You own every
decision.
Here is the law. Here is what compliant hiring looks like. And here is exactly how Amp delivers it — including where the line between Amp and you sits. Amp does the work; the judgment the law requires stays with you.
Built as a processor
Retention is on by default with industry-typical windows. Deletion and access requests are fulfilled within 30 days — one SLA, every jurisdiction.
Every model bias-tested
Scoring models are tested for disparate impact before and after deployment. An adverse finding pauses score emission on that job until a human reviews.
Enterprise-grade controls
SOC 2 program underway in 2026. Encryption in transit and at rest, per-tenant isolation, SSO, and role-based access throughout.
Amp is the tool. You are the employer. We build the system to meet the technical and documentation bar that high-risk hiring AI is held to. You keep the human judgment — the final hiring decision — that the law requires of you.
How this page works
The regulatory analysis stands on its own — readable by a general counsel without a product pitch attached. The product layer is clearly demarcated and linked, never interleaved as sales prose.
Every relevant law by jurisdiction: status, effective dates, what employers must do, a primary-source link, and a per-row last-updated timestamp.
Capability pages — decision boundary, audit trail & exports, fairness, privacy, security. Real explanations and sample artifacts, linked from each law.
Plain-English articles and short explainer videos on what each obligation means for a frontline employer — and where shared responsibility falls.
Regulatory tracker
Excellent in our customers’ jurisdictions first, expanding visibly. Each row links to the primary source and to how Amp handles the obligation. Sample rows shown — content pending counsel verification.
| Law | Status | Key dates | What employers must do | How Amp handles it | Source | Updated |
|---|---|---|---|---|---|---|
| Title VII / EEOC UGESPUS Federal | In force | 29 CFR §1607 | Avoid selection procedures with unjustified disparate impact; the 4/5ths rule is the screening heuristic. | Synthetic bias probe applies the 4/5ths rule plus Fisher's exact test to every scoring model. Every model tested for disparate impact → | eeoc.gov ↗ | June 9, 2026 |
| EEOC AI Technical AssistanceUS Federal | Guidance | May 2023 | Software/algorithmic selection tools are covered by Title VII; employers retain responsibility for adverse impact. | A human owns every final decision; Amp cannot reject a candidate unilaterally. You own every decision → | eeoc.gov ↗ | June 9, 2026 |
| OFCCP — federal contractorsUS Federal | In force | VEVRAA / §503 | Federal contractors must keep records supporting non-discriminatory selection and produce them on audit. | Append-only audit trail and exportable selection-rate records per scoring run. Evidence you can hand to an auditor → | dol.gov/ofccp ↗ | June 9, 2026 |
| I-9 / IRCAUS Federal | In force | 8 USC §1324a | Verify identity and work authorization; retain I-9 records. | Workflow automation operates inside your ATS; verification stays a human, documented step. You own every decision → | uscis.gov ↗ | June 9, 2026 |
| NYC Local Law 144 (AEDT)New York City | In force | 05 Jul 2023 | Annual independent bias audit of automated employment decision tools; post a dated summary; notify candidates. | LL144-ready audit package — intersectional matrix, impact ratios, hash-verifiable PDF + JSON. Evidence you can hand to an auditor → | nyc.gov/dcwp ↗ | June 9, 2026 |
| Colorado AI Act (SB24-205)Colorado | Phasing in | Eff. 2026 * | Developers and deployers of high-risk AI must use reasonable care to avoid algorithmic discrimination; impact assessments required. | Continuous monitoring plus per-run impact documentation provide the deployer's evidence base. Every model tested for disparate impact → | leg.colorado.gov ↗ | June 9, 2026 |
| Illinois AIVIA + IHRA AI amendmentIllinois | Phasing in | IHRA eff. 01 Jan 2026 * | Notice and consent for AI video analysis; IHRA restricts AI use that produces discriminatory effect. | No autonomous rejection; transparent, logged scoring with human review at the decision point. You own every decision → | ilga.gov ↗ | June 9, 2026 |
| California CCPA / CPRA + ADMT regsCalifornia | Phasing in | ADMT regs 2025–26 * | Consumer rights over personal data; emerging rules on automated decision-making technology and access/opt-out. | Processor model: deletion and access fulfilled within 30 days through the customer as controller. Processor model, 30-day SLA → | cppa.ca.gov ↗ | June 9, 2026 |
| Maryland HB1202Maryland | In force | Oct 2020 | Consent required before using facial-recognition analysis in a job interview. | Amp does not perform facial-recognition analysis of candidates. You own every decision → | mgaleg.maryland.gov ↗ | June 9, 2026 |
| EU AI Act — high-risk (Annex III §4)European Union | Phasing in | High-risk oblig. Aug 2026 * | Hiring AI is high-risk: risk management, logging, transparency, and human oversight obligations split across provider and deployer. | Amp ships the provider-side technical controls (Arts 9, 12, 13); your deployment preserves human oversight (Arts 14, 26). Every model tested for disparate impact → | artificialintelligenceact.eu ↗ | June 9, 2026 |
| GDPREuropean Union | In force | 25 May 2018 | Lawful basis, data minimization, storage limitation, and data-subject rights (access, erasure) for personal data. | Default-on retention, pseudonymization with annual key destruction, 30-day request SLA. Processor model, 30-day SLA → | eur-lex.europa.eu ↗ | June 9, 2026 |
| UK GDPR + DPA 2018United Kingdom | In force | 2018 / 2021 | UK data-protection regime; ICO expects fairness, transparency, and DPIAs for AI used in recruitment. | Same processor model and data-subject-request tooling as our GDPR posture. Processor model, 30-day SLA → | ico.org.uk ↗ | June 9, 2026 |
* Effective dates marked with an asterisk are subject to amendment and must be confirmed against the primary source at publish time.
How Amp handles it
Specific, not promotional. Each capability maps to named obligations and, where it exists, ships a sample artifact you can inspect.
You own every decision
An Amp Teammate can screen, rank, schedule, and communicate — but it cannot mark a candidate rejected. Final go/no-go is always a human's. When a scoring model shows an adverse-impact signal on a job, Amp automatically pauses score emission for that job until a human admin reviews. Automation enforces; a human releases — and the release is logged with the actor's identity.
Evidence you can hand to an auditor Export: next release
Per-request privacy audit log, append-only bias-hold event log, and per-run bias-test records with an embedded methodology version and a SHA-256 integrity hash.
- LL144-ready bias audit package — customer-shareable PDF + machine-readable JSON
- Integrity hash an auditor can re-verify independently
- DSAR data-access report for privacy requests
Every model tested for disparate impact
A synthetic bias probe varies demographic signals while holding qualifications constant, then measures selection rates.
- 4/5ths rule + Fisher's exact + Newcombe CI + Cohen's h
- Intersectional race × sex matrix
- Monthly continuous monitoring; adverse findings engage a hold
Processor model, 30-day SLA
Amp processes personal data on your behalf. Individuals exercise their rights against you, the controller; Amp provides the tooling. There is no public “delete-me” portal — by design.
- Retention on by default, industry-typical windows
- Right-to-forget & right-to-data-access within 30 days, all jurisdictions
- Pseudonymization with annual key destruction → mathematically anonymous over time
SOC 2 program underway 2026
A SOC 2 program is underway for 2026, and the controls behind it are live today.
- Encryption in transit and at rest
- Per-tenant data isolation, SSO, role-based access
- Published sub-processor list and hosting region
Analysis
Deep dives for the people who have to act on this — general counsel, heads of talent, compliance leads.
The Governance Gap in Agentic AI for HR: Why 75% Plan to Deploy Agents but Only 21% Are Ready to Govern Them
The EU AI Act Compliance Deadline Is August 2. Is Your AI Hiring Stack Ready?
The Trust Stack for Agentic AI in HR: Autonomy Boundaries, Audit Trails, and Cross-Functional Governance
What we don’t claim
Candor is part of the position. These are the limits, stated up front.
- We are not your auditor. Under LL144 you commission the independent bias audit; we ship the evidentiary inputs, not the verdict.
- We don’t decide who you hire. Every final hiring decision is yours — by design and by law.
- We don’t reach data we don’t hold. Upstream ATS records and AI-provider prompt history stay with their owners; we tell you exactly what that means for a deletion request.