This list identifies the third parties HiringCoachAI engages to help deliver our service. We remain accountable for the data they process on our behalf.
Advance notice of new sub-processors is available by request at [email protected].
This page identifies vendor names, purposes, data categories, locations, and high-level assurance posture. API keys, account IDs, DPA acceptance timestamps, dashboard screenshots, security runbooks, and credential locations remain internal.
Core infrastructure
| Sub-processor | Purpose | Data processed | Location | Certifications |
|---|
| Google Cloud Platform / Firebase | Authentication, Firestore database, Cloud Storage backup/export buckets, Cloud Functions source buckets, Cloud Tasks, Cloud Text-to-Speech. User file uploads are not live in production yet. | All user profile, content, session, audit data; backup/export objects inherit source classification | US: Firestore live database in US multi-region; backup/export buckets in US multi-region; Cloud Functions source buckets in a US region | SOC 1/2/3, ISO 27001/17/18/701, Payment Card Industry Data Security Standard (PCI DSS), HIPAA, FedRAMP High |
| Vercel | Application hosting, Edge Middleware, Serverless Functions, AI Gateway, logs, and Vercel Analytics when analytics consent is granted | Request headers, execution logs, routed AI traffic, and consented site-level analytics telemetry | Global edge; primary US | SOC 2 Type II, ISO 27001 |
| Cloudflare | Public DNS, reverse proxy, CDN/security edge for hiringcoach.ai | DNS records, request metadata, IP addresses, HTTP headers for proxied traffic | Global edge | SOC 2 Type II, ISO 27001 |
Payments
| Sub-processor | Purpose | Data processed | Location | Certifications |
|---|
| Stripe | Subscription billing, payment card processing (hosted Checkout and Elements / Payment Element) | Customer ID, email, payment token, subscription and billing-status metadata. No payment-card primary account number (PAN), card verification value (CVV), or card-track data touches HiringCoachAI. | US + EU | Payment Card Industry Data Security Standard (PCI DSS) Level 1, SOC 1/2, ISO 27001 |
Communications
| Sub-processor | Purpose | Data processed | Location | Certifications |
|---|
| SendGrid (Twilio) | Transactional email (magic-link signin, notifications) | Recipient email, send metadata, bounce / complaint records | US | SOC 2 Type II, ISO 27001 |
| Mailchimp (Intuit) | Account/customer communications, communication-list management, and opt-in marketing email where applicable | Email, name, communication preferences | US | SOC 2 Type II |
AI providers
We do not have separate Zero Data Retention (ZDR) agreements with any AI provider. Where a provider exposes per-request storage or transcript-exposure controls, our code sends them, and an automated check runs in local compliance checks and the scheduled/manual security workflow to verify covered OpenAI Chat Completions or Responses requests include store: false and Deepgram transcription requests include redact=true. These flags reduce provider-side storage or transcript exposure where supported, but they are not the same as a signed ZDR agreement. Each provider's then-current standard API retention windows otherwise apply. The no-training posture relies on each provider's then-current standard API terms; we have not signed separate enterprise no-training amendments.
| Sub-processor | Purpose | Data processed | Location | Retention |
|---|
| OpenAI (called both directly and via Vercel AI Gateway) | LLM generation (resumes, cover letters, pitches, coaching) | User prompts (resume text, job descriptions, questions) and completions | US | Per-request store: false on OpenAI Chat Completions and Responses requests. No Zero Data Retention (ZDR) amendment: OpenAI's then-current standard API retention windows apply. |
| Perplexity AI | Research-backed company intelligence (optional) | Query text | US | Standard API terms; provider default retention applies. |
| ElevenLabs | Text-to-speech | Text to be spoken | US | Standard API terms; provider default retention applies. |
| Deepgram | Speech-to-text | Audio clips (user voice) | US | Per-request redact=true to redact sensitive number-like entities from transcripts, such as payment cards and Social Security numbers; provider default audio retention otherwise applies. |
| Google Cloud Text-to-Speech | Alternate TTS | Text | US | Standard API terms; provider default retention applies. |
Error monitoring and analytics
| Sub-processor | Purpose | Data processed | Consent |
|---|
| Sentry | Application error & performance monitoring, plus Vercel log drain destination | Stack traces, user IDs only where needed for debugging, request metadata after beforeSend scrubbing; no prompts/completions intentionally logged | Essential |
| Amplitude | Product analytics and session replay | Event data, session IDs, session recordings of consented sessions | Analytics consent |
| Mixpanel | Product analytics and session replay | Event data, session recordings of consented sessions | Analytics consent |
| PostHog (PostHog Inc.) | Product analytics: event capture, funnels, and behavioral insights | Event names and properties (e.g. login_attempted, subscription_purchased, plan tier); stable user identifier (Firebase UID) and email attached only after analytics consent is granted; standard request metadata (IP, user-agent) | Analytics consent. Client-side SDK starts opted-out by default; capture begins only after analytics consent and is revoked live on consent withdrawal. Server-side transactional events from Stripe webhook and account-deletion confirmation fire under the corresponding lawful basis documented per-event in the data map. PostHog Inc., US-hosted; standard PostHog DPA applies. |
| Hotjar (Contentsquare) | Heatmaps and session insights | Session recordings; default input masking applies | Analytics consent |
| Google Analytics / Google Tag Manager (GTM) | Web analytics and attribution tags | Page views, events | Analytics consent for analytics tags; marketing consent for advertising/attribution tags |
| Meta Pixel (Facebook) | Conversion measurement (Conversions API) | Conversion events, hashed identifiers | Marketing consent |
Developer productivity / integrations
| Sub-processor | Purpose | Data processed | Location | Certifications |
|---|
| Mapbox | Geocoding and location display | Approximate location strings entered by user | US | SOC 2 Type II |
| LinkedIn | OAuth sign-in; profile import (with user consent) | LinkedIn profile fields, limited scope | US | SOC 2 Type II, ISO 27001 |
| Google OAuth | OAuth sign-in; Google Drive export (opt-in) | Profile, email; Drive scope only on user grant | US | SOC 1/2/3, ISO 27001 (Google Cloud parent) |
| Facebook OAuth | OAuth sign-in | Profile, email | US | SOC 2 Type II, ISO 27001 |
| Canva | Design asset import | File metadata | Australia + US | SOC 2 Type II, ISO 27001 |
Platform
| Sub-processor | Purpose | Location |
|---|
| GitHub | Source-code hosting and CI | US |
| Domain registrar + DNS | Domain and DNS management | US |
Historical / removed
None yet. Removals will be dated here and retained indefinitely for audit.
How to object
Per our Privacy Policy, you may object to specific processing. Contact [email protected]. Some sub-processors (payments, identity, infrastructure) are essential to the service; we cannot provide the service without them. For others (analytics, marketing), you can opt out via the cookie banner or your account settings.
Change log
| Date | Change |
|---|
| 2026-04-24 | Initial publication |
| 2026-05-11 | Confirmed /sub-processors renders from this canonical markdown source and added public-safety note. |
| 2026-05-17 | Added PostHog (PostHog Inc., US) as a product-analytics sub-processor. Client-side SDK is opted-out by default and gated through the analytics consent category. |
