🔔 Subscribe to Updates
Receive notifications when we add or change sub-processors. Email privacy@virvell.ai with subject "Sub-processor Updates Subscription"
What are Sub-Processors?
Sub-processors are third-party service providers that Virvell engages to process customer data on our behalf. Under our Data Processing Agreement (DPA), we maintain full transparency about all sub-processors who may have access to your data.
We ensure that all sub-processors:
- Enter into written agreements with data protection obligations substantially similar to our DPA
- Implement appropriate technical and organizational security measures
- Process data only as instructed by Virvell and our customers
- Comply with applicable data protection laws (GDPR, PIPEDA, CCPA, etc.)
Current Sub-Processors
The certifications listed below are held by our sub-processors (third-party vendors), not by Virvell directly. Virvell's own compliance program is detailed on our Compliance page.
Anthropic, PBC
Core ServiceService Provided: Large-language-model API (Claude) for transcript analysis and report generation
Data Processed: Conversation transcripts, derived summaries, behavioral signals
Location: United States
Purpose: Powering AI-driven conversation analysis and report generation
Security: SOC 2 Type II certified, enterprise-grade encryption. Customer data is not used for model training. Standard API retention applies per Anthropic's published data retention policy.
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) and equivalent safeguards via Anthropic's DPA
Privacy Policy: anthropic.com/legal/privacy
Date Added: Prior to May 25, 2026
ElevenLabs Inc.
Core ServiceService Provided: Conversational voice AI — outbound call orchestration, voice synthesis, and speech-to-text
Data Processed: Voice recordings, conversation transcripts, phone numbers, call metadata
Location: United States
Purpose: Conducting AI-powered phone interviews and producing transcripts
Security: SOC 2 Type II certified, encrypted call handling
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via ElevenLabs' DPA
Privacy Policy: elevenlabs.io/privacy-policy
Date Added: Prior to May 25, 2026
Telnyx LLC
CommunicationService Provided: SIP telephony termination for outbound voice calls and direct telephony services.
Data Processed: Phone numbers, call metadata (call start/end, duration, routing information)
Location: United States
Purpose: Carrier-grade telephony connectivity for AI-conducted interviews
Security: SOC 2 Type II certified, encrypted SIP trunking
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Telnyx's DPA
Privacy Policy: telnyx.com/legal/privacy-policy
Date Added: Prior to May 25, 2026
Stripe, Inc.
PaymentService Provided: Payment processing and subscription management
Data Processed: Payment information, billing addresses, subscription details
Location: United States
Purpose: Processing customer payments and managing subscriptions
Security: PCI DSS Level 1 certified
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Stripe's DPA
Privacy Policy: stripe.com/privacy
Date Added: Prior to May 25, 2026
Salesforce (Heroku)
InfrastructureService Provided: Cloud hosting infrastructure and database management
Data Processed: All customer data stored in the Virvell platform
Location: United States (US region)
Purpose: Hosting the Virvell application and securely storing data
Security: SOC 2 Type II, ISO 27001, GDPR compliant
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Salesforce's DPA
Privacy Policy: salesforce.com/privacy
Date Added: Prior to May 25, 2026
Amazon Web Services, Inc. (S3)
InfrastructureService Provided: Object storage for voice recordings and supporting artifacts, when configured for the Virvell deployment.
Data Processed: Voice recordings, transcripts, related call artifacts
Location: United States (us-east-1)
Purpose: Durable, encrypted storage of recording artifacts produced during reference and screening calls
Security: SOC 2, ISO 27001, server-side encryption (AES-256)
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via the AWS GDPR DPA
Privacy Policy: aws.amazon.com/privacy
Date Added: Prior to May 25, 2026
Twilio Inc. (SendGrid)
CommunicationService Provided: Transactional email delivery
Data Processed: Email addresses, notification content, delivery metadata
Location: United States
Purpose: Sending automated emails (reports, notifications, alerts)
Security: SOC 2 Type II, ISO 27001 certified
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Twilio's DPA
Privacy Policy: twilio.com/privacy
Date Added: Prior to May 25, 2026
Customer.io, Inc.
CommunicationService Provided: Lifecycle and transactional email orchestration
Data Processed: Customer name, email address, account event metadata
Location: United States
Purpose: Triggered communications (onboarding, retention, product updates) tied to customer activity
Security: SOC 2 Type II certified, encryption in transit and at rest
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Customer.io's DPA
Privacy Policy: customer.io/legal/privacy-policy
Date Added: Prior to May 25, 2026
Functional Software, Inc. (Sentry)
MonitoringService Provided: Application error monitoring and performance telemetry
Data Processed: Stack traces, scrubbed request context, environment metadata (PII is filtered before transmission)
Location: United States
Purpose: Diagnosing application errors and maintaining service reliability
Security: SOC 2 Type II, ISO 27001 certified
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Sentry's DPA
Privacy Policy: sentry.io/privacy
Date Added: Prior to May 25, 2026
Certn Inc.
Background ChecksService Provided: Criminal-record, education-verification, and employment-verification background checks
Data Processed: Candidate name, date of birth, address, government-issued identifiers, declared employment and education history
Location: Canada; per Certn's privacy policy, data may also be stored in the United States, United Kingdom, and Australia
Purpose: Conducting customer-requested background checks attached to a reference-check workflow
Security: SOC 2 Type II certified, encryption in transit and at rest
Transfer Mechanism: Adequacy decision (Canada is recognized as providing adequate protection under EU GDPR Art. 45); PIPEDA-governed processing
Privacy Policy: certn.co/privacy-policy
Date Added: Prior to May 25, 2026
Greenhouse Software, Inc.
IntegrationService Provided: Applicant tracking system (ATS) — engaged only when the customer connects their Greenhouse account to Virvell
Data Processed: Candidate name, email address, application metadata pulled from or written back to the customer's Greenhouse environment
Location: United States
Purpose: Synchronizing candidate records and reference-check status with the customer's ATS
Security: SOC 2 Type II certified, customer-managed scoped credentials, encryption in transit and at rest
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Greenhouse's DPA
Privacy Policy: greenhouse.com/privacy-policy
Date Added: Prior to May 25, 2026
BambooHR LLC
IntegrationService Provided: HRIS / ATS — engaged only when the customer connects their BambooHR account to Virvell
Data Processed: Candidate name, email address, application metadata pulled from or written back to the customer's BambooHR environment
Location: United States
Purpose: Synchronizing candidate records and reference-check status with the customer's HRIS/ATS
Security: SOC 2 Type II certified, customer-managed scoped credentials, encryption in transit and at rest
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via BambooHR's DPA
Privacy Policy: bamboohr.com/privacy
Date Added: Prior to May 25, 2026
Ashby, Inc.
IntegrationService Provided: Applicant tracking system (ATS) — engaged only when the customer connects their Ashby account to Virvell
Data Processed: Candidate name, email address, application metadata pulled from or written back to the customer's Ashby environment
Location: United States
Purpose: Synchronizing candidate records and reference-check status with the customer's ATS
Security: SOC 2 Type II certified, customer-managed scoped credentials, encryption in transit and at rest
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Ashby's DPA
Privacy Policy: ashbyhq.com/privacy
Date Added: May 25, 2026
Quo (operated by OpenPhone Technologies Inc.)
CommunicationService Provided: SMS and voice messaging for candidate and customer outreach
Data Processed: Phone numbers, message content, message metadata
Location: United States
Purpose: Transactional and lifecycle SMS communications with candidates and customers
Security: SOC 2 Type II certified, encryption in transit and at rest
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via OpenPhone's DPA
Privacy Policy: openphone.com/privacy
Date Added: May 25, 2026
Zapier, Inc.
AutomationService Provided: Workflow automation receiving event-triggered webhooks for lifecycle automation (signup, check-completion, day-7 inactive, day-30 winback)
Data Processed: User email, account event metadata, reference-check completion status
Location: United States
Purpose: Triggering lifecycle automation workflows on customer events
Security: SOC 2 Type II certified, encryption in transit
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Zapier's DPA
Privacy Policy: zapier.com/privacy
Date Added: May 25, 2026
Calendly LLC
Demo BookingService Provided: Meeting scheduling and demo booking
Data Processed: Prospect name, email address, calendar availability metadata
Location: United States
Purpose: Scheduling sales demos and customer meetings via embedded booking widget
Security: SOC 2 Type II certified, encryption in transit and at rest
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Calendly's DPA
Privacy Policy: calendly.com/privacy
Date Added: May 25, 2026
Google LLC
Analytics & AdvertisingService Provided: Web analytics (Google Analytics 4), advertising attribution (Google Ads), and tag management (Google Tag Manager)
Data Processed: Visitor IP address (anonymized), user agent, page URL, referrer, interaction events; no candidate or reference PII
Location: United States
Purpose: Site analytics, advertising attribution, and conversion tracking on marketing and product pages
Security: SOC 2 Type II certified, ISO 27001 certified
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Google's DPA
Privacy Policy: policies.google.com/privacy
Date Added: May 25, 2026
Microsoft Corporation
Session AnalyticsService Provided: Anonymized session recording and behavior analytics (Microsoft Clarity)
Data Processed: Anonymized visitor session data, click events, page interactions, scroll patterns; PII is masked by Clarity's default content masking
Location: United States
Purpose: Understanding user behavior on candidate-facing pages to improve usability
Security: SOC 2 Type II certified, ISO 27001 certified
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Microsoft's DPA
Privacy Policy: privacy.microsoft.com/privacystatement
Date Added: May 25, 2026
Cloudflare, Inc.
Web AnalyticsService Provided: Privacy-focused web analytics beacon
Data Processed: Visitor IP, user agent, referrer, page URL (aggregated, no cross-site tracking)
Location: United States (with global edge presence)
Purpose: Lightweight visitor analytics without third-party cookies
Security: SOC 2 Type II certified, ISO 27001 certified
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Cloudflare's DPA
Privacy Policy: cloudflare.com/privacypolicy
Date Added: May 25, 2026
Adding New Sub-Processors
When we engage a new sub-processor, we:
- Notify customers via email at least 30 days before authorization
- Update this page with full details about the new sub-processor
- Provide objection period of 5 business days as outlined in our DPA
- Ensure compliance with the same data protection standards as existing sub-processors
✉️ How to Object to a New Sub-Processor
Enterprise customers have the right to object to new sub-processors for reasonable and explained grounds. To exercise this right:
- Send written objection to privacy@virvell.ai
- Include your reasons for objection
- Submit within 5 business days of receiving notification
We will work in good faith to resolve your concerns or provide alternative service delivery methods.
Data Protection Safeguards
All sub-processors are contractually required to:
- Process data only on Virvell's documented instructions
- Implement appropriate security measures (encryption, access controls, monitoring)
- Assist with data subject rights requests (access, deletion, portability)
- Notify Virvell immediately of any data breaches
- Delete or return data upon termination of services
- Allow audits and inspections of their data processing activities
International Data Transfers
Some sub-processors are located outside your jurisdiction. For transfers from the EU/EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK Addendum for UK GDPR compliance
- Swiss Addendum for Swiss FADP compliance
- Additional safeguards including encryption and data minimization
See our Data Processing Agreement for full details on cross-border transfer mechanisms.
Questions About Sub-Processors?
Contact our privacy team:
- Privacy inquiries: privacy@virvell.ai
- Security questions: security@virvell.ai
- DPA requests: legal@virvell.ai
Related Documents:
Data Processing Agreement |
Privacy Policy |
Security & Compliance