Sub-processors
Third-party service providers that process data on our behalf
Version 1.1 · Last updated: April 26, 2026
Legally binding version
The German version of this document is the legally authoritative text. Translations into other languages are provided for convenience only; in case of any conflict or discrepancy, the German version prevails.
In accordance with GDPR Article 28 and the Swiss Federal Data Protection Act (FADP), we disclose the third-party providers that CHW-Services GmbH engages to deliver the preparAItor service. Each provider has been carefully selected and is bound by a data processing agreement that meets our security and compliance standards.
This list covers both processors (where we act as the controller for individual end users) and sub-processors (where we act as a processor for business customers under a Data Processing Addendum). The obligations under GDPR Article 28 and FADP Article 9 apply analogously in both arrangements.
We will notify customers of material changes to this list (additions, replacements, or significant scope changes) at least 30 days before they take effect. Business customers with a Data Processing Addendum (DPA) can object to new sub-processors during the notice period by contacting admin@preparaitor.ch.
| Sub-processor | Purpose | Data Categories | Location |
|---|---|---|---|
| Google LLC (Firebase) | Authentication, database (Firestore), file storage, App Check | Account data, CV content, generated documents, usage data | europe-west6 (Zurich, Switzerland) |
| Google LLC (Vertex AI / Gemini) | AI document generation, content analysis, web grounding for company enrichment, interview practice (including short-lived processing of audio input during voice interview sessions; voice recordings are not stored, only encrypted transcripts). Google does not use customer data to train its models. | CV content, job postings, company data, interview audio (transient) and transcripts | europe-west3 (Frankfurt, Germany) |
| Google LLC (Cloud KMS) | Encryption key management for field-level encryption of sensitive data | Encryption keys only (no personal data) | europe-west6 (Zurich, Switzerland) |
| Google LLC (Cloud Run) | Document PDF/DOCX generation and heavy processing | Document content during generation | europe-west6 (Zurich, Switzerland) |
| Google LLC (reCAPTCHA Enterprise) | Bot detection and fraud prevention via Firebase App Check on every API request | IP address, device fingerprint, interaction signals | Global infrastructure — transfer safeguards: Google Cloud DPA with SCCs |
| Stripe, Inc. | Payment processing, subscription management, customer portal, webhook handling | Payment details, billing address, customer ID, transaction metadata | European data centers (primary), with fallback to the United States |
| Brevo SAS (formerly Sendinblue) | Transactional email delivery (account confirmation, password reset, billing notifications, document ready notifications) | Email address, display name, email content | European Union (France) |
| Microsoft Corporation | OneDrive cloud file synchronization (optional, only when user explicitly connects their OneDrive account) | Generated documents, OAuth tokens (encrypted) | European data centers (primary) |
| Google LLC (Google Drive) | Google Drive cloud file synchronization (optional, only when user explicitly connects their Google account) | Generated documents, OAuth tokens (encrypted) | User's Google Drive region — transfer safeguards: Google Cloud DPA with SCCs |
Transfer Safeguards
- Standard Contractual Clauses (SCCs) executed with all providers where applicable
- Data Processing Agreements (DPAs) in place with every provider
- Encryption in transit (HTTPS/TLS) and at rest
- Field-level encryption via Google Cloud KMS for sensitive personal data
- Data localization to European data centers where technically feasible
- Regular security and compliance audits
- Transfer Impact Assessment (TIA) conducted for all cross-border data flows per Schrems II requirements
- No third-party analytics or telemetry services in use (no Google Analytics, no error-tracking SDKs, no marketing pixels)
- Compliance with Swiss FADP and EU GDPR
Changelog
- April 26, 2026 (Version 1.1): Clarified controller vs. processor role. Specified that voice interview audio is processed transiently by Vertex AI and not stored. Added explicit statement that no analytics or telemetry services are used.
- April 10, 2026 (Version 1.0): Initial publication.
For questions about our sub-processors, to request a DPA, or to object to sub-processor changes, contact us at admin@preparaitor.ch.