About this list
When CyberHire acts as a Processor under the Data Processing Addendum (DPA), it engages a small number of Sub-processors to help run the platform. This page is the authoritative list.
Every Sub-processor is bound by a written contract that includes Article 28 UK GDPR terms equivalent to those in our DPA, technical and organisational measures no weaker than those set out in Annex II of the DPA, and - for Sub-processors outside the United Kingdom - an appropriate international transfer mechanism (UK adequacy regulations, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or the EU-US Data Privacy Framework with UK Extension, as applicable).
Current Sub-processors
| Sub-processor | Purpose | Data categories | Location |
|---|---|---|---|
| Fly.io Operated by Fly.io, Inc. | Hosting of the application, APIs, and ephemeral Linux challenge environments (virtual machines provisioned per Candidate attempt). | All Customer Data processed by the platform. | Primary region: London (LHR). Fly.io operates regions globally; challenge VMs may be provisioned in other regions depending on Candidate location and capacity. |
| MongoDB Atlas Operated by MongoDB, Inc. | Primary database for the platform (accounts, Assessments, Results, integrity signals, audit logs). | All persistent Customer Data except files. | United Kingdom or European Economic Area. |
| Supabase Operated by Supabase, Inc. | Object storage for profile pictures, branding assets, email template images, and Proctor-mode webcam snapshots. | Profile pictures, Customer branding, webcam snapshots (where Proctor mode is enabled). | European Economic Area. |
| Postmark Operated by ActiveCampaign, LLC. | Transactional email delivery (invitations, notifications, password resets, security alerts). | Recipient name, email address, message content. | United States. |
| Stripe Operated by Stripe Payments UK, Ltd. (UK Customers) / Stripe Payments Europe, Ltd. (EU Customers). | Subscription billing and payment processing. Stripe acts as an independent Controller of payment-card data; see Stripe's Privacy Policy. | Billing contact, company, VAT number, subscription events. Full card data is handled by Stripe directly - CyberHire never receives or stores it. | United Kingdom / Ireland with sub-processor infrastructure in the United States. |
| Anthropic Operated by Anthropic, PBC. | AI-assisted Challenge generation (the Claude API). Engaged only when a Customer chooses to generate a Challenge using AI. | Prompt text (which may include a Controller-supplied job spec) and generated output. Anthropic's enterprise API terms exclude inputs and outputs from model training by default. | United States. |
| Google Operated by Google Ireland Limited. | Single sign-on via OAuth 2.0 / OIDC. Only engaged where an Admin User or Candidate chooses to sign in with Google. Google acts as an independent Controller of the data it receives; see Google's Privacy Policy. | Email, name, profile picture, provider identifier. | Global; processed under Google's own safeguards. |
| Microsoft Operated by Microsoft Ireland Operations Limited. | Single sign-on via OAuth 2.0 / OIDC. Only engaged where an Admin User or Candidate chooses to sign in with Microsoft. Microsoft acts as an independent Controller of the data it receives; see Microsoft's Privacy Statement. | Email, name, profile picture, provider identifier. | Global; processed under Microsoft's own safeguards. |
Not Sub-processors
The following are worth calling out because they look like Sub-processors but are not:
- DB-IP Lite - the geolocation database we use to derive a Candidate's approximate city from their IP address. This is a static database embedded in our application; no data is sent to DB-IP at runtime. DB-IP receives no Customer Data.
- Google Fonts / webfont CDNs - our marketing site loads Poppins and JetBrains Mono from fonts.googleapis.com. No personal data is sent beyond the standard HTTP request (IP and User-Agent of the visitor's browser, going directly to Google). This is incidental to using a webfont and is disclosed in the Cookies Policy.
Updates to this list
We will update this page whenever a Sub-processor is added, removed, or materially changed. The "Last updated" date at the top of this page reflects the most recent change.
Under section 9 of the DPA, Customers will receive at least 30 days' advance notice of a new or replacement Sub-processor (by email to the primary admin, or by in-product notice), and may object on reasonable data-protection grounds.
Subscribe to changes
To receive email notifications when this list changes, email legal@cyber-hire.com with the subject line Subscribe sub-processor updates.
Contact
Questions about our use of Sub-processors? Contact our Data Protection Officer, Michael Carthy, at legal@cyber-hire.com.