Skip to main content

Subprocessor List

Last updated: February 2026

About This List

CV Score uses carefully selected third-party service providers ("subprocessors") to help operate our Service. This page provides transparency about who processes your data on our behalf.

All subprocessors are bound by Data Processing Agreements (DPAs) requiring them to:

  • Process data only for the specified purposes
  • Implement appropriate security measures
  • Maintain confidentiality
  • Delete or return data upon termination
  • Comply with applicable data protection laws

Current Subprocessors

OpenAI, LLC

United States

Purpose

AI-powered CV analysis and evaluation

Data Processed

CV text content only (no user identifiers, no email, no account information)

Safeguards

Standard Contractual Clauses (SCCs), Data Processing Agreement

OpenAI does not use API inputs for model training. Your CV data is not retained after processing is complete.

View Privacy Policy →

Supabase, Inc.

United States (AWS infrastructure)

Purpose

Authentication, database, and file storage services

Data Processed

Account information (email, authentication data), CV documents, evaluation results

Safeguards

Standard Contractual Clauses (SCCs), Data Processing Agreement, SOC 2 Type II

Supabase provides our backend infrastructure including PostgreSQL database and S3-compatible file storage. Data is encrypted at rest and in transit.

View Privacy Policy →

Polar

To be confirmed

Purpose

Payment processing

Data Processed

Email address, payment transaction details (we do not receive full card numbers)

Safeguards

PCI DSS compliance, Data Processing Agreement

Polar handles all payment card processing. We only receive confirmation of successful transactions and the email associated with payment.

View Privacy Policy →

Infrastructure Providers

Our subprocessors use the following infrastructure providers:

Provider Used By Purpose Certifications
Amazon Web Services (AWS) Supabase Cloud computing, database hosting, file storage SOC 1/2/3, ISO 27001, PCI DSS
Microsoft Azure OpenAI AI model inference SOC 1/2/3, ISO 27001, PCI DSS

Data Flow Summary

How your data flows through our systems:

1

You upload a CV

Data: PDF file To: Supabase Storage

Encrypted at rest with AES-256

2

CV text is extracted

Data: Text content only To: Our backend server

PDF parsing happens server-side

3

AI evaluation

Data: CV text (no identifiers) To: OpenAI API

Your name/email NOT included

4

Results stored

Data: Scores and recommendations To: Supabase Database

Linked to your account

International Transfer Safeguards

Since some subprocessors are located in the United States, we implement the following safeguards for international data transfers:

Standard Contractual Clauses (SCCs)

EU-approved contractual terms ensuring adequate protection for personal data transferred outside the EEA.

Applies to: All US-based subprocessors

UK International Data Transfer Agreement (IDTA)

UK-approved addendum to SCCs for transfers from the UK.

Applies to: All US-based subprocessors

Supplementary Measures

Additional technical and organizational measures including encryption, access controls, and data minimization.

Applies to: All subprocessors

Note: The UK has adequacy status from the EU (renewed December 2025, valid until December 2031), so UK-EU data transfers require no additional safeguards.

Changes to Subprocessors

We may add or replace subprocessors from time to time. When we make material changes:

  • We will update this list with at least 30 days' notice before the change takes effect
  • We will update the "Last updated" date at the top of this page
  • For enterprise customers with DPAs, we will provide direct notification as specified in your agreement

If you have concerns about a new subprocessor, please contact us at privacy@cvscore.net within the notice period.

Questions

If you have questions about our subprocessors or data processing practices, please contact: privacy@cvscore.net