Legal
Sub-Processors and International Data Transfers
Last updated: 2025-11-16
1. Overview
This page lists the third-party sub-processors that DWEET LTD ("Dweet", "we") uses to provide Nova.
Details of data categories, legal bases, security measures, transfer mechanisms and AI training posture are set out in:
Those documents take precedence for any data protection or transfer questions.
This page is incorporated by reference into our Terms of Service and Data Processing Agreement and forms part of our description of processing and international data transfers.
2. Changes and notifications
We may add or remove sub-processors as we operate and improve Nova.
- We aim to provide at least 7 days’ notice for material changes to this list, except in emergencies.
- We update this page when sub-processors are added or removed.
- To subscribe to change notifications, email
privacy@dweet.com.
Any rights to object to a new sub-processor and related remedies are governed by the DPA.
3. Current sub-processors
3.1 Primary infrastructure and AI processing
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Amazon Web Services (AWS) | United Kingdom (eu-west-2, London) | Primary cloud hosting (compute, storage, networking) for Nova. | Candidate and application data, user account data, configuration data, file attachments, logs and backups. | Data stored in the UK (eu-west-2). Transfers from the EEA to the UK rely on the EU adequacy decision for the UK; SCCs are used only where adequacy no longer applies or is otherwise required. (Amazon Web Services, Inc.) |
| OpenAI, L.L.C. | United States | AI inference for scoring, summarisation and content generation features. | Text prompts derived from candidate and job data (for example CV content, job descriptions, application answers) and system metadata needed to provide the API. | EU Standard Contractual Clauses and UK IDTA where required; OpenAI DPA and trust portal. (OpenAI) |
| Google Cloud (Vertex AI / Gemini) | European Union and United States (per endpoint) | AI inference and embeddings for search and scoring features. | Text prompts and embeddings derived from candidate and job data; limited metadata required to operate the service. | EU Standard Contractual Clauses and UK IDTA where required; Google Cloud Data Processing Addendum. (Google Cloud) |
Note: For Third-Party AI Services, we configure providers so that Customer Personal Data is not used to train their own general models, as described in our AI Terms and DPA.
3.2 Task processing and automation
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Trigger.dev (API Hero Ltd) | Frankfurt, Germany (EEA region) and United States | Background job processing for ATS sync, scoring and notifications. | Candidate and application data required to execute background jobs; job metadata and logs (which may include ATS payloads for debugging). | Worker execution can be configured in an EU region (eu-central-1). Operational and log data is stored in us-east-1. International transfers are subject to Trigger.dev’s GDPR commitments and appropriate safeguards, including EU Standard Contractual Clauses and, where relevant, the UK Addendum, as described in their GDPR guidance and security portal. (security.trigger.dev) |
3.3 Search and data enhancement (optional)
Used only where the relevant feature is enabled.
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Exa Labs Inc. | United States | Web search to support company and market research features. | Company names, role titles and similar business-context terms derived from customer configuration; no candidate CV content by default. | Appropriate safeguards for international transfers under GDPR and UK GDPR (for example EU Standard Contractual Clauses and the UK Addendum) as required by our DPA Annex IV and Exa’s data protection terms. (Exa) |
| OpenCage Data | Europe | Geocoding and reverse geocoding of location strings. | Location strings from job and candidate records (for example city, region, country). | EU Standard Contractual Clauses and UK IDTA / EU adequacy where required. (opencagedata.com) |
3.4 Monitoring and analytics
These providers receive telemetry, logs and analytics data that may include limited personal data and portions of application content (for example ATS request and response payloads) where necessary to operate, secure, and improve Nova.
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Datadog, Inc. | EU region (Germany) and other regions as configured | Application and infrastructure monitoring (metrics and logs), including ATS request/response payloads where necessary to debug integrations. | System and application metrics, service health indicators, and logs that may include personal data and portions of application content (including candidate and job data in ATS payloads). | EU Standard Contractual Clauses and UK IDTA via Datadog DPA, plus any additional locations and safeguards disclosed in Datadog’s data protection terms. (trust.datadoghq.com) |
| PostHog Inc. | Europe | Product analytics for Nova web UI usage. | Nova user interaction data (e.g. page views, clicks, feature usage) associated with user accounts; no ATS/candidate content. | Processing in EEA/UK only (no restricted transfer) under PostHog’s EU hosting. |
| Sentry, Inc. | Europe | Error tracking and performance monitoring for Nova applications. | Error events, stack traces and limited context fields that may incidentally include personal data (e.g. IDs, email address in a URL). No CV file content by design. | EU Standard Contractual Clauses and UK IDTA where required under Sentry DPA. |
3.5 Payment processing
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Stripe, Inc. | European Union, United Kingdom and United States | Payment processing, subscription billing and invoicing for Nova customers. | Billing contact details, payment method identifiers (e.g. tokenised card data), invoice and transaction metadata. | EU Standard Contractual Clauses and UK IDTA via Stripe DPA. |
3.6 Development and collaboration
These tools are used for internal development and deployment workflows and handle limited customer-related metadata only.
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Flightcontrol | United States | Deployment orchestration and environment telemetry for Nova. | Deployment metadata (service names, environment IDs), minimal customer personal data in logs/metadata. | Flightcontrol states that it does not store or process Nova end-user data and primarily operates within the customer’s own cloud account. Any personal data Flightcontrol processes (for example account and billing data) is handled under Flightcontrol’s own GDPR framework and transfer safeguards as described in its privacy policy and security documentation. (trustcenter.flightcontrol.dev) |
| GitHub, Inc. (Microsoft) | European Union and United States | Source code hosting, issue tracking and development tooling. | Source code and configuration; limited customer personal data may appear in commits, issues or support artefacts. | EU Standard Contractual Clauses and UK IDTA via Microsoft/GitHub DPA. |
3.7 Email delivery
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Resend, Inc. | United States and European Union | Transactional email delivery for product emails such as invites, notifications and account messages. | Recipient email addresses, names (where provided), email content required to deliver transactional messages. | Appropriate safeguards for international transfers (including EU Standard Contractual Clauses and, where applicable, the UK IDTA) as set out in Resend’s DPA. (resend.com/legal/dpa) |
3.8 Document conversion (optional)
Used only when using talent pool discovery features.
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Modal.com | Europe (Modal eu compute region; control plane in us-east-1) | Serverless compute for CV and document conversion (e.g. PDF→Markdown). | PDF and document content submitted for conversion, which may include candidate CVs and attachments. Nova does not configure persistent volumes for this workflow, and Modal retains function inputs/outputs only briefly, with app logs/metadata handled as described in their security and privacy documentation. | Appropriate safeguards for international transfers (including EU Standard Contractual Clauses and, where applicable, the UK IDTA) as set out in Modal’s DPA. See also Modal’s region selection and control plane documentation (trust.modal.com, Modal region selection docs). |