Why This Decision Matters More Than Most HR Teams Realise
The decision between self-hosted and SaaS recruitment software is typically made on three criteria: cost, ease of deployment, and feature set. Compliance comes fourth, if it comes at all. For organisations operating under GDPR, HIPAA, or FCA regulation, this order of priorities creates significant legal exposure.
Candidate personal data — names, contact details, CV content, employment history, salary expectations, assessment scores — is classified as personal data under GDPR Article 4. When that data is processed by a third-party SaaS vendor, your organisation becomes the Data Controller and that vendor becomes the Data Processor. The obligations that flow from that relationship are not trivial.
GDPR Article 28 requires a binding Data Processing Agreement with every vendor that processes personal data on your behalf. Many SaaS ATS contracts include DPA language — but the terms they offer are the vendor's terms, not yours. Your DPO should review these before any data is uploaded.
The GDPR Legal Framework — What Actually Applies
The GDPR articles below create the core compliance framework for recruitment software decisions. Understanding them is the starting point for any deployment evaluation.
| GDPR Article | What It Requires | Self-Hosted Impact | SaaS Impact |
|---|---|---|---|
| Article 5 — Data Minimisation | Collect only what is necessary for the stated purpose | Full control over what is collected | Dependent on vendor's data model |
| Article 17 — Right to Erasure | Delete personal data on request, within 30 days | Direct deletion — no vendor dependency | Requires vendor cooperation |
| Article 25 — Privacy by Design | Embed data protection into system design from the start | Architecture entirely under your control | Dependent on vendor's architectural choices |
| Article 28 — Data Processor Requirements | Binding DPA with every processor; specific clauses required | No third-party processor | Mandatory DPA — vendor's terms typically apply |
| Article 32 — Security of Processing | Appropriate technical and organisational security measures | Full control — encryption, access, audit | Dependent on vendor's security posture |
| Article 46 — Cross-Border Transfers | Adequate safeguards required for non-EEA data transfers | No cross-border transfer if on-premises | Risk if vendor infrastructure is outside EEA |
| Article 83 — Administrative Fines | Fines up to €20M or 4% annual global turnover | Full organisational accountability | Shared — but you remain the Data Controller |
The Cross-Border Transfer Problem — SaaS Specific
Most enterprise SaaS recruitment platforms are headquartered in the United States, with server infrastructure that may span multiple regions. Under GDPR, transferring personal data outside the EEA requires one of the following safeguards: an adequacy decision, Standard Contractual Clauses (SCCs), or Binding Corporate Rules.
The UK-US Data Bridge (successor to Privacy Shield) provides a framework for US transfers — but only for US organisations that have self-certified under the framework. Before signing any SaaS ATS contract, your DPO should verify the vendor's transfer mechanism and jurisdiction.
"The question is not whether your SaaS vendor has a DPA. They all do. The question is whether their DPA gives your DPO the control they actually need — or just the appearance of it."
— Cognitosage Compliance Team
The Decision Framework — Six Questions Your DPO Should Ask
Before selecting a deployment model, any organisation processing candidate data at scale should be able to answer the following six questions. The answers determine whether SaaS or self-hosted is the compliant choice for your specific context.
| # | Question | If Yes — Implication | Recommended Model |
|---|---|---|---|
| 1 | Does your industry have sector-specific data regulations beyond GDPR? (HIPAA, FCA, NHS DSP Toolkit) | Sector regulation may require explicit data residency or self-hosting | Self-Hosted |
| 2 | Do you process candidate data for roles with security clearance requirements? | National security and vetting regulations typically prohibit third-party cloud processing | Self-Hosted |
| 3 | Has your board or DPO mandated that candidate data stays on-premises? | Board mandate supersedes cost/convenience considerations | Self-Hosted |
| 4 | Do you need to demonstrate data sovereignty to clients or regulators? | Client contracts may require documented on-premises processing | Self-Hosted |
| 5 | Do you lack internal DevOps capability for platform maintenance? | Without maintenance resource, self-hosted creates compliance risk through patching gaps | Managed Cloud or Hybrid |
| 6 | Do you need fastest possible time-to-value for a pilot or trial? | Managed cloud deployment eliminates infrastructure setup — live within hours | Managed Cloud → Migrate Later |
Industry-Specific Requirements — Beyond GDPR
For organisations in regulated industries, GDPR is the floor, not the ceiling. Sector-specific regulations create additional requirements that further distinguish the two deployment models.
| Industry | Regulation | Key Requirement | Self-Hosted Advantage |
|---|---|---|---|
| Financial Services (UK) | FCA SYSC 8 / SM&CR | Senior manager accountability for data processing decisions | Full audit trail, no vendor dependency in accountability chain |
| Healthcare (US) | HIPAA | Business Associate Agreement; minimum necessary standard | No BAA required; data never leaves covered entity's environment |
| Healthcare (UK) | NHS DSP Toolkit | Data Security and Protection Toolkit compliance | On-premises satisfies data residency requirements |
| Government / Defence | OFFICIAL-SENSITIVE / SC cleared | Data processed in accredited environment only | On-premises accreditation possible; cloud typically not permitted |
| Legal (UK/EU) | SRA / Bar Standards Board | Client confidentiality obligations extend to staff data handling | No third-party exposure of candidate data relating to client matters |
| All EU/UK Orgs >250 employees | GDPR Article 30 | Records of processing activities; DPA with every processor | Zero third-party processor records required for candidate data |
The Hybrid Path — Start Managed, Migrate to Self-Hosted
The deployment choice does not have to be permanent or binary. The most pragmatic approach for many organisations — particularly those piloting AI recruitment automation for the first time — is a managed cloud deployment to begin, with a planned migration to self-hosted once the platform is configured and validated.
This approach offers three specific advantages:
- Fastest time to first shortlist — managed cloud deployments are live within hours, with no internal infrastructure work required
- Proof of value before infrastructure investment — your leadership team sees ranked shortlists on real candidates before any data sovereignty architecture is designed
- Clean migration path — a well-architected platform (like CognitoHire) stores data in standard PostgreSQL, making migration to self-hosted a clean, documented process rather than a vendor lock-in escape
| Factor | Managed Cloud | Self-Hosted |
|---|---|---|
| Time to first shortlist | Hours | 24 hours |
| Internal setup required | None | Standard PostgreSQL + Node.js |
| Data leaves your infrastructure | No — isolated, encrypted | Never |
| GDPR DPA required | Yes — Cognitosage DPA provided | No |
| Suited for regulated industries | Most cases | All cases including highest-security |
| External API cost per query | $0 | $0 |
| Migration between models | Supported — standard PostgreSQL, documented migration | |
The Bottom Line for Your DPO and Board
The deployment decision for recruitment software is a compliance decision first, a cost decision second, and a convenience decision third. The organisations that get into compliance trouble are the ones that make it the other way around.
For most organisations in financial services, healthcare, legal, or government — or any organisation where board-level data governance has been explicitly established — self-hosted is the appropriate default position. The question is not whether self-hosted is more complex. It is whether the compliance risk of the alternative is acceptable.
For organisations that need to move fast and prove value first, managed cloud is a legitimate and compliant starting point — provided the vendor's DPA is reviewed, the data residency is confirmed, and the migration path to self-hosted is documented before go-live.
Not Sure Which Deployment Model Is Right for Your Organisation?
Our team will review your compliance requirements and advise on the right deployment model for your specific context — GDPR, HIPAA, FCA, or NHS DSP Toolkit. No commitment required.