AI System Inventory — Scout
Project: Sable AI Ltd — AI Governance Framework
Stage: Stage 2 — Governance Foundation
Status: Draft
Version: v1
Date: 2026-03-01
Assumptions: Built on outline assumptions — not verified against real Sable AI Ltd data
1. Purpose of This Document
This document is the system registry entry for Scout, Sable AI Ltd's AI-powered CV screening and candidate shortlisting product. It records the technical and operational characteristics of Scout as the foundation for:
- Risk classification —
L1-2.2-Risk-Classification-Framework-v1.md
- Data flow mapping —
L1-2.3-Data-Flow-Map-v1.md
- Downstream regulatory alignment, monitoring, and commercial packaging documents
All infrastructure and operational fields are populated from assumed company characteristics. Fields relying on unverified assumptions are marked [ASSUMPTION].
2. System Registry Entry
2.1 Core Identity
| Field |
Value |
| System name |
Scout |
| System owner |
Sable AI Ltd |
| Version documented |
Production deployment — version not confirmed [ASSUMPTION] |
| Date of this entry |
2026-03-01 |
| Registry maintained by |
CTO / AI Lead [ASSUMPTION] — see L1-2.5-Roles-and-Responsibilities-v1.md (forthcoming) |
| Review frequency |
Annual minimum; on material system change |
2.2 Purpose and Function
| Field |
Value |
| Primary purpose |
AI-powered screening and shortlisting of job candidates based on CV content assessed against a job description |
| Secondary functions |
Candidate ranking by suitability; structured assessment output for recruiter review |
| AI type |
Natural language processing (NLP) via large language model (LLM) applied to text-based CV and job description content [ASSUMPTION] |
| Decision type produced |
Recommendation and ranking — Scout produces a ranked or scored shortlist for mandatory human review; it does not issue final hiring decisions [ASSUMPTION — A-007] |
| Intended users |
Recruiters and HR professionals employed by or contracted to Sable AI Ltd's customers |
| Deployment model |
Software-as-a-service (SaaS) — customer-facing web application [ASSUMPTION] |
2.3 Underlying Model and Infrastructure
| Field |
Value |
| Underlying AI model |
Anthropic Claude API [ASSUMPTION — A-002] |
| Model provider |
Anthropic PBC |
| Model function |
Scout sends extracted CV text and job description content to the Claude API; the model returns a structured assessment or ranked shortlist output [ASSUMPTION] |
| Candidate data used for model training |
No — [ASSUMPTION — A-005]: candidate data submitted through Scout is not used to train Anthropic's foundation models. This must be confirmed against the current Anthropic API usage policy and the terms of the Data Processing Agreement between Sable AI Ltd and Anthropic |
| Cloud hosting |
AWS eu-west-2 (London region) [ASSUMPTION — A-004] |
| Data residency |
UK [ASSUMPTION — A-004] — any deviation would engage UK GDPR Chapter V international transfer obligations |
| Sub-processors |
Anthropic PBC (AI model inference); AWS (infrastructure and storage) [ASSUMPTION] |
2.4 Data Processed
| Field |
Value |
| Input data — candidate |
CV text (unstructured document content); may include name, address, employment history, education, skills, dates, and any additional information included by the candidate [ASSUMPTION] |
| Input data — customer |
Job description text; role criteria; screening parameters set by recruiter [ASSUMPTION] |
| Output data |
Ranked or scored candidate shortlist; structured assessment commentary; suitability indicators [ASSUMPTION] |
| Special category data — intentional |
Not intentionally collected or processed by Scout |
| Special category data — incidental / inferred |
CV content may reveal or allow inference of: racial or ethnic origin; disability or health conditions; religion or belief; age; sex; pregnancy or maternity. The ICO's November 2024 AI in Recruitment Outcomes Report confirmed that "information intentionally inferred in this way is still special category data." Risk is assessed in L1-2.2-Risk-Classification-Framework-v1.md. |
| Data subjects |
Job candidates — individuals who have submitted CVs for consideration for employment |
| Data volume / processing scale |
Not confirmed [ASSUMPTION] — relevant to ICO high-risk processing threshold and Art. 35 DPIA trigger assessment |
2.5 Customer Segments and Data Relationships
| Customer type |
Description |
Controller / processor arrangement |
Key complexity |
| Recruitment agency |
UK recruitment agency using Scout to screen candidates on behalf of employer clients [ASSUMPTION — A-003] |
Complex — agency screens as processor for employer client; whether agency or employer (or both jointly) is the controller of candidate data depends on who determines the purposes of processing [ASSUMPTION — A-008] |
Potential joint controller arrangement between agency and employer under UK GDPR Art. 26 — assessed in L1-2.3-Data-Flow-Map-v1.md |
| In-house HR team |
Corporate HR function using Scout for direct-hire candidate screening [ASSUMPTION — A-003] |
Customer is controller of candidate data; Sable AI Ltd is processor [ASSUMPTION — A-008] |
Simpler controller-processor structure — customer DPA governs |
2.6 Human Oversight Design
| Field |
Value |
| Human review requirement |
Mandatory — [ASSUMPTION — A-007]: Scout outputs are subject to human review by a recruiter or HR professional before any candidate contact is made |
| Review mechanism |
Design and operational rigour of human review step not confirmed [ASSUMPTION] |
| Significance for Art. 22A |
Whether Scout's operation constitutes "solely automated" processing under Art. 22A UK GDPR (as inserted by the Data (Use and Access) Act 2025) depends on whether the mandatory human review is genuinely meaningful. The ICO requires that "the human involvement has to be active and not just a token gesture." This determination is made in L1-2.2-Risk-Classification-Framework-v1.md. [LEGAL REVIEW REQUIRED] |
3. Regulatory Classification Summary
| Regulatory instrument |
Preliminary classification |
Detail |
| UK GDPR / DUAA 2025 Arts. 22A–22D |
To be assessed — conditional on human review quality |
See L1-2.2-Risk-Classification-Framework-v1.md |
| UK GDPR Art. 35 |
DPIA required |
ICO confirms AI-based CV screening is high-risk processing — DPIA must be completed before processing begins |
| Equality Act 2010 |
High discrimination risk |
Automated CV screening risks indirect discrimination against multiple protected characteristics under s. 19 |
| DPA 2018 / UK GDPR Art. 9 |
Special category data risk |
Inferred characteristics (ethnicity, disability) may be special category data requiring Art. 9(2) condition and DPA 2018 Schedule 1 condition |
Full risk tier assignment is in L1-2.2-Risk-Classification-Framework-v1.md.
4. Sub-Processor Chain
| Entity |
Role |
Headquarters |
Data sent |
DPA in place |
Notes |
| Anthropic PBC |
AI model inference (Claude API) |
USA [ASSUMPTION] |
Extracted CV text and job description content [ASSUMPTION] |
[ASSUMPTION — A-005]: DPA assumed to be in place |
International transfer: if Anthropic processes data outside the UK, UK GDPR Chapter V applies — adequacy decision or appropriate safeguards required. Must be confirmed. |
| AWS (eu-west-2) |
Cloud infrastructure and data storage |
USA (region: UK) [ASSUMPTION] |
All Scout application data [ASSUMPTION] |
[ASSUMPTION]: AWS DPA assumed — standard for AWS commercial terms |
AWS eu-west-2 is UK-based; confirm that no data is processed outside this region without appropriate transfer safeguards |
5. Assumptions Flagged in This Document
| Assumption ID |
Statement |
Status |
| A-002 |
Scout uses the Anthropic Claude API as its underlying AI model |
🔴 Unverified |
| A-003 |
Customers include UK recruitment agencies (B2B) and in-house HR teams at UK corporates |
🔴 Unverified |
| A-004 |
Hosting is on AWS eu-west-2 (London region) |
🔴 Unverified |
| A-005 |
Candidate data is not used for model training; DPA with Anthropic is in place |
🔴 Unverified |
| A-007 |
Scout outputs are subject to mandatory human review before candidate contact |
🔴 Unverified |
| A-008 |
Sable AI Ltd's primary role is as data processor to its customers |
🔴 Unverified |
| A-010 |
Scout is deployed as a SaaS web application accessed by customer users via browser |
🔴 Unverified |
| A-011 |
Only extracted CV text and job description text are transmitted to the Anthropic Claude API — no raw document files or additional personal data fields |
🔴 Unverified |
6. Cross-References
| Document |
Relationship |
L1-2.2-Risk-Classification-Framework-v1.md |
Risk tier assignment based on this inventory |
L1-2.3-Data-Flow-Map-v1.md |
End-to-end data flow from this system profile |
L1-2.4-Governance-Policy-v1.md (forthcoming) |
Governance obligations applying to Scout |
L1-2.5-Roles-and-Responsibilities-v1.md (forthcoming) |
Accountability owners for Scout |
L2-3.1-UK-GDPR-Mapping-Matrix-v1.md (forthcoming) |
Full UK GDPR obligation mapping for Scout's processing activities |
L2-3.4-DPIA-Template-v1.md (forthcoming) |
Full DPIA for Scout's CV screening workflow |
L4-5.1-Data-Processing-Agreement-Template-v1.md (forthcoming) |
Customer DPA templates (agency and in-house HR variants) |
This document is a draft built on assumed company characteristics. All [ASSUMPTION] fields must be validated against actual Sable AI Ltd operational data before use. Legal review is required before this framework is used for compliance purposes.