UAE Compliance Requirements

Overview

This document explains the compliance architecture and regulatory requirements that the AI hiring platform is aligned with with UAE labour laws, data protection requirements, cybersecurity expectations, and AI governance best practices.

The platform must NOT operate as a fully autonomous hiring system. The product must always function as an AI-assisted recruitment platform where human HR personnel make the final hiring decisions. The platform is built using a "human-in-the-loop" model.

1. Human Review Requirement

The AI system must NEVER make the final hiring decision.

The AI can:

• Conduct structured interviews
• Generate interview summaries
• Generate candidate scores
• Recommend next steps
• Rank candidates based on rubric criteria

The AI CANNOT:

• Automatically reject candidates
• Automatically hire candidates
• Make final employment decisions
• Override HR decisions

Required Features:

• HR approval required before rejection
• HR approval required before progression
• Manual override button for all AI scores
• Mandatory reason logging when HR overrides AI recommendations
• Clear label on all scores saying "AI Recommendation Only"

2. Candidate Consent & Privacy

Before the AI interview starts, candidates must see a consent and disclosure page. The candidate must explicitly agree to:

• Recruitment data processing
• AI-assisted interview process
• Transcript generation
• Audio/video recording if enabled
• Data storage and processing
• Human review workflow

The consent screen must clearly explain:

• AI is assisting HR
• AI does not make final hiring decisions
• HR reviews all recommendations
• Candidates may request human review
• Candidates may request non-AI alternatives

Required Backend Logging:

• Consent timestamp
• IP address
• Policy version accepted
• Candidate ID
• User agent/device
• Job ID
• Company ID

3. Candidate Rights Portal

The platform must support UAE PDPL-style privacy rights. Candidates must be able to:

• Request data export
• Request correction of data
• Request deletion of data
• Withdraw consent
• Request human review
• Object to automated processing
• Request alternative interview formats

Required Admin Features:

• Rights request queue
• Status tracking
• Audit log for requests
• Export tools
• Delete/anonymize tools

4. Protected Attribute Restrictions

The AI system MUST NOT score or evaluate candidates based on:

• Gender, Nationality, Race, Religion, Ethnicity
• Disability, Marital status, Political views
• Family status, Physical appearance, Age

5. Prohibited AI Features

The platform MUST NOT implement:

• Emotion detection
• Facial expression analysis
• Personality inference
• Attractiveness scoring
• Accent discrimination
• Biometric analysis
• Behavioural prediction models

6. Security & Access Control

• Multi-factor authentication (MFA)
• Role-based access control (RBAC)
• Tenant isolation
• Session logging
• Login audit logs
• Encryption at rest (AES-256) and in transit (TLS 1.3)

7. Audit Logging

The platform maintains immutable audit logs for all critical events including candidate applications, interview completion, AI score generation, HR decisions, HR overrides, admin changes, permission changes, data exports, candidate deletions, login attempts, and security events.

8. AI Governance

All AI prompts must exclude protected characteristics, focus only on job-relevant skills, avoid personality assumptions, avoid demographic inference, and avoid emotional interpretation. The system clearly discloses that AI is being used, which parts are AI-assisted, that HR reviews all decisions, and that scores are recommendations only.

9. Data Retention

Retention is configurable per company. Default retention periods:

• Candidate applications: 12 months
• Employee records: minimum 2 years after employment
• Voice recordings: 90 days (configurable)
• Audit logs: 7 years (legal obligation)

10. Contact