picked.
Log inPost a role
Trust · Sub-processors
Every vendor. Every region. Every purpose.
The full list, kept current. Changes are notified to customers 30 days in advance. Subscribe to the change log to stay informed.
Subscribe to change notifications →Download as PDF
Current sub-processors
17 vendors. London-default. Zero-retention where it matters.
Sub-processor
Purpose
Region
Retention
Notes
Vercel
Web hosting
London (lhr1)
Logs 30 days
Frontend rendering, edge cache
Supabase
Postgres database
London (eu-west-2)
Per-artefact policy
Row-level security per organisation
Cloudflare R2
File storage
EU
Per-artefact policy
CV uploads, interview audio, assessment artefacts
WorkOS
Auth (hiring managers)
EU
Session lifetime
Magic link, Google SSO, SAML, SCIM
Anthropic
LLM (reasoning)
US, EU routing
Zero retention
Opus 4.7 ranking, Sonnet 4.6 conversation, Haiku 4.5 triage. Prompt caching enabled.
OpenAI
Whisper API only (transcription)
US, EU routing
Zero retention
Speech-to-text. No reasoning, no scoring.
LiveKit Cloud
Real-time voice / video
EU
Session only
Interview transport. Recordings stored in our R2.
Persona
Identity verification
EU
12 months
Anti-fraud, candidate-consented
Inngest
Background jobs / workers
EU
Job lifetime
AI pipeline orchestration, Stripe processing
Resend
Transactional email
EU
30 days log
Magic links, candidate notifications, manager nudges
Stripe
Billing
EU, US
Per legal requirement
Metered usage, spend caps, multi-currency
PostHog
Analytics
EU cloud
365 days
Reverse-proxied. No candidate PII.
Braintrust
Eval / observability
US
No PII
Prompt and model evaluation. Hashed candidate IDs only.
Sentry
Error monitoring
EU
90 days
Stack traces. No candidate PII.
Vanta
Compliance tooling
US
Per audit cycle
Added at M3 (Q4 2026), pre-SOC 2
Drata
Continuous compliance monitoring
US
Per audit cycle
SOC 2 monitoring platform
Holistic AI
Independent bias auditor
UK
Per audit
Annual audit under NYC LL144 and internal cadence
Changes
Three rules on changing this list.
01
Notification. New sub-processors are announced 30 days before activation. Customers can object during the window.
02
Removal. Sub-processor removals are immediate but communicated within 7 days. The migration is invisible to the customer.
03
Audit. Material changes (new region, new data type) trigger a DPIA refresh and customer-side notification regardless of the 30-day rule.
Stay current
Subscribe and we email you the day a change is announced.
One email per change. No marketing. Unsubscribe in one click. We use Resend for this and the same EU posture as the rest of the stack.
Subscribe →
Related
TRUST · PRIVACY
Privacy
GDPR Article 22. Single-jurisdiction London residency. No training on candidate data.
Read →
TRUST · SECURITY
Security
Infrastructure, encryption, access, audit trail. SOC 2 Type II in progress.
Read →
TRUST · COMPLIANCE
Compliance
Eight frameworks across four jurisdictions. Per-framework posture.
Read →
Last reviewed · 22 May 2026 · v1.0
Still on the legal review?
We'll send you the file.
Pre-filled vendor security questionnaire (SIG Lite), DPA, sub-processor list, SOC 2 letter, model card, latest bias audit. One zip. Reply within one business day.
Request the legal pack Email legal@picked.ai
Operated by Neuroworx Ltd · ICO #09910326623
picked.
The AI-native replacement for inbound hiring. For the hiring manager, not HR.
© 2026 Picked · Made in London · Three finalists in forty-eight hours.
Sub-processors · Picked.ai