainability regardless of whether a final employment decision is made by the system — and make no claim to identify the best candidate, predict future performance, or determine the hiring outcome. Selection remains the employer's.
The law, quoted
“an AI system referred to in Annex III shall always be considered to be high-risk where the AI system performs profiling of natural persons.”
Art 6(3)
Stori's design response
Stori designs to the high-risk standard rather than relying on an exemption. Whether or not a deployment is treated as profiling, the same safeguards apply: source-linked evidence, human oversight, and an explainable, inspectable record.
The law, quoted
“examination in view of possible biases that are likely to … lead to discrimination prohibited under Union law … [providers] may exceptionally process special categories of personal data … for the purpose of ensuring bias detection and correction.”
Art 10(2)(f)–(5)
Stori's design response
Stori orders only role-relevant, checkable evidence and monitors its outputs for bias on verified — not inferred — demographic data. Any special-category data is processed solely to detect and correct bias, never as a scoring input.
The law, quoted
“designed and developed in such a way as to ensure that their operation is sufficiently transparent to enable deployers to interpret a system's output and use it appropriately.”
Art 13(1)
Stori's design response
Stori states in plain language what its outputs are and are not, including their limitations, and never presents them as proven truth or a forecast of performance.
The law, quoted
“to decide, in any particular situation, not to use the high-risk AI system or to otherwise disregard, override or reverse the output of the high-risk AI system.”
Art 14(4)
Stori's design response
Every Stori output is reviewable and overridable by a human, and overrides are captured in the product. The machine is the index, not the authority.
The law, quoted
“shall be designed and developed in such a way that they achieve an appropriate level of accuracy, robustness, and cybersecurity, and that they perform consistently in those respects throughout their lifecycle.”
Art 15(1)
Stori's design response
Stori states the accuracy and limits of its outputs and abstains under thin evidence (“insufficient signal”) rather than fabricate a result to fill a grid. It is built to be inspected, not trusted on faith.
The law, quoted
“deployers of high-risk AI systems referred to in Annex III that make decisions or assist in making decisions related to natural persons shall inform the natural persons that they are subject to the use of the high-risk AI system.”
Art 26(11)
Stori's design response
Stori supports the candidate-facing notice an employer must give, with a plain-language account of how the system is used and a route to human review.
The law, quoted
“the right to obtain from the deployer clear and meaningful explanations of the role of the AI system in the decision-making procedure and the main elements of the decision taken.”
Art 86(1)
Stori's design response
Every signal Stori surfaces traces back to its source quote and context, so an employer can give a clear, source-linked explanation rather than point at a bare score. No candidate assessment is presented without the underlying evidence available for inspection.
EU GDPR
Stori as processor · employer as controller
In force since 25 May 2018
Regulation (EU) 2016/679 — Arts 13, 22, 35
The law, quoted
“The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her.”
Art 22(1)
Stori's design response
Stori keeps a human meaningfully in the loop and never auto-rejects a candidate, so its use need not be a decision “based solely on automated processing.”
The law, quoted
“the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision.”
Art 22(3)
Stori's design response
Override is built in and logged. Stori supports the candidate's right to human intervention, to express a view, and to contest — every output traces to inspectable evidence.
The law, quoted
“meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.”
Arts 13(2)(f) · 14(2)(g)
Stori's design response
Stori provides a plain-language account of the logic involved — what it reads, how it orders evidence by strength and checkability, and what it does not claim.
The law, quoted
“the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data.”
Art 35(1)
Stori's design response
Stori gives employers the artifacts to complete a DPIA: data inputs, the logic, accuracy and known limits, bias metrics, and retention.
United Kingdom
Stori as processor · employer as controller
Equality Act in force; UK GDPR / DUAA 2025 automated-decision reforms commencing
UK GDPR (DUAA 2025) · Equality Act 2010 · ICO recruitment guidance
The law, quoted
“a decision is based solely on automated processing if there is no meaningful human involvement in the taking of the decision.”
UK GDPR — Art 22A (DUAA 2025)
Stori's design response
Stori is designed so a human stays meaningfully involved: source-linked evidence, a genuine ability to override, and no automatic rejection of any candidate.
The law, quoted
“provide the data subject with information about [the] decisions … enable the data subject to make representations … to obtain human intervention on the part of the controller … [and] to contest such decisions.”
UK GDPR — Art 22C(2) (DUAA 2025)
Stori's design response
Stori supports all four safeguards — information, representations, human intervention, and the ability to contest — and logs overrides.
The law, quoted
“it puts, or would put, persons with whom B shares the characteristic at a particular disadvantage when compared with persons with whom B does not share it … and … A cannot show it to be a proportionate means of achieving a legitimate aim.”
Equality Act 2010 — s.19(2)
Stori's design response
Stori orders only role-relevant, checkable evidence — not protected characteristics or their proxies. Trait-assessment results are presented as candidate-owned context, never as exclusionary criteria, pass/fail thresholds, or automated ranking factors. Stori also gives employers the explainability and bias-monitoring artifacts that support a proportionality defence.
The law, quoted
“Information intentionally inferred in this way is still special category data. … Inferred or estimated data will not be adequate and accurate enough, and will therefore not comply with data protection law.”
ICO — AI in recruitment (2024) [guidance]
Stori's design response
Stori does not infer protected characteristics as scoring inputs, and any bias monitoring uses verified demographic data rather than inferred data — consistent with the ICO's position.
United States — Federal
Binds employers; Stori supports their compliance
Longstanding — Title VII (1964), ADEA (1967), ADA (1990)
Title VII · 29 CFR Part 1607 · ADA · ADEA · EEOC guidance
The law, quoted
“a particular employment practice that causes a disparate impact on the basis of race, color, religion, sex, or national origin and the respondent fails to demonstrate that the challenged practice is job related for the position in question and consistent with business necessity.”
Title VII — 42 U.S.C. §2000e-2(k)(1)(A)(i)
Stori's design response
Stori orders only role-relevant, job-related evidence — the business-necessity anchor — and gives employers the data to run disparate-impact analysis on their own selection process.
The law, quoted
“A selection rate for any race, sex, or ethnic group which is less than four-fifths (4/5) (or eighty percent) of the rate for the group with the highest rate will generally be regarded by the Federal enforcement agencies as evidence of adverse impact.”
Uniform Guidelines — 29 CFR §1607.4(D)
Stori's design response
Stori outputs structured, per-candidate data so an employer or auditor can compute selection rates and impact ratios across groups.
The law, quoted
“users may rely upon criterion-related validity studies, content validity studies or construct validity studies, in accordance with the standards set forth in the technical standards of these guidelines.”
Uniform Guidelines — 29 CFR §1607.5(A)
Stori's design response
Stori claims construct and convergent validity for what its method observes. It does not claim predictive validity for job performance — and says so plainly.
The law, quoted
“using qualification standards, employment tests or other selection criteria that screen out or tend to screen out an individual with a disability … unless … job-related for the position in question and … consistent with business necessity.”
ADA — 42 U.S.C. §12112(b)(6)
Stori's design response
Stori does not auto-screen or auto-reject, treats trait results as context rather than ability, and leaves reasonable-accommodation decisions with the employer.
The law, quoted
“to fail or refuse to hire or to discharge any individual … because of such individual's age.”
ADEA — 29 U.S.C. §623(a)
Stori's design response
Age and graduation year are not used as evaluation criteria.
California — FEHA (ADS) & CCPA (ADMT)
Reaches employers and their agents; Stori may be an agent
FEHA ADS regs effective 1 Oct 2025; CCPA ADMT compliance by 1 Jan 2027
2 CCR §§11008.1, 11009, 11013 · 11 CCR §§7001, 7220–7222
The law, quoted
“‘Automated-Decision System.’ A computational process that makes a decision or facilitates human decision making regarding an employment benefit.”
2 CCR §11008.1(a)
Stori's design response
Stori facilitates human decision-making and is built for that role — it surfaces and organizes evidence for review, and does not make the employment decision itself.
The law, quoted
“evidence, or the lack of evidence, of anti-bias testing or similar proactive efforts to avoid unlawful discrimination, including the quality, efficacy, recency, and scope of such effort, the results of such testing or other effort, and the response to the results.”
2 CCR §11009(f)
Stori's design response
Stori runs and documents anti-bias testing — its quality, recency, scope, results, and the response to those results — because California treats that evidence, or its absence, as relevant to any claim or defense.
The law, quoted
“shall be preserved by the employer or other covered entity for a period of four years … This includes all applications, personnel records, … selection criteria, automated-decision system data, and other records.”
2 CCR §11013(c)
Stori's design response
Stori keeps immutable run logs — model version, inputs, and outputs — and gives clients the automated-decision-system data they must retain for four years.
The law, quoted
“any technology that processes personal information and uses computation to replace human decisionmaking or substantially replace human decisionmaking.”
11 CCR §7001(e) (CCPA ADMT)
Stori's design response
Stori is designed so a human reviewer interprets its output, weighs other information, and holds the authority to decide — so it supports, rather than substantially replaces, human decision-making.
The law, quoted
“Information about the logic of the ADMT. Such information must enable a consumer to understand how the ADMT processed their personal information to generate an output with respect to them.”
11 CCR §7222(b)(2) (CCPA ADMT)
Stori's design response
Source-linked evidence and a plain-language account of how an output was reached support a candidate's right to access the logic of automated processing.
Colorado AI Act (SB 24-205)
Stori as developer · employer as deployer
Effective 30 June 2026 (delayed from 1 Feb 2026 by SB 25B-004)
Colorado AI Act — C.R.S. § 6-1-1701 et seq.
The law, quoted
“‘High-risk artificial intelligence system’ means any artificial intelligence system that, when deployed, makes, or is a substantial factor in making, a consequential decision.”
§ 6-1-1701(9)(a)
Stori's design response
Stori is designed to support information review and evidence inspection, not to autonomously determine employment outcomes. It gives deployers the disclosures, adverse-decision explanations, and correction workflows their duties call for.
The law, quoted
“‘Substantial factor’ means a factor that … assists in making a consequential decision; … is capable of altering the outcome of a consequential decision; and … is generated by an artificial intelligence system.”
§ 6-1-1701(11)
Stori's design response
Even where Stori's output is one factor among several, it is designed to be inspected and overruled — never to silently alter an outcome. The decision, and its ownership, stay with the human.
The law, quoted
“a general statement describing the reasonably foreseeable uses and known harmful or inappropriate uses … documentation disclosing … known or reasonably foreseeable limitations … including … risks of algorithmic discrimination.”
§ 6-1-1702(2)
Stori's design response
As the developer, Stori provides deployers the documentation their duties require: intended and inappropriate uses, known limitations and discrimination risks, a summary of training data, how the system was evaluated, and how it should be used and monitored.
The law, quoted
“a description of the categories of data the high-risk artificial intelligence system processes as inputs and the outputs the high-risk artificial intelligence system produces … [and] any metrics used to evaluate the performance and known limitations.”
§ 6-1-1703(3)(b)
Stori's design response
Stori gives deployers what they need to complete an impact assessment — the categories of input data, the outputs produced, performance metrics and known limitations, and the transparency and monitoring measures in place.
The law, quoted
“a statement disclosing the principal reason or reasons for the consequential decision … an opportunity to correct any incorrect personal data … [and] an opportunity to appeal … which appeal must, if technically feasible, allow for human review.”
§ 6-1-1703(4)(b)
Stori's design response
Stori supports the employer's adverse-decision duties: a principal-reasons explanation drawn from source-linked evidence, a route to correct inaccurate personal data, and an appeal that allows human review.
Illinois — Human Rights Act, AI Video Interview Act & BIPA
Binds employers; Stori supports their compliance
Human Rights Act AI rules effective 1 Jan 2026; Video Interview Act & BIPA in force
775 ILCS 5 (HB 3773) · 820 ILCS 42 · 740 ILCS 14
The law, quoted
“for an employer to use artificial intelligence that has the effect of subjecting employees to discrimination on the basis of protected classes … or to use zip codes as a proxy for protected classes.”
Human Rights Act — 775 ILCS 5/2-102(L)
Stori's design response
Stori does not use ZIP code, neighborhood, race, sex, age, or other protected characteristics as evaluation criteria. Location is used only as a job-relevant signal — proximity to a role's stated work location — never as a proxy for a protected class. Stori supports the applicant AI-use notice employers must give, and employers remain responsible for ensuring their selection practices comply with applicable anti-discrimination law.
The law, quoted
“Notify each applicant before the interview that artificial intelligence may be used … Provide each applicant with information … explaining how the artificial intelligence works and what general types of characteristics it uses to evaluate applicants … [and] Obtain, before the interview, consent.”
AI Video Interview Act — 820 ILCS 42/5
Stori's design response
Stori supports the pre-interview notice, the plain-language explanation of how its analysis works and what it looks at, and the consent an employer must obtain before any AI analysis.
The law, quoted
“Upon request from the applicant, employers, within 30 days after receipt of the request, must delete an applicant's interviews and instruct any other persons who received copies … to also delete the videos, including all electronically generated backup copies.”
AI Video Interview Act — 820 ILCS 42/15
Stori's design response
On request, interview recordings can be deleted within the required window, including backup copies held by Stori.
The law, quoted
“No private entity may collect … a person's … biometric identifier or biometric information, unless it first … receives a written release executed by the subject.”
BIPA — 740 ILCS 14/15(b)
Stori's design response
Stori reads the content of what a candidate says — the interview transcript — not facial geometry or voiceprints. It does not generate a biometric identifier as a scoring input.
NYC Local Law 144 (AEDT)
Procedural requirements where an employer uses an AEDT
Enforced since 5 July 2023
NYC Admin Code §§20-870–872 · 6 RCNY §§5-300–304
The law, quoted
“any computational process, derived from machine learning, statistical modeling, data analytics, or artificial intelligence, that issues simplified output, including a score, classification, or recommendation, that is used to substantially assist or replace discretionary decision making.”
Admin Code §20-870
Stori's design response
Stori does not rely on unexplained verdicts. Evidence is linked to its source, human-reviewable, and overridable, and is designed to support discretion rather than replace it.
The law, quoted
“such tool has been the subject of a bias audit conducted no more than one year prior to the use of such tool; and … a summary of the results of the most recent bias audit … has been made publicly available.”
Admin Code §20-871(a)
Stori's design response
Where an employer's use makes Stori an AEDT, Stori provides the structured data an independent auditor needs, so a bias audit can be conducted and its summary published before use.
The law, quoted
“That an automated employment decision tool will be used … Such notice shall be made no less than ten business days before such use and allow a candidate to request an alternative selection process … [and] The job qualifications and characteristics that such … tool will use.”
Admin Code §20-871(b)
Stori's design response
Stori supports the employer's candidate notice and the disclosure of the job qualifications and characteristics assessed.
The law, quoted
“a bias audit must, at a minimum: … Calculate the selection rate for each category; … Calculate the impact ratio for each category … [for] Sex categories … Race/Ethnicity categories … and intersectional categories.”
6 RCNY §5-301(b)
Stori's design response
Stori's outputs are structured by category, so selection rates and impact ratios can be calculated across sex, race/ethnicity, and intersectional groups.
New Jersey — Law Against Discrimination
Binds covered employers; Stori supports their compliance
DCR guidance issued January 2025
NJ DCR — Guidance on Algorithmic Discrimination (2025)
The law, quoted
“a covered entity … is not immunized from liability for violating the LAD merely because its discriminatory policy or practice involves using or relying on an automated decision-making tool. A covered entity can violate the LAD even if it has no intent to discriminate, and even if a third-party was responsible for developing the … tool.”
NJ DCR Guidance (Jan 2025)
Stori's design response
Stori gives employers the explainability and bias-monitoring evidence they need to meet their LAD obligations, and excludes protected characteristics and their proxies from its ordering — so an employer's use rests on role-relevant evidence it can defend.
Texas Responsible AI Governance Act (TRAIGA)
Stori as developer · employer as deployer
Effective 1 Jan 2026
TRAIGA (HB 149) — Tex. Bus. & Com. Code §§551–552
The law, quoted
“A person may not develop or deploy an artificial intelligence system with the intent to unlawfully discriminate against a protected class in violation of state or federal law.”
§ 552.056(b)
Stori's design response
Stori is not designed to discriminate against any protected class. It orders role-relevant, checkable evidence and never targets — or proxies for — protected characteristics.
The law, quoted
“For purposes of this section, a disparate impact is not sufficient by itself to demonstrate an intent to discriminate.”
§ 552.056(c)
Stori's design response
Texas requires intent, but Stori goes further than the floor: it monitors its outputs for adverse impact and excludes protected proxies, rather than relying on the absence of intent.
The law, quoted
“‘Artificial intelligence system’ means any machine-based system that … infers from the inputs the system receives how to generate outputs, including content, decisions, predictions, or recommendations, that can influence physical or virtual environments.”
§ 551.001(1)
Stori's design response
Stori is an AI system within scope, and is designed accordingly — transparent, overseeable, and explainable.
Maryland — Facial Recognition in Interviews
Binds employers; Stori does not use the regulated technology
In force since 1 Oct 2020
Md. Code, Labor & Employment §3-717
The law, quoted
“An employer may not use a facial recognition service for the purpose of creating a facial template during an applicant's interview for employment unless an applicant consents under subsection (c) of this section.”
Labor & Empl. §3-717(b)
Stori's design response
Stori does not use facial recognition or create a facial template during interviews. Its assessment reads what a candidate says, not their face.
Common questions
Does Stori rank candidates?
Stori does not rank people by predicted performance. It orders evidence by its strength and checkability, and uses that to establish membership in a qualified pool — the set of candidates for whom sufficient role-relevant evidence exists to justify serious consideration, distinguished from those for whom it does not. If Candidate A appears above Candidate B, it means A presented more role-relevant, reviewable evidence aligned to the criteria specified for the search — not that A will outperform B. The ordering reflects the availability and quality of evidence, and remains fully reviewable by a human.
Does Stori make hiring decisions?
No. Because surfacing and organizing information can influence a decision, Stori is designed for transparency, auditability, and human review regardless — but it does not autonomously determine employment outcomes. Selection is the employer's.
What does “cross-validate” mean?
Comparing information across candidate-provided sources — transcripts, assessments, resumes, and application materials — to identify consistency, contradiction, and missing context. It does not mean determining whether a statement is true.
What happens to candidates who aren't advanced?
Stori supports employer compliance with applicable notice, explanation, correction, review, and adverse-action obligations. Those obligations vary by jurisdiction and remain the employer's responsibility.
Across every jurisdiction, the legal question is not “is the AI correct?” It is whether an automated system made or materially determined a decision — and whether you can explain, audit, and oversee it. Stori is built for the answerable version of that question: it orders evidence by its strength and checkability to establish a qualified pool — the candidates for whom sufficient role-relevant evidence justifies serious consideration — and hands that, fully inspectable and overrulable, to a human who owns the decision. The machine is the index, not the authority.