Student data privacy, security, and compliance.
UnchartedCareer processes something personal: a student’s voice, and optionally their webcam, in a practice interview. This page states exactly how that data is handled, what we have, and what we don’t have yet. We’re an early-stage company; we’d rather tell you exactly where we are than overstate it.
FERPA school-officialHECVAT on requestGDPR / EU AI Act awareSOC 2 when required
Last reviewed July 2026 · v1.0 · Questions: support@unchartedcareer.com
- Data is encrypted in transit and at rest.
- Raw webcam video is deleted right after analysis.
- Your data is processed to deliver feedback. It is never sold.
- Deletion on request, for a single student or a whole cohort.
- We respond to support and security questions within 1 business day.
- Data we process
- Student voice from the practice interview (required); webcam video only if the student opts in (optional, off by default); account details and the resume or job text a student enters.
- Where it is hosted
- Google Cloud and Firebase, with OpenAI and Google as AI subprocessors. The full subprocessor list is below.
- Residency & transfers
- Regional processing and transfer mechanisms are confirmed per agreement in the DPA. EU/EEA institutions get the affect-free configuration by default.
- Retention
- Raw webcam video is deleted right after analysis. The scored report and transcript are kept until the account expires or deletion is requested.
- Our role
- For institutional deployments we act as a "school official" under the institution's direct control, under a signed DPA with no secondary use.
- Encryption in transit and at rest
- Access scoped to each user account
- Consent-gated capture, with an affect-free EU/EEA configuration
- Raw webcam video deleted right after analysis
- Deletion on request, for a student or a whole cohort
- A written transcript alongside every scored report
- Breach-notification commitments in the DPA
- Signed processor agreements with every subprocessor
- SAML SSO available for larger rollouts
These are the controls we operate today. Where a formal attestation is not yet in place, the compliance table below says so plainly.
What happens to a student's voice and video.
During a mock interview, the student’s voice, and their webcam if they opt in, are processed by our AI subprocessors to run the conversation and generate the scored feedback report. That is the purpose of the processing, and the only one.
Session data is not sold. Raw webcam video is deleted right after analysis; what remains is the scored report and the transcript, kept until the account expires or deletion is requested. We configure our AI providers to limit data retention where possible, and our data-handling commitments are written into the data-processing agreement rather than left as marketing copy.
Webcam analysis is optional and off by default. A voice-only interview is a first-class session with a full scored report.
Where we stand, framework by framework.
Stated plainly. Where we don't have a certification yet, the row says so.
| Framework | Status | Detail |
|---|---|---|
| SOC 2 | Not yet audited | We will pursue SOC 2 when a partner requires it. |
| HECVAT & security questionnaires | Completed on request | We complete HECVAT and institutional security questionnaires and walk your IT team through our controls. |
| FERPA | School-official posture | We operate under the FERPA "school official" model for institutional deployments and sign a DPA that prohibits secondary use. |
| GDPR / UK GDPR | Aware by design | EU users get consent-gated capture; institutional agreements include Art. 28 processor terms. Transfer mechanisms are confirmed per agreement in the DPA. |
| EU AI Act | Affect-free configuration | For EU/EEA institutions we configure the service to omit emotion inference (from face or voice), by design. |
| Accessibility (WCAG 2.1 AA) | Target posture | We build to WCAG 2.1 AA and interview sessions produce a written transcript alongside the scored report. We respond to accessibility questionnaires, and prepare a VPAT/ACR, on request. |
Who touches the data, and why.
The current list of third parties that process data on our behalf. Data-flow and regional details are provided in the DPA and on request.
| Subprocessor | Purpose | Data categories |
|---|---|---|
| OpenAI | Live voice interview and text analysis | Session audio, transcripts, resume and job-description text |
| Google (Gemini) | Webcam video analysis and voice coaching | Webcam video during analysis (raw video deleted right after), audio |
| Google Cloud & Firebase | Hosting, database, file storage, authentication | Account data, reports, usage telemetry |
| Stripe | Payments and invoicing | Billing details. Card data never touches our servers. |
| Microsoft (Graph) | Transactional email | Email address, message content |
Last updated July 2026.
Documents your procurement team can hold.
Data-processing agreement (draft)
FERPA- and GDPR-aware processor terms: purpose limitation, no secondary use, breach notification, deletion and return. Marked draft; final terms are in legal review.
Download the DPA draft (PDF)Pilot order form (draft)
The one-page commercial document a pilot runs on: scope, term, what is included, and what is explicitly not promised. Marked draft; final terms are in legal review.
Download the order-form draft (PDF)HECVAT and other security questionnaires are completed on request. Additional documentation can be shared under NDA. For vulnerability reports, see our security policy (we aim to acknowledge reports within 5 business days). Our privacy practices are detailed in the privacy policy.
Talk to us about security
Security and privacy questions go to support@unchartedcareer.com. We respond within 1 business day, and we’ll get your IT team direct answers rather than a canned packet.
The questions buyers ask.
Answered in the present tense, so procurement can quote us.
Still have questions? Get in touch