Sub-processor List
Zelvar uses the following third-party sub-processors to deliver our services. We conduct due diligence on all sub-processors and require them to maintain appropriate security standards.
| Vendor | Purpose | Data Processed | Region | Certifications |
|---|---|---|---|---|
| Supabase | Database, authentication, and storage | All candidate and recruiter data, authentication tokens, uploaded files | US-East-1 (AWS) | SOC 2 Type II, ISO 27001 |
| Anthropic (Claude) | AI screening analysis and transcript processing | Call transcript text only — no PII beyond what candidates share verbally | United States | SOC 2 Type II |
| Retell AI | Voice calling infrastructure and AI agent hosting | Audio recordings (90-day retention), call metadata | United States | SOC 2 Type II |
| Twilio | SMS message delivery | Phone numbers, message content | United States | SOC 2 Type II, ISO 27001, HIPAA eligible |
| SendGrid (Twilio) | Transactional email delivery | Email addresses, email content | United States | SOC 2 Type II, ISO 27001 |
| n8n | Workflow automation and trigger orchestration | Trigger events only — no PII stored in n8n | EU / United States | ISO 27001 (in progress) |
| Netlify | Application hosting and CDN delivery | No personal data — static assets only | United States | SOC 2 Type II |
| Cloudflare | DNS, domain registration, and DDoS protection | No personal data — DNS resolution only | Global | SOC 2 Type II, ISO 27001, PCI DSS |
Last updated: April 4, 2026.
We notify clients of material sub-processor changes 30 days in advance via email. If you have questions about our sub-processors, contact [email protected].