Applied - predictive and bias-free hiring platform

Applied is a hiring platform built using behavioural science that helps organisations to hire the best person, without bias. We use data to promote better hiring decisions.

Spun out of the Behavioural Insights Team, Board including Harvard Prof Iris Bohnet.


  • Blind / anonymised screening/sifting of candidates
  • Signature de-biased selection tool including anonymisation, chunking, crowdsourcing, randomisation
  • De-biased interview module that supports scoring, scheduling, and feedback
  • Predictive, skill-based selection tools including work samples/job previews
  • Extensive candidate feedback based on skill strengths and weaknesses
  • Hiring team/candidate feedback to measure experience and promote employer brand
  • Job description/ad text analysis to remove bias and improve conversion
  • Data analytics/reporting including diversity pipeline, adverse impact, predictive validity, sourcing
  • APIs/integrations to job boards, other ATSs, and selection/assessment tools
  • UX/UI focusing on accessibility and delivering simplicity for all users


  • Evidence-backed platform that improves diversity/inclusion by removing unconscious bias
  • Improves the quality and the speed of hiring decisions
  • Candidate-friendly platform with behavioural reminders, and two-way feedback tools
  • Elaborate data analytics/tracking to measure what works and experimentation
  • Demonstrated 3x improvement in the quality and conversion of candidates
  • Demonstrated 67% reduction in sift time and interview efficiency
  • Improves attraction/sourcing, including diverse candidate pools, and ROI calculations
  • State-of-the-art user experience including behavioural 'nudges'; and simple, accessible UX/UI
  • Interview management that de-biases, shows predictive validity, and interviewer data
  • Predictive selection/assessment tools that focus on skills


£500 per licence per month

Service documents


G-Cloud 11

Service ID

3 2 5 3 7 2 0 1 2 2 2 5 9 7 9



Andrew Babbage


Service scope

Service scope
Software add-on or extension Yes, but can also be used as a standalone service
What software services is the service an extension to We also provide a standalone text-based job description analysis tool that improves diversity/inclusion and conversion.

We also hold APIs to other ATSs, assessment/selection tools, and job boards.
Cloud deployment model Public cloud
Service constraints None
System requirements
  • Internet connection
  • License to use the Applied software

User support

User support
Email or online ticketing support Email or online ticketing
Support response times During weekdays, we aim to get back to those with queries within the day if we can, and weekends 24-36 hours (urgent cases only).
User can manage status and priority of support tickets Yes
Online ticketing support accessibility WCAG 2.1 AA or EN 301 549
Phone support Yes
Phone support availability 24 hours, 7 days a week
Web chat support Web chat
Web chat support availability 9 to 5 (UK time), Monday to Friday
Web chat support accessibility standard WCAG 2.1 AA or EN 301 549
Web chat accessibility testing As we use an external web chat system, we rely on their wider platform accessibility standards.
Onsite support Yes, at extra cost
Support levels Customers will receive full onboarding support and a dedicated account manager who will manage the provision of technical support. Depending on the scope of a project, dedicated technical and engineering teams, or additional data analytics, can also be provided. The cost for these staff are priced based on their day rates.
Support available to third parties Yes

Onboarding and offboarding

Onboarding and offboarding
Getting started New users are provided with a choice of digital or onsite training, this training is provided by members of the account management team at Applied. All users receive comprehensive guidance on how to use the product via the application and product website.
Service documentation Yes
Documentation formats
  • HTML
  • PDF
End-of-contract data extraction Users can self-service extract the standard data from the system during and at the end of their contract. There is no additional charge for this. If users would like access to custom datasets, these can be supplied on a fee basis.
End-of-contract process Their logins and access to the account with be removed upon their request or contract end date.

Using the service

Using the service
Web browser interface Yes
Supported browsers
  • Internet Explorer 10
  • Internet Explorer 11
  • Microsoft Edge
  • Firefox
  • Chrome
  • Safari 9+
  • Opera
Application to install No
Designed for use on mobile devices Yes
Differences between the mobile and desktop service Cosmetic layout differences
Service interface No
What users can and can't do using the API We provide a web-hook API to capture hiring events in real-time. It's a read-only service and there are no usage limits.
API documentation Yes
API documentation formats HTML
API sandbox or test environment Yes
Customisation available Yes
Description of customisation Specific content can be customised directly by the hiring manager, such as the questions applicants need to answer, and the automated emails sent to applicants. Further customisation is possible but would be performed by the Applied team at the specific request of customers.


Independence of resources Applied is a single stable platform. There are two ways in which we ensure all customer demands are met.

- Branches and staging sites for product updates. New product features and updates are created in an environment that is separate from the customer version of the product.

- Dedicated account, technical and service teams.


Service usage metrics Yes
Metrics types Applied provides tracking and analytics on candidate interactions with the system. For example

- Drop off pipeline data against diversity metrics
- Performance of candidates in application process
- Performance of hiring teams - reviewers and interviewers
- Predictive validity of skills questions
- Performance of job board and sourcing channels by diversity and quality of candidate
- Volume of hiring team usage
- Time to hire
- Feedback from candidates and hiring teams
Reporting types
  • Real-time dashboards
  • Regular reports
  • Reports on request


Supplier type Not a reseller

Staff security

Staff security
Staff security clearance Other security clearance
Government security clearance Up to Developed Vetting (DV)

Asset protection

Asset protection
Knowledge of data storage and processing locations Yes
Data storage and processing locations United Kingdom
User control over data storage and processing locations No
Datacentre security standards Complies with a recognised standard (for example CSA CCM version 3.0)
Penetration testing frequency At least once a year
Penetration testing approach ‘IT Health Check’ performed by a Tigerscheme qualified provider or a CREST-approved service provider
Protecting data at rest
  • Physical access control, complying with CSA CCM v3.0
  • Encryption of all physical media
Data sanitisation process Yes
Data sanitisation type
  • Explicit overwriting of storage before reallocation
  • Deleted data can’t be directly accessed
Equipment disposal approach Complying with a recognised standard, for example CSA CCM v.30, CAS (Sanitisation) or ISO/IEC 27001

Data importing and exporting

Data importing and exporting
Data export approach Data can be exported by users in the application. The standard format for this is via a CSV file.
Data export formats
  • CSV
  • ODF
Data import formats
  • CSV
  • ODF

Data-in-transit protection

Data-in-transit protection
Data protection between buyer and supplier networks IPsec or TLS VPN gateway
Data protection within supplier network TLS (version 1.2 or above)

Availability and resilience

Availability and resilience
Guaranteed availability We guarantee uptime of 99.5% and offer a pro-rata refund at 10x time. This means that 10.5% downtime would result in a full refund.
Approach to resilience All parts of our service except for the primary database are stateless & very portable, so can either scale horizontally under load, or be quickly rerouted to a fail-over host in case of datacentre problems. Catastrophic failure of the primary database would require using backups & transaction logs to restore data so would cause downtime (to avoid data loss).

Additional information available on request.
Outage reporting Applied has a public status dashboard and an automatically updated twitter account which reports outages to users.

Identity and authentication

Identity and authentication
User authentication needed Yes
User authentication Username or password
Access restrictions in management interfaces and support channels The user's assigned role is checked on every operation.
Access restriction testing frequency At least once a year
Management access authentication Username or password

Audit information for users

Audit information for users
Access to user activity audit information You control when users can access audit information
How long user audit data is stored for At least 12 months
Access to supplier activity audit information You control when users can access audit information
How long supplier audit data is stored for At least 12 months
How long system logs are stored for Less than 1 month

Standards and certifications

Standards and certifications
ISO/IEC 27001 certification No
ISO 28000:2007 certification No
CSA STAR certification No
PCI certification No
Other security certifications Yes
Any other security certifications Cyber Essentials

Security governance

Security governance
Named board-level person responsible for service security Yes
Security governance certified Yes
Security governance standards Other
Other security governance standards We're certified for Cyber Essentials, but are compliant (but not certified) with most of the relevant portions of CSA CCM3, PCI-DSS, and ISO27001
Information security policies and processes Please refer to our security policy ( Access to internal policies available on request.

Operational security

Operational security
Configuration and change management standard Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Configuration and change management approach All changes to infrastructure go through our risk management process, and the potential impact of failures assessed, and mitigated where necessary.

Accepted changes are applied programatically, ensuring our records are always correct. Records are fully version controlled and auditable.

Software changes are reviewed against our security policy. Resulting code changes are fully auditable and are subject to our release procedure, including several types of testing and peer review. We automatically track security flaws and licencing problems in any proprietary or open source components or libraries.
Vulnerability management type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Vulnerability management approach We use open resources like OWASP, vendor advisories, and dependency monitoring services to understand the attack vectors we need to protect against. We also commission penetration tests at regular 6 month intervals, and disseminate the learnings amongst developers.

Patches are typically deployed within 24 hours of receipt.

Where possible, we automate the testing of common application-layer issues. For example, automated testing that fails a build if it finds instances where external input is rendered without being sanitised for XSS.
Protective monitoring type Conforms to a recognised standard, for example CSA CCM v3.0 or SSAE-16 / ISAE 3402
Protective monitoring approach We log all activity centrally so that we can monitor the application as a whole or one component at a time, and have alerts set up that notify us of unusual patterns immediately.

Depending on the severity of the incident it is either escalated immediately, or marked for analysis.

Upon discovering a potential compromise we notify affected customers and end-users within 72 hours (to balance those parties' right to know with our need to find out the facts and any meaningful remedies).
Incident management type Conforms to a recognised standard, for example, CSA CCM v3.0 or ISO/IEC 27035:2011 or SSAE-16 / ISAE 3402
Incident management approach Customers and end-users can report events by email or phone. Our centralised log alerting can also warn us of incidents.

All incidents then follow our incident management process, which can result in escalation to the CTO. They're assessed for for cause, and impact, and where necessary a response plan is triggered. Anticipated incidents, e.g. catastrophic database server failure, or DDoS attacks on DNS providers, are planned in advance.

Notification of an incident is communicated to customers ASAP (currently within 1 hour, but soon in real-time), and explanation of the incident and action plan follows within 72 hours.

Secure development

Secure development
Approach to secure software development best practice Conforms to a recognised standard, but self-assessed

Public sector networks

Public sector networks
Connection to public sector networks No


Price £500 per licence per month
Discount for educational organisations No
Free trial available Yes
Description of free trial Try out our Job Description Analysis Tool and analyse your job descriptions for potentially problematic words that impact on the job description's inclusivity. Use the tool unlimited times to get an inclusion and conversion score, or sign up for full access to the tool for 1 week.
Link to free trial

Service documents

Return to top ↑