Specialist 04 / Knowledge Curator + compliance
Pass procurement on day one.
Built for European auditors.
GDPR Art. 32 controls implemented. NEN 7510 aligned. EU AI Act Limited Risk (self-assessed, outside Annex III high-risk because we automate Q&A and admin, not hire/fire decisioning). EN 301 549 WCAG 2.1 AA commitment. Hash-chained audit trail exportable for regulators. The Knowledge Curator indexes your full policy library and flags contradictions before employees find them.
Hash-chain audit · live fragment
Sealed
Every decision logged.
Tamper-evident.
LEAVE_QUERY
CAO VVT · Art. 5.2
POLICY_INDEX
Handbook v2.4 ingest
DSAR_EXPORT
Employee #1042
CASE_ESCALATE
Maternity transition
POORT_MILESTONE
Week 8 · PvA signed
Append-only · SHA-256 · 60-second regulator export
GDPR
Data minimisation, purpose limitation, retention rules per category, DSAR workflows.
EU AI Act
Article 50 transparency. Source citation. Confidence display. Human escalation. Annex III §4 carve-out: no performance scoring or hire/fire decisioning.
EN 301 549
Accessibility commitment. WCAG 2.1 AA baseline. Public sector ready.
NEN 7510 aligned
Designed to the Dutch healthcare information-security norm. Control mapping available under NDA. Formal certification on 2027 roadmap.
AVG Art. 9 special category
BIG-registratie, ziekmelding (medical), pensioenstatus, VOG and similar special-category data are processed only on documented instruction, with explicit lawful-basis tagging and tighter retention.
AI Act Annex III §4 carve-out
AskMyHRM does not score, rank, or evaluate individual performance. Functioneringscyclus and probation workflows ship as scaffolding only; AI does not produce evaluative judgements.
Multilingual non-discrimination
The Employee Support specialist passes responses through equal-treatment guardrails across NL, EN, DE, PL, TR. Awgb-aware: no language-dependent answer divergence on rights or benefits.
Hash-chained audit
The audit trail your auditor actually trusts.
Every event is hashed. Each entry references the hash of the previous one. The resulting chain is queryable by your DPO and exportable to your regulator. If someone tries to rewrite history, the chain breaks visibly.
AUDIT ENTRY
{
  "id": "evt_8w4j2",
  "tenantId": "tnt_NL_amsterdam_h12",
  "actor": { "type": "ai_specialist", "name": "HROperations" },
  "action": "policy.lookup",
  "subject": { "type": "Employee", "id": "emp_412" },
  "policyRefs": ["pol/onboarding/contract-template.v3"],
  "confidence": 0.94,
  "previousHash": "9f2a...",
  "hash": "b41e...",
  "ts": "2026-05-31T08:14:22Z"
}
No autonomous HR decisions
The AI Act calls out high-risk HR systems specifically. AskMyHRM agents never make autonomous decisions about hiring, firing, promotion, or disciplinary actions.
No data exfiltration
Models run via a tenant-scoped backend. Conversation data never enters general training corpora. AskMyHRM does not train any model on customer data. Tenant isolation fails closed at four enforced boundaries.
DPO ready
A dedicated DPO console exposes data flows, retention timers, third-party processors, and DSAR queues in one place.
Frequently asked
Compliance questions, answered upfront.
Where is the data hosted?
Hosted in Azure Sweden Central (EU). Both application data (PostgreSQL, Blob) and AI inference (Azure OpenAI) live in Sweden Central. No data leaves the EEA under standard configuration; Chapter V safeguards apply on customer-requested exceptions.
How does AskMyHRM comply with the EU AI Act?
Every AI interaction is transparent under EU AI Act Article 50. Users are told on first contact that they are interacting with an AI specialist. AskMyHRM is self-assessed as Limited Risk because we automate Q&A and HR-administration, not Annex III §4 high-risk decisions (recruitment, promotion, termination, performance evaluation, task allocation). Sources are cited. Confidence is shown. Human escalation is always one click away.
Do you sign a Data Processing Agreement?
Yes. A DPA is part of the standard contract. We provide a template that meets GDPR Article 28 requirements out of the box.
How does the audit trail work?
Every mutation, agent action, and access event is written to an append-only audit log. Entries are hash-chained so tampering becomes visible. The audit log is queryable by tenant administrators and exportable for regulators.
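An added example, not AskMyHRM's own code: a minimal verifier for a hash chain of the kind this answer and the audit entry shown earlier describe. The page does not state how the hash is computed, so hashing canonical JSON of every field except hash, the all-zero genesis value, and the sample events are assumptions; the trusted_head check goes beyond the page to cover a full rewrite or truncation of the log.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed previousHash for the first entry


def entry_hash(entry):
    """SHA-256 over canonical JSON of every field except 'hash' (assumed scheme)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()


def append(chain, event):
    """Link a new event to the current head, seal it, and append it."""
    entry = dict(event, previousHash=chain[-1]["hash"] if chain else GENESIS)
    entry["hash"] = entry_hash(entry)
    chain.append(entry)
    return entry


def verify(chain, trusted_head=None):
    """Return (True, None), or (False, i) with i the first entry that fails.

    trusted_head is a head hash kept outside the log. Without it, anyone who can
    rewrite every entry can also recompute every hash. A head mismatch on an
    otherwise consistent chain is reported as index len(chain).
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if entry.get("previousHash") != prev or entry.get("hash") != entry_hash(entry):
            return False, i
        prev = entry["hash"]
    if trusted_head is not None and prev != trusted_head:
        return False, len(chain)
    return True, None


def build_sample():
    """Constructed sample events, shaped like the entry shown on the page."""
    chain = []
    for n, action in enumerate(["policy.lookup", "dsar.export", "case.escalate"]):
        append(chain, {"id": f"evt_sample{n}", "action": action,
                       "ts": f"2026-05-31T08:14:2{n}Z"})
    return chain


if __name__ == "__main__":
    chain = build_sample()
    chain[1]["action"] = "policy.lookup"  # edit history in place
    print(verify(chain))                  # the edited entry no longer matches its hash
```

Storing the latest head hash somewhere the log writer cannot modify is what lets verify() catch a rewritten or shortened chain, not only an edited entry.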
How do you handle DSAR requests?
Built-in workflows for access, correction, export, and deletion. Subject rights can be exercised by HR, by the employee through the workspace, or by the DPO through the admin console.
Send the SIG questionnaire. We answer within 5 working days.
We share our security model, our DPA template, our AI Act transparency notice, and our SBOM on first request. No NDA gate. EU hosted, GDPR Art. 32 controls implemented, NEN 7510 aligned.

