To deliver the Hirex platform, we engage a limited set of third-party sub-processors. Each one is bound by appropriate data protection terms, including, where applicable, the European Commission's Standard Contractual Clauses for international transfers, and is contractually obligated to handle customer data with the same standards we apply ourselves.
Change notifications. We notify customers at least 30 days before adding or replacing a sub-processor that processes customer personal data. Customers may object during the notification period; if the parties cannot resolve the objection, the customer may terminate the affected portion of the Services without penalty.
Core sub-processors
These are engaged for all customer tenants.
Hosting and infrastructure
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | All customer data | Ireland (eu-west-1) |
| Heroku, a Salesforce company | Platform-as-a-Service (application and worker hosting) | All customer data | AWS Ireland |
| Heroku Postgres | Primary relational database | Candidates, users, applications, all structured PII | AWS Ireland |
| Heroku Redis | Cache and queue | Session state and ephemeral background work | AWS Ireland |
| Cloudflare R2 | Object storage | Résumés, attachments, interview recordings, audit archives | European Union |
| Cloudflare | CDN, Web Application Firewall, DDoS protection, bot management, edge TLS termination | IPs, network metadata, bot detection signals | Global edge network |
AI and machine learning
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| OpenAI | CV evaluation, criteria generation, content generation | Candidate and job data sent at the time of feature use | United States |
| Anthropic | Candidate evaluation, content generation | Candidate and job data sent at the time of feature use | United States |
| Google (Gemini API) | Résumé parsing | Uploaded CV content | United States |
| Deepgram | Speech-to-text transcription of one-way video interviews (where enabled) | Interview audio | United States |
| Exa.ai | AI-assisted candidate sourcing | Search queries | United States |
Customer data is not used to train any AI provider's models. All four LLM providers operate on zero-data-retention terms where supported on their enterprise tier. Transfers are covered by Standard Contractual Clauses (Module 2) and documented Transfer Impact Assessments. See our Responsible AI page for detail.
Email and customer communications
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| Mailgun (Sinch) | Transactional and candidate email delivery | Recipient addresses, email content | United States |
| Intercom | In-app and pre-sale support chat | User identity, support conversation content | United States |
Calendar and interview scheduling
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| Nylas | Calendar and email sync for interview scheduling | Calendar events, attendees, scheduling metadata | United States |
Analytics and observability
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| Sentry | Application error monitoring | Stack traces, user/context identifiers | United States |
| Scout APM | Application performance monitoring | Request and query telemetry | United States |
| BetterStack (Logtail) | Centralized log aggregation | Application logs | United States |
| PostHog | Product analytics | Feature usage events, properties, session info | United States |
| Google BigQuery | Reporting and analytics warehouse | Aggregated, pseudonymized analytics | United States |
Payments
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| Stripe | Subscription billing | Billing contact, payment method (Stripe stores card data, Hirex does not) | United States |
Network
| Vendor | Purpose | Data processed | Region |
|---|---|---|---|
| QuotaGuard | Static-IP egress proxy for outbound API calls | Network metadata only | United States |
Customer-enabled integrations
The following are engaged only when a customer explicitly enables the corresponding integration in their tenant. Where engaged, the customer is the data controller and is responsible for the contractual relationship with the integration provider. Hirex passes data to these providers strictly on the customer's documented instruction.
Change notifications
We notify customers at least 30 days in advance of:
- adding a new sub-processor that processes customer personal data
- replacing an existing sub-processor with a different one
- material changes to the purpose or scope of an existing sub-processor's processing
Notifications are published on this page. Customers also receive advance notice through the contact details in their agreement.
How to read this list
Each vendor named in the Core sub-processors tables is engaged for all customer tenants by default. Engagement of an integration in the "Customer-enabled" section requires the customer's explicit configuration.
Where data is transferred outside the European Economic Area (the United States, in particular), the transfer is governed by the European Commission's Standard Contractual Clauses (Decision (EU) 2021/914, Module 2: Controller-to-Processor) and supplementary safeguards documented in our Transfer Impact Assessments. Summaries are available to customers on request under NDA.
For details on our hosting, encryption, and security practices, see our Security page. For details on our AI use, see our Responsible AI page. For our Data Processing Addendum, see the DPA.
Contact
- Sub-processor questions: [email protected]
- Data Protection Officer: Burak Yılmaz ([email protected])
- Sub-processor change notifications: published on this page; customers receive advance notice per their agreement.
