Subprocessors

Last Updated: May 8, 2026

This page lists the subprocessors Introvy uses to deliver the Service. Each subprocessor is bound by a written data processing agreement and is reviewed for security, privacy, and (where applicable) cross‑border transfer adequacy. We will provide at least 30 days' advance notice of new subprocessors that handle personal data, by updating this page and notifying Customers via email or in‑product banner.

Customers may object to a new subprocessor on reasonable, documented grounds within 30 days of notification, in which case we will work in good faith to resolve, or — failing that — Customer may terminate the affected portion of the Service for refund of pre‑paid, unused fees.

| Subprocessor | Service Provided | Data Categories | Processing Locations | Transfer Mechanism | |---|---|---|---|---| | Supabase Inc. | Postgres database, authentication, storage of media files | Account data, candidate identifiers, user content (videos/audio), transcripts, consent records | United States (primary) | SCCs Module 2/3, DPA | | Vercel Inc. | Backend API hosting (Next.js / Vercel Functions) | API request data including user identifiers and submission payloads (in transit, ephemeral) | United States | SCCs Module 3, DPA | | Render | Long‑running worker, MCP server, orchestrator hosting | API request data, ATS webhook payloads, AI orchestration state | United States | SCCs Module 3, DPA | | Netlify Inc. | Marketing & app frontend hosting (Vite/React) | Page request logs, IP, user agent | United States | SCCs Module 3, DPA | | Cloudflare Inc. | Video upload, storage, transcoding, and global delivery (Cloudflare Stream); CDN; DNS; DDoS protection | Video/audio media; request metadata | Global edge; primary US | SCCs Module 3, DPA | | Stripe, Inc. | Subscription billing, identity verification (optional) | Customer/billing identifiers, payment metadata | United States, EU | SCCs (Stripe DPA), DPF where applicable | | Postmark (ActiveCampaign) | Transactional email delivery | Recipient email, message content | United States | SCCs, DPA | | OpenAI, L.L.C. | AI inference: question generation, transcription (Whisper), summaries, evaluations | AI prompts derived from user content; transient | United States | OpenAI DPA, SCCs; content excluded from training by API default | | RecruitCRM | ATS integration (Customer‑initiated; receives writebacks) | Candidate IDs, completion summaries, share links, stage updates | India / Customer‑configured | Customer‑level DPA; processing under Customer instructions | | RecruiterFlow | ATS integration (Customer‑initiated) | Candidate IDs, completion summaries, share links, stage updates | United States | Customer‑level DPA; processing under Customer instructions |

Optional / future

• Sentry (error monitoring) — only enabled when VITE_SENTRY_DSN and SENTRY_DSN are set; PII is scrubbed.
• PostHog or equivalent product analytics — only enabled when the cookie banner's analytics category is accepted.
• Anthropic — may be enabled as an additional AI inference provider; subject to a separate DPA and notice on this page.

Customer offshore recruiters and operators

Customer accounts often include offshore team members (India, the Philippines, LATAM, Eastern Europe, etc.). Customer team members are not Introvy subprocessors; they are users authorized by the Customer (the controller). Customers are responsible for managing access for their own team members, including offshore staff.

Contact

DPA requests, subprocessor objections, or audit requests: hello@introvy.ai.