Sub-processors
Third-party service providers that process data on our behalf
Version 1.0 · Last updated: April 10, 2026
Legally binding version
The German version of this document is the legally authoritative text. Translations into other languages are provided for convenience only; in case of any conflict or discrepancy, the German version prevails.
In accordance with GDPR Article 28 and the Swiss Federal Data Protection Act (FADP), we disclose the sub-processors that CHW-Services engages to deliver the preparAItor service. Each sub-processor has been carefully selected and is bound by a data processing agreement that meets our security and compliance standards.
We will notify customers of material sub-processor changes (additions, replacements, or significant scope changes) at least 30 days before they take effect. Business customers with a Data Processing Addendum (DPA) can object to new sub-processors during the notice period by contacting admin@preparaitor.ch.
| Sub-processor | Purpose | Data Categories | Location |
|---|---|---|---|
| Google LLC (Firebase) | Authentication, database (Firestore), file storage, App Check | Account data, CV content, generated documents, usage data | europe-west6 (Zurich, Switzerland) |
| Google LLC (Vertex AI / Gemini) | AI document generation, content analysis, web grounding for company enrichment, interview practice. Google does not use customer data to train its models. | CV content, job postings, company data | europe-west3 (Frankfurt, Germany) |
| Google LLC (Cloud KMS) | Encryption key management for field-level encryption of sensitive data | Encryption keys only (no personal data) | europe-west6 (Zurich, Switzerland) |
| Google LLC (Cloud Run) | Document PDF/DOCX generation and heavy processing | Document content during generation | europe-west6 (Zurich, Switzerland) |
| Google LLC (reCAPTCHA Enterprise) | Bot detection and fraud prevention via Firebase App Check on every API request | IP address, device fingerprint, interaction signals | Global infrastructure — transfer safeguards: Google Cloud DPA with SCCs |
| Stripe, Inc. | Payment processing, subscription management, customer portal, webhook handling | Payment details, billing address, customer ID, transaction metadata | European data centers (primary), with fallback to the United States |
| Brevo SAS (formerly Sendinblue) | Transactional email delivery (account confirmation, password reset, billing notifications, document ready notifications) | Email address, display name, email content | European Union (France) |
| Microsoft Corporation | OneDrive cloud file synchronization (optional, only when user explicitly connects their OneDrive account) | Generated documents, OAuth tokens (encrypted) | European data centers (primary) |
| Google LLC (Google Drive) | Google Drive cloud file synchronization (optional, only when user explicitly connects their Google account) | Generated documents, OAuth tokens (encrypted) | User's Google Drive region — transfer safeguards: Google Cloud DPA with SCCs |
Transfer Safeguards
- Standard Contractual Clauses (SCCs) executed with all sub-processors where applicable
- Data Processing Agreements (DPAs) in place with every sub-processor
- Encryption in transit (HTTPS/TLS) and at rest
- Field-level encryption via Google Cloud KMS for sensitive personal data
- Data localization to European data centers where technically feasible
- Regular security and compliance audits
- Transfer Impact Assessment (TIA) conducted for all cross-border data flows per Schrems II requirements
- Compliance with Swiss FADP and EU GDPR
For questions about our sub-processors, to request a DPA, or to object to sub-processor changes, contact us at admin@preparaitor.ch.