Subprocessor List
Last updated: February 2026
About This List
CV Score uses carefully selected third-party service providers ("subprocessors") to help operate our Service. This page provides transparency about who processes your data on our behalf.
All subprocessors are bound by Data Processing Agreements (DPAs) requiring them to:
- Process data only for the specified purposes
- Implement appropriate security measures
- Maintain confidentiality
- Delete or return data upon termination
- Comply with applicable data protection laws
Current Subprocessors
OpenAI, LLC
United StatesPurpose
AI-powered CV analysis and evaluation
Data Processed
CV text content only (no user identifiers, no email, no account information)
Safeguards
Standard Contractual Clauses (SCCs), Data Processing Agreement
OpenAI does not use API inputs for model training. Your CV data is not retained after processing is complete.
Supabase, Inc.
United States (AWS infrastructure)Purpose
Authentication, database, and file storage services
Data Processed
Account information (email, authentication data), CV documents, evaluation results
Safeguards
Standard Contractual Clauses (SCCs), Data Processing Agreement, SOC 2 Type II
Supabase provides our backend infrastructure including PostgreSQL database and S3-compatible file storage. Data is encrypted at rest and in transit.
Polar
To be confirmedPurpose
Payment processing
Data Processed
Email address, payment transaction details (we do not receive full card numbers)
Safeguards
PCI DSS compliance, Data Processing Agreement
Polar handles all payment card processing. We only receive confirmation of successful transactions and the email associated with payment.
Infrastructure Providers
Our subprocessors use the following infrastructure providers:
| Provider | Used By | Purpose | Certifications |
|---|---|---|---|
| Amazon Web Services (AWS) | Supabase | Cloud computing, database hosting, file storage | SOC 1/2/3, ISO 27001, PCI DSS |
| Microsoft Azure | OpenAI | AI model inference | SOC 1/2/3, ISO 27001, PCI DSS |
Data Flow Summary
How your data flows through our systems:
You upload a CV
Encrypted at rest with AES-256
CV text is extracted
PDF parsing happens server-side
AI evaluation
Your name/email NOT included
Results stored
Linked to your account
International Transfer Safeguards
Since some subprocessors are located in the United States, we implement the following safeguards for international data transfers:
Standard Contractual Clauses (SCCs)
EU-approved contractual terms ensuring adequate protection for personal data transferred outside the EEA.
Applies to: All US-based subprocessors
UK International Data Transfer Agreement (IDTA)
UK-approved addendum to SCCs for transfers from the UK.
Applies to: All US-based subprocessors
Supplementary Measures
Additional technical and organizational measures including encryption, access controls, and data minimization.
Applies to: All subprocessors
Note: The UK has adequacy status from the EU (renewed December 2025, valid until December 2031), so UK-EU data transfers require no additional safeguards.
Changes to Subprocessors
We may add or replace subprocessors from time to time. When we make material changes:
- We will update this list with at least 30 days' notice before the change takes effect
- We will update the "Last updated" date at the top of this page
- For enterprise customers with DPAs, we will provide direct notification as specified in your agreement
If you have concerns about a new subprocessor, please contact us at privacy@cvscore.net within the notice period.
Questions
If you have questions about our subprocessors or data processing practices, please contact: privacy@cvscore.net