Sub-Processors and International Data Transfers
List of third-party sub-processors used by Nova for data processing
1. Introduction
This document lists the sub-processors that DWEET LTD ("we," "us," or "our") may engage to process personal data in connection with Nova, our AI-powered hiring platform. We select sub-processors based on their security standards, data protection practices, and ability to provide adequate safeguards for international data transfers.
All sub-processors are contractually bound to process personal data only as instructed by us and in accordance with applicable data protection laws, including the GDPR and UK GDPR.
2. Changes to Sub-Processors
We may update this list from time to time as we engage new sub-processors or discontinue existing relationships. We will:
- Provide 15 days' notice of any material changes to this list
- Update this page with any additions or removals
- Notify customers via email for significant changes affecting data processing
If you object to a new sub-processor, you may terminate your agreement with us within 30 days of notification.
3. Categories of Sub-Processors
3.1 Essential Service Providers
Sub-processors necessary for Nova's core functionality and data processing capabilities.
3.2 Infrastructure and Hosting
Cloud infrastructure providers that host and store data for Nova.
3.3 Support and Operational Services
Sub-processors that assist with customer support, analytics, and business operations.
4. Current Sub-Processors
4.1 Primary Infrastructure and AI Processing
Sub-Processor | Location | Services Provided | Data Transfer Safeguards |
---|---|---|---|
Amazon Web Services (AWS) | UK (eu-west-2 London) | Primary hosting, database, storage | UK Adequate Jurisdiction |
OpenAI L.L.C. | United States | AI model processing for candidate scoring and interview questions | Standard Contractual Clauses (SCCs), Zero data retention policy |
Google LLC (Gemini) | United States | Alternative AI model processing | Standard Contractual Clauses (SCCs), Zero data retention policy |
4.2 Task Processing and Automation
Sub-Processor | Location | Services Provided | Data Transfer Safeguards |
---|---|---|---|
Trigger.dev (API Hero Ltd) | United Kingdom | Background job processing and task automation | UK Adequate Jurisdiction |
4.3 Search and Data Enhancement
Sub-Processor | Location | Services Provided | Data Transfer Safeguards |
---|---|---|---|
Exa Labs Inc. | United States | Web search functionality for company research | Standard Contractual Clauses (SCCs) |
4.4 Monitoring and Analytics
Sub-Processor | Location | Services Provided | Data Transfer Safeguards |
---|---|---|---|
Datadog, Inc. | United States | Application monitoring, logging, and error tracking | Standard Contractual Clauses (SCCs) |
PostHog Inc. | United States | Product analytics and user behavior tracking (anonymized) | Standard Contractual Clauses (SCCs) |
Sentry, Inc. | United States | Error tracking and system optimization | Standard Contractual Clauses (SCCs) |
4.5 Authentication and Security
Sub-Processor | Location | Services Provided | Data Transfer Safeguards |
---|---|---|---|
Auth0, Inc. (Okta) | United States | User authentication and identity management | Standard Contractual Clauses (SCCs) |
4.6 Payment Processing
Sub-Processor | Location | Services Provided | Data Transfer Safeguards |
---|---|---|---|
Stripe, Inc. | United States | Payment processing and billing management | Standard Contractual Clauses (SCCs) |
4.7 Development and Collaboration
Sub-Processor | Location | Services Provided | Data Transfer Safeguards |
---|---|---|---|
GitHub, Inc. (Microsoft) | United States | Code repository and development tools (metadata only) | Standard Contractual Clauses (SCCs) |
5. Data Processing Details
5.1 Data Categories Processed
Sub-processors may have access to the following categories of personal data:
- Candidate Information: Names, contact details, resume content, application data
- Customer Account Data: User names, email addresses, company information
- Usage Analytics: Platform interaction data (anonymized where possible)
- Technical Data: Log files, error reports, system metrics
5.2 Processing Purposes
Sub-processors process personal data for the following purposes:
- Service Delivery: Providing Nova's core AI-powered hiring functionality
- Platform Operation: Hosting, monitoring, and maintaining system availability
- Customer Support: Responding to technical issues and support requests
- Security: Detecting and preventing unauthorized access or system abuse
- Analytics: Understanding platform usage to improve services (anonymized)
6. International Data Transfer Safeguards
6.1 UK/EEA Transfers
For transfers outside the UK and European Economic Area, we implement appropriate safeguards:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK International Data Transfer Addendum (IDTA) for UK GDPR compliance
- Additional technical and organizational measures including encryption and access controls
6.2 AI Provider Specific Safeguards
Our AI processing partners (OpenAI and Google) operate under strict data processing terms:
- Zero data retention policies - no training on customer data
- Dedicated enterprise processing environments with enhanced security
- Encrypted data transmission using TLS 1.3
- Limited processing scope restricted to specific AI inference operations
6.3 Risk Assessment and Monitoring
We continuously assess the adequacy of transfer safeguards:
- Regular security reviews of sub-processor practices
- Monitoring of legal developments affecting international transfers
- Incident response procedures for any transfer-related security events
- Alternative providers identified for critical services
7. Sub-Processor Security Requirements
All sub-processors must demonstrate:
7.1 Technical Safeguards
- Encryption in transit and at rest using industry-standard protocols
- Access controls with role-based permissions and multi-factor authentication
- Network security including firewalls and intrusion detection
- Regular security testing and vulnerability assessments
7.2 Organizational Measures
- ISO 27001 or equivalent security management frameworks
- Staff training on data protection and security requirements
- Incident response procedures with mandatory breach notification
- Business continuity planning and disaster recovery capabilities
7.3 Compliance Obligations
- GDPR and UK GDPR compliance with documented data protection measures
- Contractual obligations to process data only on our instructions
- Audit rights allowing us to verify compliance with security requirements
- Data deletion capabilities upon termination of services
8. Your Rights and Recourse
8.1 Objection Rights
You may object to specific sub-processors by:
- Contacting us at andreas@dweet.com with your concerns
- Providing 30 days' notice if you wish to terminate due to sub-processor changes
- Requesting alternative arrangements where technically feasible
8.2 Data Subject Rights
For data processed by sub-processors:
- Access requests will be facilitated through our systems
- Correction and deletion requests will be implemented across all sub-processors
- Portability requests will include data held by relevant sub-processors
9. Notification and Updates
9.1 Change Notification Process
We will notify customers of sub-processor changes through:
- Email notification to primary account contacts
- Platform notification within the Nova dashboard
- Website updates with revised effective dates
- RSS feed available for automated monitoring
9.2 Emergency Changes
In exceptional circumstances requiring immediate sub-processor changes:
- Immediate notification will be provided
- Explanation of circumstances requiring the emergency change
- Enhanced monitoring of the new sub-processor relationship
- Right to terminate remains available
10. Contact Information
For questions about our sub-processors or data processing practices:
Data Protection Officer: Andreas Asprou
Email: andreas@dweet.com
General Inquiries: nova@dweet.com
This document is reviewed and updated regularly to ensure accuracy and compliance with applicable data protection laws. The most current version is always available at this URL.
Document Version: 1.0
© 2025 DWEET LTD. All rights reserved.