Sub-processors · Picked.ai

Trust · Sub-processors

Every vendor. Every region. Every purpose.

The full list, kept current. Changes are notified to customers 30 days in advance. Subscribe to the change log to stay informed.

Subscribe to change notifications →Download as PDF

Current sub-processors

17 vendors. London-default. Zero-retention where it matters.

Sub-processor

Purpose

Region

Retention

Notes

Vercel

Web hosting

London (lhr1)

Logs 30 days

Frontend rendering, edge cache

Supabase

Postgres database

London (eu-west-2)

Per-artefact policy

Row-level security per organisation

Cloudflare R2

File storage

EU

Per-artefact policy

CV uploads, interview audio, assessment artefacts

WorkOS

Auth (hiring managers)

EU

Session lifetime

Magic link, Google SSO, SAML, SCIM

Anthropic

LLM (reasoning)

US, EU routing

Zero retention

Opus 4.7 ranking, Sonnet 4.6 conversation, Haiku 4.5 triage. Prompt caching enabled.

OpenAI

Whisper API only (transcription)

US, EU routing

Zero retention

Speech-to-text. No reasoning, no scoring.

Deepgram

Interview speech-to-text

US, processing only

No retention (processing)

Primary interview transcription. Candidate voice audio. No reasoning, no scoring.

ElevenLabs

Interview text-to-speech

US, processing only

Session only

Voices the interviewer's prompts, not candidate data.

LiveKit Cloud

Real-time voice / video

EU

Session only

Interview transport. Recordings stored in our R2.

Persona

Identity verification

EU

12 months

Anti-fraud, candidate-consented

Inngest

Background jobs / workers

EU

Job lifetime

AI pipeline orchestration, Stripe processing

Upstash

Rate-limit store (anti-abuse)

EU

Day-keyed counters

Hashed identifiers only (SHA-256). No raw candidate PII.

Resend

Transactional email

EU

30 days log

Magic links, candidate notifications, manager nudges

Stripe

Billing

EU, US

Per legal requirement

Metered usage, spend caps, multi-currency

PostHog

Analytics

EU cloud

365 days

Reverse-proxied. No candidate PII.

Brandfetch

Company profile enrichment

US (AWS)

No candidate PII

Work-email domain lookup at org signup. Public company data only, no candidate personal data.

Braintrust

Eval / observability

US

No PII

Prompt and model evaluation. Hashed candidate IDs only.

Sentry

Error monitoring

EU

90 days

Stack traces. No candidate PII.

Vanta

Compliance tooling

US

Per audit cycle

Added at M3 (Q4 2026), pre-SOC 2

Drata

Continuous compliance monitoring

US

Per audit cycle

SOC 2 monitoring platform

Holistic AI

Independent bias auditor

UK

Per audit

Annual audit under NYC LL144 and internal cadence

Changes

Three rules on changing this list.

01

Notification. New sub-processors are announced 30 days before activation. Customers can object during the window.

02

Removal. Sub-processor removals are immediate but communicated within 7 days. The migration is invisible to the customer.

03

Audit. Material changes (new region, new data type) trigger a DPIA refresh and customer-side notification regardless of the 30-day rule.

Stay current

Subscribe and we email you the day a change is announced.

One email per change. No marketing. Unsubscribe in one click. We use Resend for this and the same EU posture as the rest of the stack.

Subscribe →

Privacy

GDPR Article 22. Single-jurisdiction London residency. No training on candidate data.

Read →

TRUST · SECURITY

Security

Infrastructure, encryption, access, audit trail. SOC 2 Type II in progress.

Read →

TRUST · COMPLIANCE

Compliance

Eight frameworks across four jurisdictions. Per-framework posture.

Read →

Last reviewed · 22 May 2026 · v1.0

Still on the legal review?

We'll send you the file.

Pre-filled vendor security questionnaire (SIG Lite), DPA, sub-processor list, SOC 2 letter, model card, latest bias audit. One zip. Reply within one business day.

Request the legal pack →Email legal@picked.ai ↗

Operated by Neuroworx Ltd · ICO #09910326623