Sub-processor register
The complete list of companies whose code touches your data, what they do, where they are, and what international-transfer basis covers them.
Last updated: 2026-05-06
A “sub-processor” is any third party we use to deliver the service. Per GDPR Article 28, you have the right to know the full list and what each one does. Per the LinkedIn API Terms of Use, the same disclosure rule applies for any party that touches LinkedIn-sourced data.
Active sub-processors
| Company | Role | Data accessed | Location | International-transfer basis |
|---|---|---|---|---|
| Anthropic | LLM provider — runs Claude models that produce drafts | Drafting prompts (your CV materials + the JD) at request time. Not stored beyond the request unless explicitly traced for debugging (LangFuse, on our own infrastructure). | EU region where available; US fallback otherwise. Training on this data is contractually prohibited. | EU SCCs (Standard Contractual Clauses, Module 2 Controller-to-Processor) for any US-region traffic |
| Stripe | Payment processor — handles subscriptions and invoices | Email, name, payment method, billing address, subscription status. Never sees your CV/letter/application data. Never sees LinkedIn-imported data. | Ireland (EU) for EU customers | None required (intra-EU) |
| Cloudflare | DNS for redirect-only domains (omoikane.nl, .tech, .careers, .gr) | Public DNS metadata for the redirect domains only. The customer surface (omoikane.coach) bypasses Cloudflare’s proxy entirely. | Global; redirect-domain DNS only | Public DNS records — no personal data crosses; SCCs apply if/when proxy mode is enabled |
| gigahost.no AS | (1) Hosting provider for the application servers (notrf01dmz0{1,2}) — encrypted-at-rest application data. (2) Edge anycast VPS at the Norway (Trondheim) POP — sees in-flight customer traffic for the duration of a single TLS connection only; persists no data. | All application data at rest (encrypted at rest); in-transit customer traffic at the NO edge POP. No application-level access on the storage hosts. | Norway (EEA) | None required (Norway is in the EEA) |
| iFog GmbH | Edge anycast VPS at the Switzerland (Zürich) POP — runs HAProxy and terminates TLS before re-encrypting over IPsec to the EEA storage layer. Sees in-flight customer traffic for the duration of a single TLS connection only; persists no data. | In-transit customer traffic at the CH edge POP. No data at rest. | Switzerland | Switzerland adequacy decision (Commission Decision 2000/518/EC) — no SCCs required |
First-party infrastructure (not a sub-processor)
The third host in our YugabyteDB cluster (the Leiden quorum witness, nllei01dmz01) runs on operator-managed infrastructure in Leiden, the Netherlands. Because it is not a third party, it is not a sub-processor under GDPR Art. 28; we mention it here for transparency about where your data physically lives. It carries the same encryption-at-rest and IPsec-in-transit posture as the gigahost.no hosts.
Edge network and TLS termination
User traffic to omoikane.coach reaches a two-VPS anycast pool inside the EEA + Switzerland that runs HAProxy and terminates TLS at the edge before re-encrypting over IPsec to our EEA-only storage layer. No user data is persisted on the edge nodes — they hold session state for the duration of a single connection only. Locations: Switzerland (Zürich, iFog GmbH) and Norway (Trondheim, gigahost.no AS).
Because both edge VPS sites are in the EEA or in a jurisdiction covered by an adequacy decision (Switzerland: adequacy decision; Norway: intra-EEA), no Standard Contractual Clauses are required for the in-transit leg.
LinkedIn integration
When you opt into the LinkedIn data import, LinkedIn Ireland Unlimited Company is the source of the data, not a sub-processor of ours. Once data lands on our infrastructure, the sub-processors above are the only parties that see it.
LinkedIn’s role and obligations to you for the data they hold are governed by LinkedIn’s own privacy policy. Our obligations begin the moment the data enters our systems and are governed by our privacy policy together with:
- The LinkedIn API Terms of Use (linkedin.com/legal/l/api-terms-of-use)
- The LinkedIn DMA Portability API Additional Terms (linkedin.com/legal/l/portability-api-terms)
- The LinkedIn BD Data Processing Agreement (legal.linkedin.com/bd-dpa) incorporated by reference into the Portability Terms at §3.3
Removed / former sub-processors
None as of the Last updated date above.
Things we explicitly do NOT use
- No analytics platform (no Google Analytics, no Plausible, no Umami, no Matomo, no Fathom)
- No advertising platform
- No customer-data platform (no Segment, no Rudderstack)
- No email marketing platform (no Mailchimp, no Klaviyo, no Customer.io)
- No third-party error trackers (we run our own — Loki + Grafana on our own infrastructure)
- No “AI training partner” — your data is not licensed to anyone for any model-training purpose, ours or theirs
- No third-party identity provider for your account (Authentik, our own self-hosted IdP, is the only consumer of your authentication credentials)
Notification
If we add a sub-processor, you get an email at least 30 days before they go live, identifying who they are, what data they will see, where they are located, and what international-transfer basis covers them. If you object, you can export and delete your data during the notice window.
Contact
For sub-processor questions or DPA requests: privacy@omoikane.coach.