Sub-Processors

Last updated: May 25, 2026

🔔 Subscribe to Updates

Receive notifications when we add or change sub-processors. Email privacy@virvell.ai with the subject "Sub-processor Updates Subscription".

What are Sub-Processors?

Sub-processors are third-party service providers that Virvell engages to process customer data on our behalf. Under our Data Processing Agreement (DPA), we maintain full transparency about all sub-processors who may have access to your data.

We ensure that all sub-processors:

Current Sub-Processors

The certifications listed below are held by our sub-processors (third-party vendors), not by Virvell directly. Virvell's own compliance program is detailed on our Compliance page.

Anthropic, PBC

Core Service

Service Provided: Large-language-model API (Claude) for transcript analysis and report generation

Data Processed: Conversation transcripts, derived summaries, behavioral signals

Location: United States

Purpose: Powering AI-driven conversation analysis and report generation

Security: SOC 2 Type II certified, enterprise-grade encryption. Customer data is not used for model training. Standard API retention applies per Anthropic's published data retention policy.

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) and equivalent safeguards via Anthropic's DPA

Privacy Policy: anthropic.com/legal/privacy

Date Added: Prior to May 25, 2026

ElevenLabs Inc.

Core Service

Service Provided: Conversational voice AI — outbound call orchestration, voice synthesis, and speech-to-text

Data Processed: Voice recordings, conversation transcripts, phone numbers, call metadata

Location: United States

Purpose: Conducting AI-powered phone interviews and producing transcripts

Security: SOC 2 Type II certified, encrypted call handling

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via ElevenLabs' DPA

Privacy Policy: elevenlabs.io/privacy-policy

Date Added: Prior to May 25, 2026

Telnyx LLC

Communication

Service Provided: SIP telephony termination for outbound voice calls and direct telephony services.

Data Processed: Phone numbers, call metadata (call start/end, duration, routing information)

Location: United States

Purpose: Carrier-grade telephony connectivity for AI-conducted interviews

Security: SOC 2 Type II certified, encrypted SIP trunking

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Telnyx's DPA

Privacy Policy: telnyx.com/legal/privacy-policy

Date Added: Prior to May 25, 2026

Stripe, Inc.

Payment

Service Provided: Payment processing and subscription management

Data Processed: Payment information, billing addresses, subscription details

Location: United States

Purpose: Processing customer payments and managing subscriptions

Security: PCI DSS Level 1 certified

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Stripe's DPA

Privacy Policy: stripe.com/privacy

Date Added: Prior to May 25, 2026

Salesforce (Heroku)

Infrastructure

Service Provided: Cloud hosting infrastructure and database management

Data Processed: All customer data stored in the Virvell platform

Location: United States (US region)

Purpose: Hosting the Virvell application and securely storing data

Security: SOC 2 Type II, ISO 27001, GDPR compliant

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Salesforce's DPA

Privacy Policy: salesforce.com/privacy

Date Added: Prior to May 25, 2026

Amazon Web Services, Inc. (S3)

Infrastructure

Service Provided: Object storage for voice recordings and supporting artifacts, when configured for the Virvell deployment.

Data Processed: Voice recordings, transcripts, related call artifacts

Location: United States (us-east-1)

Purpose: Durable, encrypted storage of recording artifacts produced during reference and screening calls

Security: SOC 2, ISO 27001, server-side encryption (AES-256)

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via the AWS GDPR DPA

Privacy Policy: aws.amazon.com/privacy

Date Added: Prior to May 25, 2026

Twilio Inc. (SendGrid)

Communication

Service Provided: Transactional email delivery

Data Processed: Email addresses, notification content, delivery metadata

Location: United States

Purpose: Sending automated emails (reports, notifications, alerts)

Security: SOC 2 Type II, ISO 27001 certified

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Twilio's DPA

Privacy Policy: twilio.com/privacy

Date Added: Prior to May 25, 2026

Customer.io, Inc.

Communication

Service Provided: Lifecycle and transactional email orchestration

Data Processed: Customer name, email address, account event metadata

Location: United States

Purpose: Triggered communications (onboarding, retention, product updates) tied to customer activity

Security: SOC 2 Type II certified, encryption in transit and at rest

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Customer.io's DPA

Privacy Policy: customer.io/legal/privacy-policy

Date Added: Prior to May 25, 2026

Functional Software, Inc. (Sentry)

Monitoring

Service Provided: Application error monitoring and performance telemetry

Data Processed: Stack traces, scrubbed request context, environment metadata (PII is filtered before transmission)

Location: United States

Purpose: Diagnosing application errors and maintaining service reliability

Security: SOC 2 Type II, ISO 27001 certified

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Sentry's DPA

Privacy Policy: sentry.io/privacy

Date Added: Prior to May 25, 2026

Certn Inc.

Background Checks

Service Provided: Criminal-record, education-verification, and employment-verification background checks

Data Processed: Candidate name, date of birth, address, government-issued identifiers, declared employment and education history

Location: Canada; per Certn's privacy policy, data may also be stored in the United States, United Kingdom, and Australia

Purpose: Conducting customer-requested background checks attached to a reference-check workflow

Security: SOC 2 Type II certified, encryption in transit and at rest

Transfer Mechanism: Adequacy decision (Canada is recognized as providing adequate protection under EU GDPR Art. 45); PIPEDA-governed processing

Privacy Policy: certn.co/privacy-policy

Date Added: Prior to May 25, 2026

Greenhouse Software, Inc.

Integration

Service Provided: Applicant tracking system (ATS) — engaged only when the customer connects their Greenhouse account to Virvell

Data Processed: Candidate name, email address, application metadata pulled from or written back to the customer's Greenhouse environment

Location: United States

Purpose: Synchronizing candidate records and reference-check status with the customer's ATS

Security: SOC 2 Type II certified, customer-managed scoped credentials, encryption in transit and at rest

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Greenhouse's DPA

Privacy Policy: greenhouse.com/privacy-policy

Date Added: Prior to May 25, 2026

BambooHR LLC

Integration

Service Provided: HRIS / ATS — engaged only when the customer connects their BambooHR account to Virvell

Data Processed: Candidate name, email address, application metadata pulled from or written back to the customer's BambooHR environment

Location: United States

Purpose: Synchronizing candidate records and reference-check status with the customer's HRIS/ATS

Security: SOC 2 Type II certified, customer-managed scoped credentials, encryption in transit and at rest

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via BambooHR's DPA

Privacy Policy: bamboohr.com/privacy

Date Added: Prior to May 25, 2026

Ashby, Inc.

Integration

Service Provided: Applicant tracking system (ATS) — engaged only when the customer connects their Ashby account to Virvell

Data Processed: Candidate name, email address, application metadata pulled from or written back to the customer's Ashby environment

Location: United States

Purpose: Synchronizing candidate records and reference-check status with the customer's ATS

Security: SOC 2 Type II certified, customer-managed scoped credentials, encryption in transit and at rest

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Ashby's DPA

Privacy Policy: ashbyhq.com/privacy

Date Added: May 25, 2026

Quo (operated by OpenPhone Technologies Inc.)

Communication

Service Provided: SMS and voice messaging for candidate and customer outreach

Data Processed: Phone numbers, message content, message metadata

Location: United States

Purpose: Transactional and lifecycle SMS communications with candidates and customers

Security: SOC 2 Type II certified, encryption in transit and at rest

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via OpenPhone's DPA

Privacy Policy: openphone.com/privacy

Date Added: May 25, 2026

Zapier, Inc.

Automation

Service Provided: Workflow automation receiving event-triggered webhooks for lifecycle automation (signup, check-completion, day-7 inactive, day-30 winback)

Data Processed: User email, account event metadata, reference-check completion status

Location: United States

Purpose: Triggering lifecycle automation workflows on customer events

Security: SOC 2 Type II certified, encryption in transit

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Zapier's DPA

Privacy Policy: zapier.com/privacy

Date Added: May 25, 2026

Calendly LLC

Demo Booking

Service Provided: Meeting scheduling and demo booking

Data Processed: Prospect name, email address, calendar availability metadata

Location: United States

Purpose: Scheduling sales demos and customer meetings via embedded booking widget

Security: SOC 2 Type II certified, encryption in transit and at rest

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Calendly's DPA

Privacy Policy: calendly.com/privacy

Date Added: May 25, 2026

Google LLC

Analytics & Advertising

Service Provided: Web analytics (Google Analytics 4), advertising attribution (Google Ads), and tag management (Google Tag Manager)

Data Processed: Visitor IP address (anonymized), user agent, page URL, referrer, interaction events; no candidate or reference PII

Location: United States

Purpose: Site analytics, advertising attribution, and conversion tracking on marketing and product pages

Security: SOC 2 Type II certified, ISO 27001 certified

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Google's DPA

Privacy Policy: policies.google.com/privacy

Date Added: May 25, 2026

Microsoft Corporation

Session Analytics

Service Provided: Anonymized session recording and behavior analytics (Microsoft Clarity)

Data Processed: Anonymized visitor session data, click events, page interactions, scroll patterns; PII is masked by Clarity's default content masking

Location: United States

Purpose: Understanding user behavior on candidate-facing pages to improve usability

Security: SOC 2 Type II certified, ISO 27001 certified

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Microsoft's DPA

Privacy Policy: privacy.microsoft.com/privacystatement

Date Added: May 25, 2026

Cloudflare, Inc.

Web Analytics

Service Provided: Privacy-focused web analytics beacon

Data Processed: Visitor IP, user agent, referrer, page URL (aggregated, no cross-site tracking)

Location: United States (with global edge presence)

Purpose: Lightweight visitor analytics without third-party cookies

Security: SOC 2 Type II certified, ISO 27001 certified

Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Cloudflare's DPA

Privacy Policy: cloudflare.com/privacypolicy

Date Added: May 25, 2026

Adding New Sub-Processors

When we engage a new sub-processor, we:

  1. Notify customers via email at least 30 days before authorization
  2. Update this page with full details about the new sub-processor
  3. Provide an objection period of 5 business days as outlined in our DPA
  4. Ensure compliance with the same data protection standards as existing sub-processors

✉️ How to Object to a New Sub-Processor

Enterprise customers have the right to object to new sub-processors on reasonable and explained grounds. To exercise this right:

  1. Send a written objection to privacy@virvell.ai
  2. Include your reasons for objection
  3. Submit within 5 business days of receiving notification

We will work in good faith to resolve your concerns or provide alternative service delivery methods.

Data Protection Safeguards

All sub-processors are contractually required to:

International Data Transfers

Some sub-processors are located outside your jurisdiction. For transfers from the EU/EEA, UK, or Switzerland, we rely on:

See our Data Processing Agreement for full details on cross-border transfer mechanisms.

Questions About Sub-Processors?

Contact our privacy team:

Related Documents:
Data Processing Agreement | Privacy Policy | Security & Compliance
