Nova Documentation
Legal

Sub-Processors and International Data Transfers

List of third-party sub-processors used by Nova for data processing

1. Introduction

This document lists the sub-processors that DWEET LTD ("we," "us," or "our") may engage to process personal data in connection with Nova, our AI-powered hiring platform. We select sub-processors based on their security standards, data protection practices, and ability to provide adequate safeguards for international data transfers.

All sub-processors are contractually bound to process personal data only as instructed by us and in accordance with applicable data protection laws, including the GDPR and UK GDPR.

2. Changes to Sub-Processors

We may update this list from time to time as we engage new sub-processors or discontinue existing relationships. We will:

  • Provide 15 days' notice of any material changes to this list
  • Update this page with any additions or removals
  • Notify customers via email for significant changes affecting data processing

If you object to a new sub-processor, you may terminate your agreement with us within 30 days of notification.

3. Categories of Sub-Processors

3.1 Essential Service Providers

Sub-processors necessary for Nova's core functionality and data processing capabilities.

3.2 Infrastructure and Hosting

Cloud infrastructure providers that host and store data for Nova.

3.3 Support and Operational Services

Sub-processors that assist with customer support, analytics, and business operations.

4. Current Sub-Processors

4.1 Primary Infrastructure and AI Processing

Sub-ProcessorLocationServices ProvidedData Transfer Safeguards
Amazon Web Services (AWS)UK (eu-west-2 London)Primary hosting, database, storageUK Adequate Jurisdiction
OpenAI L.L.C.United StatesAI model processing for candidate scoring and interview questionsStandard Contractual Clauses (SCCs), Zero data retention policy
Google LLC (Gemini)United StatesAlternative AI model processingStandard Contractual Clauses (SCCs), Zero data retention policy

4.2 Task Processing and Automation

Sub-ProcessorLocationServices ProvidedData Transfer Safeguards
Trigger.dev (API Hero Ltd)United KingdomBackground job processing and task automationUK Adequate Jurisdiction

4.3 Search and Data Enhancement

Sub-ProcessorLocationServices ProvidedData Transfer Safeguards
Exa Labs Inc.United StatesWeb search functionality for company researchStandard Contractual Clauses (SCCs)

4.4 Monitoring and Analytics

Sub-ProcessorLocationServices ProvidedData Transfer Safeguards
Datadog, Inc.United StatesApplication monitoring, logging, and error trackingStandard Contractual Clauses (SCCs)
PostHog Inc.United StatesProduct analytics and user behavior tracking (anonymized)Standard Contractual Clauses (SCCs)
Sentry, Inc.United StatesError tracking and system optimizationStandard Contractual Clauses (SCCs)

4.5 Authentication and Security

Sub-ProcessorLocationServices ProvidedData Transfer Safeguards
Auth0, Inc. (Okta)United StatesUser authentication and identity managementStandard Contractual Clauses (SCCs)

4.6 Payment Processing

Sub-ProcessorLocationServices ProvidedData Transfer Safeguards
Stripe, Inc.United StatesPayment processing and billing managementStandard Contractual Clauses (SCCs)

4.7 Development and Collaboration

Sub-ProcessorLocationServices ProvidedData Transfer Safeguards
GitHub, Inc. (Microsoft)United StatesCode repository and development tools (metadata only)Standard Contractual Clauses (SCCs)

5. Data Processing Details

5.1 Data Categories Processed

Sub-processors may have access to the following categories of personal data:

  • Candidate Information: Names, contact details, resume content, application data
  • Customer Account Data: User names, email addresses, company information
  • Usage Analytics: Platform interaction data (anonymized where possible)
  • Technical Data: Log files, error reports, system metrics

5.2 Processing Purposes

Sub-processors process personal data for the following purposes:

  • Service Delivery: Providing Nova's core AI-powered hiring functionality
  • Platform Operation: Hosting, monitoring, and maintaining system availability
  • Customer Support: Responding to technical issues and support requests
  • Security: Detecting and preventing unauthorized access or system abuse
  • Analytics: Understanding platform usage to improve services (anonymized)

6. International Data Transfer Safeguards

6.1 UK/EEA Transfers

For transfers outside the UK and European Economic Area, we implement appropriate safeguards:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • UK International Data Transfer Addendum (IDTA) for UK GDPR compliance
  • Additional technical and organizational measures including encryption and access controls

6.2 AI Provider Specific Safeguards

Our AI processing partners (OpenAI and Google) operate under strict data processing terms:

  • Zero data retention policies - no training on customer data
  • Dedicated enterprise processing environments with enhanced security
  • Encrypted data transmission using TLS 1.3
  • Limited processing scope restricted to specific AI inference operations

6.3 Risk Assessment and Monitoring

We continuously assess the adequacy of transfer safeguards:

  • Regular security reviews of sub-processor practices
  • Monitoring of legal developments affecting international transfers
  • Incident response procedures for any transfer-related security events
  • Alternative providers identified for critical services

7. Sub-Processor Security Requirements

All sub-processors must demonstrate:

7.1 Technical Safeguards

  • Encryption in transit and at rest using industry-standard protocols
  • Access controls with role-based permissions and multi-factor authentication
  • Network security including firewalls and intrusion detection
  • Regular security testing and vulnerability assessments

7.2 Organizational Measures

  • ISO 27001 or equivalent security management frameworks
  • Staff training on data protection and security requirements
  • Incident response procedures with mandatory breach notification
  • Business continuity planning and disaster recovery capabilities

7.3 Compliance Obligations

  • GDPR and UK GDPR compliance with documented data protection measures
  • Contractual obligations to process data only on our instructions
  • Audit rights allowing us to verify compliance with security requirements
  • Data deletion capabilities upon termination of services

8. Your Rights and Recourse

8.1 Objection Rights

You may object to specific sub-processors by:

  1. Contacting us at andreas@dweet.com with your concerns
  2. Providing 30 days' notice if you wish to terminate due to sub-processor changes
  3. Requesting alternative arrangements where technically feasible

8.2 Data Subject Rights

For data processed by sub-processors:

  • Access requests will be facilitated through our systems
  • Correction and deletion requests will be implemented across all sub-processors
  • Portability requests will include data held by relevant sub-processors

9. Notification and Updates

9.1 Change Notification Process

We will notify customers of sub-processor changes through:

  • Email notification to primary account contacts
  • Platform notification within the Nova dashboard
  • Website updates with revised effective dates
  • RSS feed available for automated monitoring

9.2 Emergency Changes

In exceptional circumstances requiring immediate sub-processor changes:

  • Immediate notification will be provided
  • Explanation of circumstances requiring the emergency change
  • Enhanced monitoring of the new sub-processor relationship
  • Right to terminate remains available

10. Contact Information

For questions about our sub-processors or data processing practices:

Data Protection Officer: Andreas Asprou
Email: andreas@dweet.com

General Inquiries: nova@dweet.com


This document is reviewed and updated regularly to ensure accuracy and compliance with applicable data protection laws. The most current version is always available at this URL.

Document Version: 1.0

© 2025 DWEET LTD. All rights reserved.