1. Overview
This page lists the third-party sub-processors that DWEET LTD (“Dweet”, “we”) uses to provide Nova. Details of data categories, legal bases, security measures, transfer mechanisms and AI training posture are set out in: Those documents take precedence for any data protection or transfer questions. This page is incorporated by reference into our Terms of Service and Data Processing Agreement and forms part of our description of processing and international data transfers.
2. Changes and notifications
We may add or remove sub-processors as we operate and improve Nova.
- We aim to provide at least 7 days’ notice for material changes to this list, except in emergencies.
- We update this page when sub-processors are added or removed.
- To subscribe to change notifications, email privacy@dweet.com.
3. Current sub-processors
3.1 Primary infrastructure and AI processing
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Amazon Web Services (AWS) | United Kingdom | Primary cloud hosting for Nova. | Candidate and application data, user account data, configuration data, file attachments, logs and backups. | Data stored in the UK. Transfers from the EEA to the UK rely on the EU adequacy decision for the UK; SCCs are used only where adequacy no longer applies or is otherwise required. (Amazon Web Services, Inc.) |
| Vercel Inc. | United Kingdom with global points of presence | Application hosting for Nova web application. | User requests and session data in transit, application runtime data, and deployment metadata. No persistent storage of candidate or application data. | Primary region is the UK. Transfers from the EEA to the UK rely on the EU adequacy decision for the UK; SCCs are used for locations outside the UK/EEA where required. Vercel DPA and trust centre. (Vercel) |
| OpenAI, L.L.C. | United States | AI inference. | Text derived from candidate and job data, and system metadata needed to operate the service. | EU Standard Contractual Clauses and UK IDTA where required; OpenAI DPA and trust portal. (OpenAI) |
| Google Cloud | European Union and United States | AI inference and embeddings. | Text and embeddings derived from candidate and job data, and system metadata needed to operate the service. | EU Standard Contractual Clauses and UK IDTA where required; Google Cloud Data Processing Addendum. (Google Cloud) |
| Mistral AI | European Union | Text extraction from resume documents. | Resume and CV content (documents submitted for processing), extracted text and structured data derived from candidate documents. | Processing in the EEA; Mistral AI’s standard API terms include GDPR provisions. Mistral does not use customer data for model training. (Mistral AI) |
| Fireworks AI, Inc. | United States and European Union | AI inference and embeddings. | Text and embeddings derived from candidate and job data, and system metadata needed to operate the service. Data is processed transiently and not stored. | EU Standard Contractual Clauses and UK IDTA where required; Fireworks AI DPA and trust portal. (Fireworks AI) |
| Baseten Labs, Inc. | United States and European Union | AI inference and embeddings. | Text and embeddings derived from candidate and job data, and system metadata needed to operate the service. Data is processed transiently and not stored. | EU Standard Contractual Clauses and UK IDTA where required; Baseten DPA and trust portal. (Baseten) |
| Together AI, Inc. | United States and European Union | AI inference and embeddings. | Text and embeddings derived from candidate and job data, and system metadata needed to operate the service. Data is processed transiently and not stored. | EU Standard Contractual Clauses and UK IDTA where required; Together AI privacy policy and SOC 2 compliance. (Together AI) |
| OpenRouter, Inc. | United States and European Union | AI inference provider management. | Text derived from candidate and job data, and system metadata needed to operate the service. | EU Standard Contractual Clauses and UK IDTA where required; OpenRouter DPA and trust portal. (OpenRouter) |
Note: For Third-Party AI Services, we configure providers so that Customer Personal Data is not used to train their own general models, as described in our AI Terms and DPA.
3.2 Task processing and automation
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Trigger.dev (API Hero Ltd) | European Union (Germany) and United States | Background job processing for data synchronisation, scoring and notifications. | Candidate and application data required to execute background jobs, and associated job metadata and logs. | Processing can be configured in an EU region. Operational and log data may be stored in the United States. International transfers are subject to Trigger.dev’s GDPR commitments and appropriate safeguards, including EU Standard Contractual Clauses and, where relevant, the UK Addendum, as described in their GDPR guidance and security portal. (security.trigger.dev) |
3.3 Search and data enhancement (optional)
Used only where the relevant feature is enabled.
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Exa Labs Inc. | United States | Web search to support company and market research features. | Company names, role titles and similar business-context terms derived from customer configuration; no candidate CV content by default. | Appropriate safeguards for international transfers under GDPR and UK GDPR (for example EU Standard Contractual Clauses and the UK Addendum) as required by our DPA Annex IV and Exa’s data protection terms. (Exa) |
| OpenCage Data | Europe | Geocoding and reverse geocoding of location strings. | Location strings from job and candidate records (for example city, region, country). | EU Standard Contractual Clauses and UK IDTA / EU adequacy where required. (opencagedata.com) |
3.4 Monitoring and analytics
These providers receive telemetry, logs and analytics data that may include limited personal data where necessary to operate, secure, and improve Nova.
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Datadog, Inc. | Europe | Application and infrastructure monitoring (metrics and logs). | System and application metrics, service health indicators, and logs that may include personal data and portions of application content. | EU Standard Contractual Clauses and UK IDTA via Datadog DPA, plus any additional locations and safeguards disclosed in Datadog’s data protection terms. (trust.datadoghq.com) |
| PostHog Inc. | Europe | Product analytics for Nova web UI usage. For authenticated users, analytics operates under legitimate interests without separate consent. For visitors on public pages, consent is requested. | Nova user interaction data (e.g. page views, clicks, feature usage) associated with user accounts; no candidate content. | Processing in EEA/UK only (no restricted transfer) under PostHog’s EU hosting. |
| Sentry, Inc. | Europe | Error tracking and performance monitoring for Nova applications. | Error events, technical diagnostic data and limited context fields that may incidentally include personal data (e.g. user identifiers, email addresses). No CV or resume content. | EU Standard Contractual Clauses and UK IDTA where required under Sentry DPA. |
3.5 Payment processing
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Stripe, Inc. | European Union, United Kingdom and United States | Payment processing, subscription billing and invoicing for Nova customers. | Billing contact details, payment method identifiers (e.g. tokenised card data), invoice and transaction metadata. | EU Standard Contractual Clauses and UK IDTA via Stripe DPA. |
3.6 Development and collaboration
These tools are used for internal development and deployment workflows and handle limited customer-related metadata only.
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Flightcontrol | United States | Deployment management for Nova. | Deployment metadata, minimal customer personal data in logs. | Flightcontrol states that it does not store or process Nova end-user data. Any personal data Flightcontrol processes (for example account and billing data) is handled under Flightcontrol’s own GDPR framework and transfer safeguards as described in its privacy policy and security documentation. (trustcenter.flightcontrol.dev) |
| GitHub, Inc. (Microsoft) | European Union and United States | Source code hosting, issue tracking and development tooling. | Source code and configuration; limited customer personal data may appear in commits, issues or support artefacts. | EU Standard Contractual Clauses and UK IDTA via Microsoft/GitHub DPA. |
3.7 Email delivery
| Sub-processor | Location of processing | Purpose / services | Categories of personal data processed | Transfer mechanism (if applicable) |
|---|---|---|---|---|
| Resend, Inc. | United States and European Union | Transactional email delivery for product emails such as invites, notifications and account messages. | Recipient email addresses, names (where provided), email content required to deliver transactional messages. | Appropriate safeguards for international transfers (including EU Standard Contractual Clauses and, where applicable, the UK IDTA) as set out in Resend’s DPA. (resend.com/legal/dpa) |