Sub-processors
Third-party services that process personal data on behalf of pick.me + Outsor. We update this list whenever we change a provider — and notify existing customers at least 14 days before a new sub-processor handles their data.
What "sub-processor" means. Under GDPR (Art. 28), a sub-processor is any third-party service we use to process personal data that customers entrust to us — hosting, AI analysis, email delivery, error monitoring, etc. Each one is contractually bound to the same data protection standards we sign with you in the DPA.
Your right to object. If you object to a new sub-processor, email info@archie-recruitment.com within 14 days of the change. We will work with you on alternatives or, if no agreement is possible, you may terminate the contract for that reason.
| Provider | Purpose | Location | Safeguards |
|---|---|---|---|
| Google Cloud / Firebase by Google LLC | Application hosting, Firestore database, Cloud Storage (CV files), Firebase Authentication, Cloud Functions All customer data lives here. | EU europe-west region | Standard Contractual Clauses, Google Cloud DPA, ISO 27001 + 27018, encryption in transit + at rest DPA |
| Anthropic by Anthropic PBC | Claude AI for CV parsing, candidate analysis, CV translation, vacancy generation Only CV content + job-context fields sent. No PII volunteered. | US API endpoints; EU residency available on request | Standard Contractual Clauses, Anthropic Commercial Terms, data is NOT used to train models Commercial Terms |
| Resend by Resend Inc. | Transactional email delivery (partner submission alerts, partnership accept, Q&A replies, billing notices) Recipient email + subject + body. | US Routes through SES (AWS) | Standard Contractual Clauses, SOC 2 Type II, encryption in transit DPA |
| Plausible Analytics by Plausible Insights OÜ | Privacy-friendly website analytics (cookieless). Aggregated, anonymous pageview metrics. No personal identifiers, no fingerprints, no cookies. IP processed transiently for geolocation then discarded. | EE / EU Hosted in EU (Germany / Estonia) | GDPR-by-design, no data leaves the EU Data Policy |
| GitHub by Microsoft Corporation | Source code hosting + CI/CD Repository is private. No customer data lands here. | US | Standard Contractual Clauses, ISO 27001 DPA |
| Recruitment agencies (our paying B2B customers) | Receive candidate data submitted by partner agencies through the Outsor inbox. Process under their own privacy policies. Acts as controller for the data they manage in their workspace. | Varies (mostly EU) | Each agency signs the pick.me Data Processing Agreement at sign-up See DPA |
Services we do NOT use
For transparency — sometimes asked, never used at pick.me + Outsor:
- Google Analytics / GA4 / Tag Manager
- Meta Pixel / Facebook Login
- HubSpot / Salesforce CRM (we use a custom internal CRM)
- Mixpanel / Amplitude / Heap (no product analytics)
- Stripe / payment processors (we bill via B2B invoice, Net 14)
- OpenAI / other generative AI providers (Claude only)
- Twilio / Vonage / other SMS providers