VettaHireSub-processors
Last updated: May 25, 2026
VettaHire uses the following sub-processors to operate VettaHire. They process personal information only on our instructions and for the purposes described in our Privacy Policy and Data Processing Addendum.
Notice of changes
We provide at least 30 days' notice before adding or replacing a sub-processor that materially affects processing of Customer or Candidate personal data. To receive notice, email info@vettahire.com to subscribe to the sub-processor mailing list. Enterprise Customers with a signed DPA receive notice directly.
Infrastructure
| Provider | Purpose | Data processed | Location | Certifications |
|---|---|---|---|---|
| Cloudflare, Inc. (Delaware, USA) | Application hosting (Workers runtime), primary database (D1), object storage for profile photos (R2), CDN, DDoS and WAF protection, application logs (Workers Observability) | All Customer and Candidate data, including interview transcripts, account information, and application logs | D1 database primary region: WNAM (US West). R2 bucket: United States. Workers execute globally at the edge for request routing only; persistent data resides in the primary region. | SOC 2 Type II, ISO 27001, ISO 27018 |
AI inference
| Provider | Purpose | Data processed | Location | Certifications |
|---|---|---|---|---|
| Deep Infra, Inc. (Delaware, USA) | Large language model inference using open-weight DeepSeek V4 Flash model. Powers AI interviewer responses, transcripts, summaries, and recommendation scoring. | Interview prompts and completions including Candidate responses. No account, billing, or authentication data. | United States — Deep Infra-operated GPU data centers | SOC 2 Type II, ISO 27001. Zero data retention: inputs and outputs are not stored on disk and are deleted from memory after inference. No training use of customer data. |
OpenAI, Inc. may be used as a secondary fallback inference provider during Deep Infra service disruptions. This fallback is configurable and can be disabled on request for enterprise accounts with specific data residency requirements. When active, the same categories of data listed above apply.
Operations
| Provider | Purpose | Data processed | Location | Certifications |
|---|---|---|---|---|
| Resend, Inc. (Delaware, USA) | Transactional email delivery (interview invitations, account notifications, team invitations) | Candidate email address, derived first name, role title, hiring company name, and secure interview link. Customer email address for account and team notifications. No interview content. | United States | SOC 2 Type II |
| Google LLC | OAuth identity verification for Customer accounts only (sign-up and sign-in for recruiters and admins). Candidates do not authenticate via Google. | Customer user email address, display name, and Google account identifier. No Candidate data. | Global | SOC 2, ISO 27001, ISO 27018 |
| Stripe, Inc. (Delaware, USA) | Subscription billing and payment processing | Customer billing contact (name, email, address) and payment method. No Candidate data. | United States | PCI DSS Level 1, SOC 1, SOC 2 Type II |
Data residency summary
| Data category | Primary storage location |
|---|---|
| Candidate data (interviews, profiles, transcripts) | United States (Cloudflare D1, WNAM primary region) |
| AI inference processing | United States (Deep Infra) |
| Customer account data | United States (Cloudflare D1) |
| Profile photos | United States (Cloudflare R2) |
| Email delivery | United States (Resend) |
| Authentication identity | Global (Google OAuth — identity only, transient) |
| Billing data | United States (Stripe) |
VettaHire does not transfer Candidate Data outside the United States.
Questions
Contact info@vettahire.com about sub-processor due diligence or to request DPAs, SOC 2 reports, or other compliance documentation from our sub-processors. For our processing terms, see our Data Processing Addendum.