Can Claude Cowork be used to analyze CVs in France?

Yes for targeted use cases (1 CV, small batch, role-specific project), provided you sign Anthropic's DPA, respect candidate disclosure (GDPR Art. 13) and ensure real human supervision (Art. 22). No for scanning a full database, both for technical reasons (tokens, context) and legal ones (CLOUD Act, purpose limitation).

Does the CLOUD Act really apply to European data?

Yes. The CLOUD Act (H.R. 4943, 2018) lets U.S. judicial authorities compel a U.S.-jurisdiction provider to hand over data stored anywhere in the world, including Europe. That precise point led the CJEU to invalidate the Privacy Shield in Schrems II (C-311/18, July 2020). A European datacenter run by a U.S. vendor does not neutralize that obligation.

Does the AI Act sanction the use of Claude for recruitment?

The AI Act does not target the tool, it targets the deployer. Recruitment is classified as a high-risk AI system (Annex III, point 4). From August 2, 2026, the deployer must keep an AI Act register, run a FRIA, document human supervision and pass a conformity assessment. Penalties up to 15M euros or 3% of annual global turnover.

What is the sovereign alternative to Claude for CV analysis?

A stack built on European open models (Mistral Large, Mixtral) served by vLLM or TGI on sovereign infrastructure. That is precisely the architecture JobAffinity relies on, hosted at Scaleway in France (datacenters certified APSAD R13, HDS-qualified, SecNumCloud in progress). Coupled with a vector DB index (Qdrant, Weaviate) on the existing CV database. Quality on par with U.S. models, EU jurisdiction end to end.

How much does scanning 70,000 CVs with Claude Sonnet 4.6 cost?

About 420 dollars per full scan in raw input. Math: 70,000 CVs x 2,000 tokens approx 140 million tokens, so 140 calls minimum within a 1M-token window, at 3 dollars per million input tokens. On every new business query against the database. Prompt caching reduces this cost but with limited lifetime, poorly suited to recurring HR usage.

Is a human validating an AI shortlist enough to be compliant?

No, not if they validate mechanically. The CJEU ruled in 2023: an operator who rubber-stamps the algorithm's output without effective discretion does not move the processing out of GDPR Article 22. Practical consequence: human supervision must be documented, the decision-maker must see qualitative inputs and have real latitude to override the score.

Claude Cowork and CVs: what works, what breaks (2026)

The scenario we hear every week

An HR director calls us: "Can you plug our ATS into Claude Cowork? We have 70,000 CVs in the database, we'd like the AI to find the right profiles for each new role."

Honest answer. Technically, it works for some use cases, not that one. Legally, it doesn't hold up. And if you're already with us, the right answer is within reach: a sovereign, compliant, useful HR AI.

We take the three questions in order, no dogma, no hiding what breaks.

Technically: it works, and it doesn't

Context is not a database

First confusion to clear up. Even if Claude can access a folder containing all your CVs, it only knows what fits into context. Context is the working memory of the current conversation, and it has a hard limit.

It's misleading: you test on 10 CVs, it works, you think "great, I'll feed it the whole base." It doesn't. A folder of 70,000 CVs stays a closed box. Claude looks at what you ask it to open, within what fits the window. The rest doesn't exist for the conversation. It's a conversational copilot, not an index.

What actually works

For targeted use cases, Cowork is useful.

Deep analysis of one CV against a job description: gaps, interview questions, fuzzy areas.
Small batch (10 to 30 CVs) to pre-shortlist on a given role with your evaluation grid. Sonnet 4.6's context window (1 million tokens GA since March 2026) handles this without issue.
Interview preparation: tailored questions, traps, watch-outs.
Drafting: LinkedIn outreach, rejection notes, debriefs, follow-ups. Massive time savings.
Cowork projects scoped to one role: persisting the manager brief, JD, grid and pre-selected CVs.

And we haven't even mentioned hallucinations and procedure drift.

What doesn't work, with the math

"Score my 70,000 CVs, show the top 50 for this role." This request breaks for two simple reasons.

Context window. An average PDF CV weighs about 2,000 tokens. 70,000 x 2,000 = 140 million tokens. Sonnet 4.6's max window: 1 million. You need 140 calls minimum to sweep the base.

Cost. Anthropic 2026 pricing: 3 dollars per million input tokens on Sonnet 4.6. 140 x 3 = 420 dollars per full scan, raw input only, on every new business query. Multiply by the queries you run in a week. Prompt caching cuts the bill (up to 90% on hits) but the cache lives 5 minutes, poorly compatible with HR usage spread across the day.

Continuous search. You want the AI to flag when a new CV matches an open role. Cowork doesn't do that. You need a system, not a copilot.

The right architecture

The ATS stays the index, the filter, the audit trail. The LLM is the qualitative copilot. Complementary, not interchangeable.

Legally: it doesn't work

Anthropic DPA mandatory (GDPR Art. 28, non-EU processor). No DPA signed, no legal transfer.

Candidate disclosure (Art. 13). Your privacy notice must explicitly mention the use of a third-party AI tool outside the EU and the purpose. Many notices are silent, that's the typical breach the CNIL retains.

Purpose limitation (Art. 5.1.b). A CV received for a specific role cannot be reused for a different role without a new legal basis. The trap: "we already have it, we'll use it." No. The original purpose tied the data to the original role.

Real human supervision (Art. 22). The CJEU clarified in 2023 that a human who validates mechanically, without effective discretion, does not move the processing out of Art. 22. Ticking "approved" on 200 lines does not save the procedure.

B. CLOUD Act: the point nobody raises

The CLOUD Act (H.R. 4943, 2018) lets U.S. judicial authorities compel a provider under U.S. jurisdiction to hand over data stored anywhere in the world.

That's what the CJEU sanctioned by invalidating the Privacy Shield in Schrems II (C-311/18, 2020): U.S. law does not meet European standards of proportionality or effective remedy. The 2023 Data Privacy Framework changes nothing about the underlying FISA 702 powers.

Consequence: even if Anthropic opened a Strasbourg datacenter tomorrow, your CVs could legally leave the EU on a U.S. requisition, without notifying the data controller. A European datacenter does not neutralize U.S. jurisdiction.

C. AI Act: the calendar coming fast

The European regulation classifies recruitment among high-risk AI systems (Annex III, point 4). Obligations enter into force on August 2, 2026.

For you, the deployer (the employer, not Anthropic, not Intuition Software):

AI Act register
FRIA, fundamental rights impact assessment for candidates
Documented and operable human supervision
Conformity assessment, data governance
Reinforced transparency to candidates

Penalties: up to 15 million euros or 3% of annual global turnover, whichever is higher. The model vendor doesn't pay. The organization that decides does.

If you're with us, you already have the right solution: AI and sovereign

JobAffinity, published by Intuition Software, is one of the rare ATSes to have taken AI seriously from the start, without the "our AI makes coffee" marketing. Our line: total sovereignty, total compliance, useful features, zero AI washing.

Concretely, your data is hosted at Scaleway, the French provider chosen by the French State for sensitive projects. Datacenters certified APSAD R13, qualified HDS, SecNumCloud qualification in progress. 4 million CVs per year flow through this infrastructure, in France, beyond CLOUD Act reach. French AI, self-hosted, no U.S. model in the chain. CNIL-registered DPO, native GDPR, 24/7 CSIRT, incremental backups, rollback in under 5 minutes. Verifiable on intuition-software.com/fr/confiance.

European open models do the job

Mistral Large, Mixtral 8x22B (Apache 2.0): on HR tasks (CV analysis, matching, interview prep, drafting), the level matches GPT-4 and Claude. In practice, the gap is invisible.

A mature sovereign infrastructure

Scaleway, 3DS Outscale qualified SecNumCloud 3.2, OVH on Hosted Private Cloud, nine providers qualified in 2026 and twelve applications pending at ANSSI. The ecosystem is here.

The stack in practice

Dedicated GPU at the sovereign provider, A100 or H100
European open models served by vLLM or TGI, strict self-hosting
European embeddings (BGE, Mistral Embed) on the CV base, indexed in Qdrant or Weaviate
Semantic search in O(log n), not O(n): no full-scan, no thousands of dollars per query
LLM as copilot on profiles returned by the vector DB

Compliance by design: AI Act register, integrated FRIA, traceability, EU jurisdiction end to end.

Decision grid: three questions, then we cut

For each use case, three questions.

1. Technically suited? Is the LLM the right tool, at this scale, at this marginal cost per query? If the answer means scanning the whole base on every question, go back to the architecture.

2. GDPR + CLOUD Act + AI Act compatible? DPA signed, purpose respected, real human supervision, AI Act register, FRIA. And above all: can the data legally leave the EU under foreign jurisdiction?

3. Aligned with your candidate commitment on data? What your privacy notice and employer charter actually say. Coherence or rupture?

A single red box: don't plug. For three green boxes at scale, the path exists. Sovereign, not American. That's the line we've held at Intuition Software since 2009.

Can you use Claude Cowork to manage CVs?

The scenario we hear every week