Sub-processors
Sub-processors
Reviewed by counsel pre-launch — final review pending. This document was drafted from a Termly template and customised by the CAREER iNTEL team. Formal counsel review is scheduled post-first-revenue (D-16). Material questions can be directed to [email protected].
Last updated: 2026-05-20
We engage the following sub-processors to deliver CAREER iNTEL. Engagement is on a least-data + least-privilege basis. New sub-processors are announced 30 days before activation via email + in-app banner.
Data region: United States. Production data is stored in the US (Hetzner, Ashburn, VA). For our international customers (EU/EEA, UK, Nigeria, Canada), transfers to the US and to the sub-processors below are covered by appropriate safeguards — the EU-US Data Privacy Framework, the 2021 Standard Contractual Clauses, and/or the UK IDTA, as applicable. The "Transfer mechanism" column below records the safeguard relied on for each sub-processor.
Sub-processor table
US / global processors are listed first, followed by international processors.
| Sub-processor | Purpose | Data categories | Region | Transfer mechanism | Privacy policy |
|---|---|---|---|---|---|
| Stripe | Payment processing | Tokenised card, name, billing address | US | US (domestic) | https://stripe.com/privacy |
| OpenRouter | LLM gateway (model routing) | Scrubbed user prompts + AI responses, latency + cost metrics | US | US (domestic) | https://openrouter.ai/privacy |
| Anthropic | Downstream LLM provider via OpenRouter (Claude Sonnet 4.6 + Opus 4.7) | Scrubbed prompt content + AI responses | US | US (domestic) via OpenRouter | https://www.anthropic.com/privacy |
| Meta | Downstream LLM provider via OpenRouter (Llama 3.1 70B Instruct) | Scrubbed prompt content + AI responses | US (Llama hosted on partner clouds) | US (domestic) via OpenRouter | https://www.meta.com/policies/privacy/ |
| Sentry (SaaS) | Error monitoring + sourcemap upload | PII-scrubbed exception traces | US (SaaS) | US (domestic) | https://sentry.io/privacy/ |
| Cloudflare | CDN + DNS + Cloudflare Access Zero Trust | IP, request headers, access JWTs | Global edge | DPF / 2021 SCCs (for intl-customer traffic) | https://www.cloudflare.com/privacypolicy/ |
| Unstructured.io | PDF/DOCX hi-res parse strategy (resume parse fallback) | Uploaded resume binary | US | US (domestic) | https://unstructured.io/legal-pages |
| Mistral AI | Downstream LLM provider via OpenRouter (Mixtral 8x22B Instruct fallback) | Scrubbed prompt content + AI responses | EU (FR) | SCCs via OpenRouter (US ↔ EU) | https://mistral.ai/terms/ |
| Brevo | Transactional email + Premium/Accelerator waitlist | Email, name, tier preference | EU (FR) | SCCs (US ↔ EU) | https://www.brevo.com/legal/privacypolicy/ |
| Hetzner | Hosting infrastructure (CX22 / CCX23) | All production data | US (Ashburn, VA) | US (domestic) | https://www.hetzner.com/legal/privacy-policy |
Phase-specific additions
The following sub-processors will be added in later phases. We will give 30 days' notice before activation.
| Phase | Sub-processor | Purpose |
|---|---|---|
| Phase 2 | OpenAI Whisper (or self-hosted faster-whisper on Hetzner) | Voice mock interview transcription |
| Phase 2 | PostHog (self-hosted on Hetzner) | Product analytics |
| Phase 3 | Postal (self-hosted on Hetzner) | Transactional email — replaces Brevo |
| Phase 3 | Microsoft Graph API | Outlook Calendar write-only |
| Phase 4 | Paystack | Payment processing (NGN) |
| Phase 4 | Flutterwave | Payment processing (KE/GH/ZA + pan-Africa) |
Operator-only access
The following access channels are used by our staff only — not as sub-processors of your data:
- Coolify — self-hosted on our infrastructure; not a third-party processor
- OpenBao — self-hosted Transit secrets engine; the encryption key custodian, not a processor of plaintext data
- PostgreSQL 16 — self-hosted; not a third-party processor
- GitHub — code repository only; no Personal Data of customers stored
- 1Password Family — operator credentials only
Data minimisation across sub-processors
| Sub-processor | Data minimisation applied |
|---|---|
| Stripe | We never see raw card data; Stripe tokenises at the browser |
| Brevo | Email + tier only; we don't send name unless required for transactional content |
| OpenRouter | Prompt-injection sanitizer applied before send; no profile-PII appended unless task requires it |
| Anthropic / Meta / Mistral | Downstream of OpenRouter sanitization |
| Hetzner | Operates infrastructure layer; no data-content access |
| Cloudflare | Operates CDN/DNS/Access layer; only sees encrypted TLS payloads + access JWTs |
| Sentry | PII scrubber (cookie + cf-access-jwt + email + IP) before send (S6b) |
| Unstructured.io | Resume binary only; no cross-resume correlation |
How to object to a sub-processor
If a new sub-processor we list will not be removable, you may terminate the service for cause. Contact [email protected] within 30 days of notification.
Reviewed by counsel pre-launch — final review pending.