Skip to main content

Student data privacy, security, and compliance.

UnchartedCareer processes something personal: a student’s voice, and optionally their webcam, in a practice interview. This page states exactly how that data is handled, what we have, and what we don’t have yet. We’re an early-stage company; we’d rather tell you exactly where we are than overstate it.

FERPA school-officialHECVAT on requestGDPR / EU AI Act awareSOC 2 when required

Last reviewed July 2026 · v1.0 · Questions: support@unchartedcareer.com

Trust at a glance
  • Data is encrypted in transit and at rest.
  • Raw webcam video is deleted right after analysis.
  • Your data is processed to deliver feedback. It is never sold.
  • Deletion on request, for a single student or a whole cohort.
  • We respond to support and security questions within 1 business day.
What data we touch, and where it lives
Data we process
Student voice from the practice interview (required); webcam video only if the student opts in (optional, off by default); account details and the resume or job text a student enters.
Where it is hosted
Google Cloud and Firebase, with OpenAI and Google as AI subprocessors. The full subprocessor list is below.
Residency & transfers
Regional processing and transfer mechanisms are confirmed per agreement in the DPA. EU/EEA institutions get the affect-free configuration by default.
Retention
Raw webcam video is deleted right after analysis. The scored report and transcript are kept until the account expires or deletion is requested.
Our role
For institutional deployments we act as a "school official" under the institution's direct control, under a signed DPA with no secondary use.
Controls in place today
  • Encryption in transit and at rest
  • Access scoped to each user account
  • Consent-gated capture, with an affect-free EU/EEA configuration
  • Raw webcam video deleted right after analysis
  • Deletion on request, for a student or a whole cohort
  • A written transcript alongside every scored report
  • Breach-notification commitments in the DPA
  • Signed processor agreements with every subprocessor
  • SAML SSO available for larger rollouts

These are the controls we operate today. Where a formal attestation is not yet in place, the compliance table below says so plainly.

AI and your data

What happens to a student's voice and video.

During a mock interview, the student’s voice, and their webcam if they opt in, are processed by our AI subprocessors to run the conversation and generate the scored feedback report. That is the purpose of the processing, and the only one.

Session data is not sold. Raw webcam video is deleted right after analysis; what remains is the scored report and the transcript, kept until the account expires or deletion is requested. We configure our AI providers to limit data retention where possible, and our data-handling commitments are written into the data-processing agreement rather than left as marketing copy.

Webcam analysis is optional and off by default. A voice-only interview is a first-class session with a full scored report.

Compliance

Where we stand, framework by framework.

Stated plainly. Where we don't have a certification yet, the row says so.

FrameworkStatusDetail
SOC 2Not yet auditedWe will pursue SOC 2 when a partner requires it.
HECVAT & security questionnairesCompleted on requestWe complete HECVAT and institutional security questionnaires and walk your IT team through our controls.
FERPASchool-official postureWe operate under the FERPA "school official" model for institutional deployments and sign a DPA that prohibits secondary use.
GDPR / UK GDPRAware by designEU users get consent-gated capture; institutional agreements include Art. 28 processor terms. Transfer mechanisms are confirmed per agreement in the DPA.
EU AI ActAffect-free configurationFor EU/EEA institutions we configure the service to omit emotion inference (from face or voice), by design.
Accessibility (WCAG 2.1 AA)Target postureWe build to WCAG 2.1 AA and interview sessions produce a written transcript alongside the scored report. We respond to accessibility questionnaires, and prepare a VPAT/ACR, on request.
Subprocessors

Who touches the data, and why.

The current list of third parties that process data on our behalf. Data-flow and regional details are provided in the DPA and on request.

SubprocessorPurposeData categories
OpenAILive voice interview and text analysisSession audio, transcripts, resume and job-description text
Google (Gemini)Webcam video analysis and voice coachingWebcam video during analysis (raw video deleted right after), audio
Google Cloud & FirebaseHosting, database, file storage, authenticationAccount data, reports, usage telemetry
StripePayments and invoicingBilling details. Card data never touches our servers.
Microsoft (Graph)Transactional emailEmail address, message content

Last updated July 2026.

Documentation

Documents your procurement team can hold.

Data-processing agreement (draft)

FERPA- and GDPR-aware processor terms: purpose limitation, no secondary use, breach notification, deletion and return. Marked draft; final terms are in legal review.

Download the DPA draft (PDF)

Pilot order form (draft)

The one-page commercial document a pilot runs on: scope, term, what is included, and what is explicitly not promised. Marked draft; final terms are in legal review.

Download the order-form draft (PDF)

HECVAT and other security questionnaires are completed on request. Additional documentation can be shared under NDA. For vulnerability reports, see our security policy (we aim to acknowledge reports within 5 business days). Our privacy practices are detailed in the privacy policy.

Talk to us about security

Security and privacy questions go to support@unchartedcareer.com. We respond within 1 business day, and we’ll get your IT team direct answers rather than a canned packet.

The questions buyers ask.

Answered in the present tense, so procurement can quote us.

Still have questions? Get in touch