Sub-processors

Sub-processors

Reviewed by counsel pre-launch — final review pending. This document was drafted from a Termly template and customised by the CAREER iNTEL team. Formal counsel review is scheduled post-first-revenue (D-16). Material questions can be directed to [email protected].

Last updated: 2026-05-20

We engage the following sub-processors to deliver CAREER iNTEL. Engagement is on a least-data + least-privilege basis. New sub-processors are announced 30 days before activation via email + in-app banner.

Data region: United States. Production data is stored in the US (Hetzner, Ashburn, VA). For our international customers (EU/EEA, UK, Nigeria, Canada), transfers to the US and to the sub-processors below are covered by appropriate safeguards — the EU-US Data Privacy Framework, the 2021 Standard Contractual Clauses, and/or the UK IDTA, as applicable. The "Transfer mechanism" column below records the safeguard relied on for each sub-processor.


Sub-processor table

US / global processors are listed first, followed by international processors.

Sub-processorPurposeData categoriesRegionTransfer mechanismPrivacy policy
StripePayment processingTokenised card, name, billing addressUSUS (domestic)https://stripe.com/privacy
OpenRouterLLM gateway (model routing)Scrubbed user prompts + AI responses, latency + cost metricsUSUS (domestic)https://openrouter.ai/privacy
AnthropicDownstream LLM provider via OpenRouter (Claude Sonnet 4.6 + Opus 4.7)Scrubbed prompt content + AI responsesUSUS (domestic) via OpenRouterhttps://www.anthropic.com/privacy
MetaDownstream LLM provider via OpenRouter (Llama 3.1 70B Instruct)Scrubbed prompt content + AI responsesUS (Llama hosted on partner clouds)US (domestic) via OpenRouterhttps://www.meta.com/policies/privacy/
Sentry (SaaS)Error monitoring + sourcemap uploadPII-scrubbed exception tracesUS (SaaS)US (domestic)https://sentry.io/privacy/
CloudflareCDN + DNS + Cloudflare Access Zero TrustIP, request headers, access JWTsGlobal edgeDPF / 2021 SCCs (for intl-customer traffic)https://www.cloudflare.com/privacypolicy/
Unstructured.ioPDF/DOCX hi-res parse strategy (resume parse fallback)Uploaded resume binaryUSUS (domestic)https://unstructured.io/legal-pages
Mistral AIDownstream LLM provider via OpenRouter (Mixtral 8x22B Instruct fallback)Scrubbed prompt content + AI responsesEU (FR)SCCs via OpenRouter (US ↔ EU)https://mistral.ai/terms/
BrevoTransactional email + Premium/Accelerator waitlistEmail, name, tier preferenceEU (FR)SCCs (US ↔ EU)https://www.brevo.com/legal/privacypolicy/
HetznerHosting infrastructure (CX22 / CCX23)All production dataUS (Ashburn, VA)US (domestic)https://www.hetzner.com/legal/privacy-policy

Phase-specific additions

The following sub-processors will be added in later phases. We will give 30 days' notice before activation.

PhaseSub-processorPurpose
Phase 2OpenAI Whisper (or self-hosted faster-whisper on Hetzner)Voice mock interview transcription
Phase 2PostHog (self-hosted on Hetzner)Product analytics
Phase 3Postal (self-hosted on Hetzner)Transactional email — replaces Brevo
Phase 3Microsoft Graph APIOutlook Calendar write-only
Phase 4PaystackPayment processing (NGN)
Phase 4FlutterwavePayment processing (KE/GH/ZA + pan-Africa)

Operator-only access

The following access channels are used by our staff only — not as sub-processors of your data:

  • Coolify — self-hosted on our infrastructure; not a third-party processor
  • OpenBao — self-hosted Transit secrets engine; the encryption key custodian, not a processor of plaintext data
  • PostgreSQL 16 — self-hosted; not a third-party processor
  • GitHub — code repository only; no Personal Data of customers stored
  • 1Password Family — operator credentials only

Data minimisation across sub-processors

Sub-processorData minimisation applied
StripeWe never see raw card data; Stripe tokenises at the browser
BrevoEmail + tier only; we don't send name unless required for transactional content
OpenRouterPrompt-injection sanitizer applied before send; no profile-PII appended unless task requires it
Anthropic / Meta / MistralDownstream of OpenRouter sanitization
HetznerOperates infrastructure layer; no data-content access
CloudflareOperates CDN/DNS/Access layer; only sees encrypted TLS payloads + access JWTs
SentryPII scrubber (cookie + cf-access-jwt + email + IP) before send (S6b)
Unstructured.ioResume binary only; no cross-resume correlation

How to object to a sub-processor

If a new sub-processor we list will not be removable, you may terminate the service for cause. Contact [email protected] within 30 days of notification.


Reviewed by counsel pre-launch — final review pending.