Most ATSs collect candidate documents on day one and forget to delete them on day 200. Vault Hire does the opposite: nothing leaves your vault until the moment it's legally required. Employers see a signal that you have what they need — not the document itself — until you both reach the stage where release is justified.
Signal, not document
A "verified" badge tells the employer Vault Hire holds your document — without the document leaving your vault until you decide it should. Generic by design: never the document type, country, or expiry until release stage.
Stage-locked release
Each item has a declared stage at which the actual content is shared (pre-offer / post-acceptance / never). Release rules are enforced server-side, not in the UI.
Lawful basis per item
Every requirement an employer adds carries one of four UK GDPR Article 6 bases. Restricted items (credit check, DBS Standard/Enhanced, FINRA U4, fingerprint) are blocked unless the role is flagged with the matching regulator context.
Ranking-blind by architecture
Pack readiness signals are deliberately isolated from our credibility-scoring, matching and AI surfaces. A "ready pack" never moves you up an algorithmic ranking. The mechanism that guarantees this is covered under our security briefing (NDA).
How it feels for both sides
A high-level view of the flow. The step-by-step mechanics — including the enforcement layer that makes early-stage release impossible even for employer admins — are covered in our security briefing under NDA.
01Employer publishes a manifest. When the job is created, they pick exactly which items they need and declare a lawful basis + release stage for each. Restricted items are blocked unless the role is genuinely regulated.
02Candidate sees the checklist. On the application, you see exactly what's needed and what you already hold. For each item you have, you decide whether to switch the "signal" ON.
03Employer sees coarse signals. "Pack 4/7 ready" — never the document. Every view by the employer is logged in your candidate audit log.
04Release happens at the declared stage. Early-stage access to a later-stage document is architecturally impossible — including for employer admins.
05Revoke any time. Withdraw the application and the signals + audit linkage are tombstoned in line with our retention policy.
What a real pack looks like
Examples from our public template catalogue (employers can edit or write their own).
Standard hire
Baseline compliance pack for non-regulated roles.
rtw·Post-acceptance
id_verification·Post-acceptance
reference·Pre-offer
Banking Senior Manager Function (UK SMCR)
FCA/PRA (UK)
FCA Senior Manager Function — full SMCR pack incl. SYSC 22 6-year regulatory references.
§UK GDPR Art. 5(1)(c) — data minimisation. Only the minimum personal data necessary for the specified purpose.
§UK GDPR Art. 25 — data protection by design and by default. Default settings limit what is processed.
§UK GDPR Art. 7(4) — consent must be freely given. Our UI never penalises candidates who don't toggle signals on.
§UK Equality Act 2010 — restricted checks (credit, DBS Std/Enh) gated by role flag to prevent indirect discrimination.
§FCA SYSC 22 — regulatory references for SMF moves with 6-year lookback handled as a first-class item.
§EU AI Act Art. 6 / Annex III — pack readiness signals are deliberately kept outside the data fed to any ranking model. Architectural detail covered under NDA.
Pack preview
Pick your regulator — see exactly what we'd collect
Every line below is gated by the candidate's explicit signal toggle. The pack updates live as you switch regulators.
FCA/PRA (UK)
FCA Senior Manager Function — full SMCR pack incl. SYSC 22 6-year regulatory references.
rtw·Post-acceptance
id_verification·Post-acceptance
regulatory_reference·Pre-offer6-yr lookback
dbs_standard·Post-acceptance
credit_check·Pre-offer
sanctions_screening·Pre-offer
fca_fit_proper·Post-acceptance
professional_qualification·Pre-offer
Already in a vendor review?
If your compliance team has a security questionnaire, ask us for portal access — you can submit questions one-by-one and we (or our AI, with full source citations) will answer.