🔔 Subscribe to Updates
Receive notifications when we add or change sub-processors. Email privacy@virvell.ai with the subject "Sub-processor Updates Subscription".
What are Sub-Processors?
Sub-processors are third-party service providers that Virvell engages to process customer data on our behalf. Under our Data Processing Agreement (DPA), we maintain full transparency about all sub-processors who may have access to your data.
We ensure that all sub-processors:
- Enter into written agreements with data protection obligations substantially similar to our DPA
- Implement appropriate technical and organizational security measures
- Process data only as instructed by Virvell and our customers
- Comply with applicable data protection laws (GDPR, PIPEDA, CCPA, etc.)
Current Sub-Processors
The certifications listed below are held by our sub-processors (third-party vendors), not by Virvell directly. Virvell's own compliance program is detailed on our Compliance page.
Anthropic, PBC
Category: Core Service
Service Provided: Large-language-model API (Claude) for transcript analysis and report generation
Data Processed: Conversation transcripts, derived summaries, behavioral signals
Location: United States
Purpose: Powering AI-driven conversation analysis and report generation
Security: SOC 2 Type II certified, enterprise-grade encryption. Customer data is not used for model training. Standard API retention applies per Anthropic's published data retention policy.
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) and equivalent safeguards via Anthropic's DPA
Privacy Policy: anthropic.com/legal/privacy
ElevenLabs Inc.
Category: Core Service
Service Provided: Conversational voice AI — outbound call orchestration, voice synthesis, and speech-to-text
Data Processed: Voice recordings, conversation transcripts, phone numbers, call metadata
Location: United States
Purpose: Conducting AI-powered phone interviews and producing transcripts
Security: SOC 2 Type II certified, encrypted call handling
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via ElevenLabs' DPA
Privacy Policy: elevenlabs.io/privacy-policy
Telnyx LLC
Category: Communication
Service Provided: SIP telephony termination for outbound voice calls (operated as the carrier behind the ElevenLabs voice agent)
Data Processed: Phone numbers, call metadata (call start/end, duration, routing information)
Location: United States
Purpose: Carrier-grade telephony connectivity for AI-conducted interviews
Security: SOC 2 Type II certified, encrypted SIP trunking
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Telnyx's DPA
Privacy Policy: telnyx.com/legal/privacy-policy
Stripe, Inc.
Category: Payment
Service Provided: Payment processing and subscription management
Data Processed: Payment information, billing addresses, subscription details
Location: United States
Purpose: Processing customer payments and managing subscriptions
Security: PCI DSS Level 1 certified
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Stripe's DPA
Privacy Policy: stripe.com/privacy
Salesforce (Heroku)
Category: Infrastructure
Service Provided: Cloud hosting infrastructure and database management
Data Processed: All customer data stored in the Virvell platform
Location: United States (US region)
Purpose: Hosting the Virvell application and securely storing data
Security: SOC 2 Type II, ISO 27001, GDPR compliant
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Salesforce's DPA
Privacy Policy: salesforce.com/privacy
Amazon Web Services, Inc. (S3)
Category: Infrastructure
Service Provided: Object storage for voice recordings and supporting artifacts (engaged when the customer's deployment configures the S3 bucket)
Data Processed: Voice recordings, transcripts, related call artifacts
Location: United States (us-east-1)
Purpose: Durable, encrypted storage of recording artifacts produced during reference and screening calls
Security: SOC 2, ISO 27001, server-side encryption (AES-256)
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via the AWS GDPR DPA
Privacy Policy: aws.amazon.com/privacy
Twilio Inc. (SendGrid)
Category: Communication
Service Provided: Transactional email delivery
Data Processed: Email addresses, notification content, delivery metadata
Location: United States
Purpose: Sending automated emails (reports, notifications, alerts)
Security: SOC 2 Type II, ISO 27001 certified
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Twilio's DPA
Privacy Policy: twilio.com/privacy
Customer.io, Inc.
Category: Communication
Service Provided: Lifecycle and transactional email orchestration
Data Processed: Customer name, email address, account event metadata
Location: United States
Purpose: Triggered communications (onboarding, retention, product updates) tied to customer activity
Security: SOC 2 Type II certified, encryption in transit and at rest
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Customer.io's DPA
Privacy Policy: customer.io/legal/privacy-policy
Functional Software, Inc. (Sentry)
Category: Monitoring
Service Provided: Application error monitoring and performance telemetry
Data Processed: Stack traces, scrubbed request context, environment metadata (PII is filtered before transmission)
Location: United States
Purpose: Diagnosing application errors and maintaining service reliability
Security: SOC 2 Type II, ISO 27001 certified
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Sentry's DPA
Privacy Policy: sentry.io/privacy
Certn Inc.
Category: Background Checks
Service Provided: Criminal-record, education-verification, and employment-verification background checks
Data Processed: Candidate name, date of birth, address, government-issued identifiers, declared employment and education history
Location: Canada
Purpose: Conducting customer-requested background checks attached to a reference-check workflow
Security: SOC 2 Type II certified, encryption in transit and at rest
Transfer Mechanism: Adequacy decision (Canada is recognized as providing adequate protection under EU GDPR Art. 45); PIPEDA-governed processing
Privacy Policy: certn.co/privacy-policy
Greenhouse Software, Inc.
Category: Integration
Service Provided: Applicant tracking system (ATS) — engaged only when the customer connects their Greenhouse account to Virvell
Data Processed: Candidate name, email address, application metadata pulled from or written back to the customer's Greenhouse environment
Location: United States
Purpose: Synchronizing candidate records and reference-check status with the customer's ATS
Security: SOC 2 Type II certified, customer-managed scoped credentials, encryption in transit and at rest
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via Greenhouse's DPA
Privacy Policy: greenhouse.com/privacy-policy
BambooHR LLC
Category: Integration
Service Provided: HRIS / ATS — engaged only when the customer connects their BambooHR account to Virvell
Data Processed: Candidate name, email address, application metadata pulled from or written back to the customer's BambooHR environment
Location: United States
Purpose: Synchronizing candidate records and reference-check status with the customer's HRIS/ATS
Security: SOC 2 Type II certified, customer-managed scoped credentials, encryption in transit and at rest
Transfer Mechanism: EU Standard Contractual Clauses (SCCs) via BambooHR's DPA
Privacy Policy: bamboohr.com/privacy
Adding New Sub-Processors
When we engage a new sub-processor, we:
- Notify customers via email at least 30 days before authorization
- Update this page with full details about the new sub-processor
- Provide an objection period of 10 business days as outlined in our DPA
- Ensure compliance with the same data protection standards as existing sub-processors
✉️ How to Object to a New Sub-Processor
Enterprise customers have the right to object to new sub-processors on reasonable and explained grounds. To exercise this right:
- Send a written objection to privacy@virvell.ai
- Include your reasons for objection
- Submit within 10 business days of receiving notification
We will work in good faith to resolve your concerns or provide alternative service delivery methods.
Data Protection Safeguards
All sub-processors are contractually required to:
- Process data only on Virvell's documented instructions
- Implement appropriate security measures (encryption, access controls, monitoring)
- Assist with data subject rights requests (access, deletion, portability)
- Notify Virvell immediately of any data breaches
- Delete or return data upon termination of services
- Allow audits and inspections of their data processing activities
International Data Transfers
Some sub-processors are located outside your jurisdiction. For transfers from the EU/EEA, UK, or Switzerland, we rely on:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- UK Addendum for UK GDPR compliance
- Swiss Addendum for Swiss FADP compliance
- Additional safeguards including encryption and data minimization
See our Data Processing Agreement for full details on cross-border transfer mechanisms.
Questions About Sub-Processors?
Contact our privacy team:
- Privacy inquiries: privacy@virvell.ai
- Security questions: security@virvell.ai
- DPA requests: legal@virvell.ai
Related Documents: Data Processing Agreement | Privacy Policy | Security & Compliance