The register below is the full list of sub-processors Ishavi engages to deliver the platform. It is incorporated by reference into the customer Data Processing Agreement (Annex B). New sub-processors are notified to subscribers thirty days before they go live.
| Name | Service | Data processed | Location | Status |
|---|---|---|---|---|
| WorkOS | Identity, SSO, SAML, directory sync | Recruiter email, organisation name, SSO claims | United States (us-east-1) | Active · DPA signed · SOC 2 Type II |
| Supabase | Managed Postgres + Auth backing store | All structured customer data: tenants, jobs, interview metadata, scorecards | ap-south-1 (Mumbai) | Active · DPA signed · SOC 2 Type II |
| Cloudflare | R2 object storage + CDN + DNS | Interview audio recordings, transcripts, model output artefacts; static assets | Global edge; R2 bucket region: WEUR / ENAM as tenant requires | Active · DPA signed · ISO 27001, SOC 2 Type II |
| Resend | Transactional email delivery | Recipient email, message content (invite links, appeal updates, audit notifications) | United States (us-east-1) | Active · DPA signed · SOC 2 Type II |
| Sentry | Error monitoring + performance traces | Stack traces, request paths, user IDs (no payloads); PII scrubbing enabled | United States (us-east-1) | Active · DPA signed · SOC 2 Type II |
| OpenAI | Whisper (speech-to-text), GPT (scoring fallback), TTS (interviewer voice) | Interview audio frames, transcript chunks, system + user prompts, model outputs | United States | Active · Enterprise DPA signed · zero-retention API mode · SOC 2 Type II |
| Anthropic | Claude family for conversation orchestration and follow-up generation | Conversation context, rubric grounding, system + user prompts, model outputs | United States | Active · Commercial DPA signed · zero-retention API mode · SOC 2 Type II |
| Google AI Studio | Gemini family for rubric-anchored scorecard composition | Transcript excerpts, rubric definitions, model outputs | United States | Active · Cloud DPA signed · SOC 2 Type II, ISO 27001 |
| Vercel | Frontend application hosting + edge functions | Request headers, IP addresses (truncated), routing metadata | iad1 (us-east-1) primary; multi-region edge | Active · DPA signed · SOC 2 Type II |
| Oracle Cloud Infrastructure | Backend API host (Mumbai region) | All transit and processing of customer requests routed through this host | ap-south-1 (Mumbai) | Active · Master Services Agreement · ISO 27001, SOC 2 Type II |
When Ishavi adds, removes, or substitutes a sub-processor, we publish the change here and notify the sub-processor mailing list at least 30 calendar days before the change takes effect. Customers may object to a new sub-processor in writing within that window; if we cannot resolve the objection through reasonable steps, the customer may terminate the affected portion of the service per the terminating provisions of the DPA.
Emergency replacements (security incident, vendor outage, regulatory order) are notified after the fact within five business days, with a written explanation of why prior notice was not possible.