Why this page exists
We list every subprocessor because GDPR Art. 28(2) requires it, but also because we think you deserve to know exactly who else can touch your data. Each one has a Data Processing Agreement (or equivalent contract) in place with MEDTIP GmbH and is bound to use your data only to deliver the service.
Before we add a new subprocessor that handles personal data, you will be notified by e-mail and an in-app banner at least 14 days before the change takes effect. This page is updated at the same time. If you object and we cannot operate without the new subprocessor, you can export your data and close your account before the change applies.
Current subprocessors
As of the last-updated date above, MEDTIP GmbH uses the following subprocessors to deliver CVVia. "Mechanism" describes the legal basis for any transfer outside the EU.
| Subprocessor | Service | Data category | Jurisdiction | Mechanism |
|---|---|---|---|---|
| IONOS SE | Infrastructure hosting (VPS, primary database, Firebase Storage replica) | All application data, logs | Germany (Frankfurt) | German law + DPA |
| Google Ireland Ltd. | Firebase Authentication, Google Workspace (hello@cvvia.ai mailbox) | Email, password hash, Firebase UID, inbox messages | Ireland (EU) | GCP DPA + EU SCCs |
| Google LLC | Firebase Storage, Custom Search API, Gemini LLM | Uploaded documents, public job-search queries, AI prompts | United States (EU regions available) | SCCs + EU-US Data Privacy Framework |
| Cloudflare Inc. | DNS, R2 object storage for off-site backups | DNS queries, client IPs, encrypted backup files | EU region for R2, global for DNS | DPA + SCCs + DPF |
| Resend Inc. | Transactional e-mail delivery | Name, email address, message text from the contact form | EU region (Ireland infrastructure) | DPA + EU SCCs |
| Functional Software Inc. (Sentry) | Error and exception monitoring | Stack traces, request metadata (personal data scrubbed before send) | EU ingest (Germany) | Sentry DPA + EU residency |
| OpenAI Ireland Ltd. | Large language model API — CV tailoring, cover letters, ATS scoring, interview prep, embeddings | Prompt text including CV / profile / answers | Ireland (compute may extend to United States) | OpenAI Ireland DPA + EU SCCs |
| Anthropic PBC | Large language model API — alternative provider | Same as OpenAI when configured | United States | Anthropic DPA + SCCs |
| Microsoft Corporation | Text-to-speech endpoint for interview-prep voice playback | Interview question text only — no microphone audio sent | United States | Best-effort feature with documented risk; browser fallback available |
How we change this list
Before adding a new subprocessor that handles personal data, we commit to:
- Notify users at least 14 days in advance by email to the account address and via an in-app banner.
- Update this page to reflect the change before it goes live.
- Honor objections — if you do not want your data flowing through a new subprocessor and we cannot operate without it, you may export your data via Settings → Download my data and close your account before the change applies, with a pro-rated refund where applicable.
- Remove processors that no longer hold a DPA with us, or that we have stopped using, and note the removal here.
Questions or copies of the DPAs
If you would like more detail on how a specific subprocessor handles your data, the country where their compute runs, or a copy of an underlying Data Processing Agreement where it is shareable, write to privacy@cvvia.ai. We respond within 30 days.