You own every
decision.

Here is the law. Here is what compliant hiring looks like. And here is exactly how Amp delivers it — including where the line between Amp and you sits. Amp does the work; the judgment the law requires stays with you.

Tracker last reviewed 09 Jun 2026 · material regulatory changes reflected within 48 hours
The Amp position
Privacy by design

Built as a processor

Retention is on by default with industry-typical windows. Deletion and access requests are fulfilled within 30 days — one SLA, every jurisdiction.

Fairness by design

Every model bias-tested

Scoring models are tested for disparate impact before and after deployment. An adverse finding pauses score emission on that job until a human reviews.

Security by design

Enterprise-grade controls

SOC 2 program underway in 2026. Encryption in transit and at rest, per-tenant isolation, SSO, and role-based access throughout.

Amp is the tool. You are the employer. We build the system to meet the technical and documentation bar that high-risk hiring AI is held to. You keep the human judgment — the final hiring decision — that the law requires of you.

One destination, three layers

How this page works

The regulatory analysis stands on its own — readable by a general counsel without a product pitch attached. The product layer is clearly demarcated and linked, never interleaved as sales prose.

01 — the spine
Regulatory tracker

Every relevant law by jurisdiction: status, effective dates, what employers must do, a primary-source link, and a per-row last-updated timestamp.

02 — the product
How Amp handles it

Capability pages — decision boundary, audit trail & exports, fairness, privacy, security. Real explanations and sample artifacts, linked from each law.

03 — the analysis
Deep dives

Plain-English articles and short explainer videos on what each obligation means for a frontline employer — and where shared responsibility falls.

Layer 01

Regulatory tracker

Excellent in our customers’ jurisdictions first, expanding visibly. Each row links to the primary source and to how Amp handles the obligation. Sample rows shown — content pending counsel verification.

LawStatusKey datesWhat employers must doHow Amp handles itSourceUpdated
Title VII / EEOC UGESPUS FederalIn force29 CFR §1607Avoid selection procedures with unjustified disparate impact; the 4/5ths rule is the screening heuristic. Synthetic bias probe applies the 4/5ths rule plus Fisher's exact test to every scoring model. Every model tested for disparate impact → eeoc.gov ↗June 9, 2026
EEOC AI Technical AssistanceUS FederalGuidanceMay 2023Software/algorithmic selection tools are covered by Title VII; employers retain responsibility for adverse impact. A human owns every final decision; Amp cannot reject a candidate unilaterally. You own every decision → eeoc.gov ↗June 9, 2026
OFCCP — federal contractorsUS FederalIn forceVEVRAA / §503Federal contractors must keep records supporting non-discriminatory selection and produce them on audit. Append-only audit trail and exportable selection-rate records per scoring run. Evidence you can hand to an auditor → dol.gov/ofccp ↗June 9, 2026
I-9 / IRCAUS FederalIn force8 USC §1324aVerify identity and work authorization; retain I-9 records. Workflow automation operates inside your ATS; verification stays a human, documented step. You own every decision → uscis.gov ↗June 9, 2026
NYC Local Law 144 (AEDT)New York CityIn force05 Jul 2023Annual independent bias audit of automated employment decision tools; post a dated summary; notify candidates. LL144-ready audit package — intersectional matrix, impact ratios, hash-verifiable PDF + JSON. Evidence you can hand to an auditor → nyc.gov/dcwp ↗June 9, 2026
Colorado AI Act (SB24-205)ColoradoPhasing inEff. 2026 *Developers and deployers of high-risk AI must use reasonable care to avoid algorithmic discrimination; impact assessments required. Continuous monitoring plus per-run impact documentation provide the deployer's evidence base. Every model tested for disparate impact → leg.colorado.gov ↗June 9, 2026
Illinois AIVIA + IHRA AI amendmentIllinoisPhasing inIHRA eff. 01 Jan 2026 *Notice and consent for AI video analysis; IHRA restricts AI use that produces discriminatory effect. No autonomous rejection; transparent, logged scoring with human review at the decision point. You own every decision → ilga.gov ↗June 9, 2026
California CCPA / CPRA + ADMT regsCaliforniaPhasing inADMT regs 2025–26 *Consumer rights over personal data; emerging rules on automated decision-making technology and access/opt-out. Processor model: deletion and access fulfilled within 30 days through the customer as controller. Processor model, 30-day SLA → cppa.ca.gov ↗June 9, 2026
Maryland HB1202MarylandIn forceOct 2020Consent required before using facial-recognition analysis in a job interview. Amp does not perform facial-recognition analysis of candidates. You own every decision → mgaleg.maryland.gov ↗June 9, 2026
EU AI Act — high-risk (Annex III §4)European UnionPhasing inHigh-risk oblig. Aug 2026 *Hiring AI is high-risk: risk management, logging, transparency, and human oversight obligations split across provider and deployer. Amp ships the provider-side technical controls (Arts 9, 12, 13); your deployment preserves human oversight (Arts 14, 26). Every model tested for disparate impact → artificialintelligenceact.eu ↗June 9, 2026
GDPREuropean UnionIn force25 May 2018Lawful basis, data minimization, storage limitation, and data-subject rights (access, erasure) for personal data. Default-on retention, pseudonymization with annual key destruction, 30-day request SLA. Processor model, 30-day SLA → eur-lex.europa.eu ↗June 9, 2026
UK GDPR + DPA 2018United KingdomIn force2018 / 2021UK data-protection regime; ICO expects fairness, transparency, and DPIAs for AI used in recruitment. Same processor model and data-subject-request tooling as our GDPR posture. Processor model, 30-day SLA → ico.org.uk ↗June 9, 2026

* Effective dates marked with an asterisk are subject to amendment and must be confirmed against the primary source at publish time.

Layer 02

How Amp handles it

Specific, not promotional. Each capability maps to named obligations and, where it exists, ships a sample artifact you can inspect.

Decision boundary

You own every decision

An Amp Teammate can screen, rank, schedule, and communicate — but it cannot mark a candidate rejected. Final go/no-go is always a human's. When a scoring model shows an adverse-impact signal on a job, Amp automatically pauses score emission for that job until a human admin reviews. Automation enforces; a human releases — and the release is logged with the actor's identity.

Maps to: EU AI Act Art 14 & 26 (human oversight, deployer obligations) · EEOC accountability · Illinois IHRA
Audit trail & exports

Evidence you can hand to an auditor Export: next release

Per-request privacy audit log, append-only bias-hold event log, and per-run bias-test records with an embedded methodology version and a SHA-256 integrity hash.

  • LL144-ready bias audit package — customer-shareable PDF + machine-readable JSON
  • Integrity hash an auditor can re-verify independently
  • DSAR data-access report for privacy requests
Maps to: NYC LL144 summary posting · EU AI Act Art 12 · EEOC records retention
Fairness by design

Every model tested for disparate impact

A synthetic bias probe varies demographic signals while holding qualifications constant, then measures selection rates.

  • 4/5ths rule + Fisher's exact + Newcombe CI + Cohen's h
  • Intersectional race × sex matrix
  • Monthly continuous monitoring; adverse findings engage a hold
Honest scope: Tests the model and your review criteria — not real-applicant outcomes downstream of Amp (a disclosed roadmap item). Maps to: EEOC UGESP · LL144 · EU AI Act Art 9/10/15 · ISO/IEC 42001 Annex A
Privacy by design

Processor model, 30-day SLA

Amp processes personal data on your behalf. Individuals exercise their rights against you, the controller; Amp provides the tooling. There is no public “delete-me” portal — by design.

  • Retention on by default, industry-typical windows
  • Right-to-forget & right-to-data-access within 30 days, all jurisdictions
  • Pseudonymization with annual key destruction → mathematically anonymous over time
Maps to: GDPR Arts 5/17/25/28/32 · CCPA/CPRA · PIPEDA
Enterprise security

SOC 2 program underway 2026

A SOC 2 program is underway for 2026, and the controls behind it are live today.

  • Encryption in transit and at rest
  • Per-tenant data isolation, SSO, role-based access
  • Published sub-processor list and hosting region
Maps to: SOC 2 Trust Services Criteria · security questionnaires. Aligned with ISO/IEC 42001 Annex A.
Layer 03

Analysis

Deep dives for the people who have to act on this — general counsel, heads of talent, compliance leads.

48 hours
Tracker updated after any material regulatory change.
1 week
Analysis video published after a material change.
In plain terms

What we don’t claim

Candor is part of the position. These are the limits, stated up front.

  • We are not your auditor. Under LL144 you commission the independent bias audit; we ship the evidentiary inputs, not the verdict.
  • We don’t decide who you hire. Every final hiring decision is yours — by design and by law.
  • We don’t reach data we don’t hold. Upstream ATS records and AI-provider prompt history stay with their owners; we tell you exactly what that means for a deletion request.

Hiring you can defend in an audit.

See Amp running