Sub-processors
Last updated: January 2025
This page lists the sub-processors that Marxel uses to process personal data on behalf of our customers. This list forms Annex 1 of our Data Processing Agreement.
We will provide at least 14 days' notice before engaging any new sub-processor. If you have questions or wish to object to a sub-processor, contact us at hello@marxel.co.
Authorised Sub-processors
The following sub-processors are authorised to process personal data on behalf of our customers:
| Sub-processor | Purpose | Location | Data Processed | Evidence |
|---|---|---|---|---|
| Vercel Inc. | Application hosting and delivery | United States / global infrastructure | Application traffic, logs, and customer data in transit | Vercel DPA |
| Railway Corporation | Database hosting where configured | United States / selected infrastructure region | Application database records and customer data at rest | Railway DPA |
| UploadThing | CV file upload and file storage | United States / global infrastructure | Uploaded files, filenames, file URLs, and file metadata | UploadThing Privacy |
| OpenAI, L.L.C. | AI-powered parsing, OCR fallback, evaluation, and embeddings | United States | Candidate data submitted to AI features | OpenAI DPA |
| Sentry | Error monitoring, performance monitoring, and session replay | United States / European Union | Error events, diagnostics, masked replay data, and operational metadata | Sentry DPA |
| Resend Inc. | Transactional email delivery | United States | Email addresses, names, and email content | Resend Privacy |
| Stripe Inc. | Payment processing and subscription management | United States / global infrastructure | Billing data and subscription metadata, not CV content | Stripe DPA |
| PostHog Inc. | Product analytics and masked session replay when enabled with consent | United States / European Union | Usage events, product analytics metadata, and masked replay data | PostHog DPA |
| Google LLC | Google OAuth authentication and website analytics when enabled | United States / global infrastructure | OAuth profile data, email addresses, IP addresses, and analytics events | Google API Services User Data Policy |
| Upstash, Inc. | Redis-backed caching and rate limiting when configured | United States / selected infrastructure region | Cache keys, cached AI outputs, and rate-limit metadata | Upstash Trust |
Transfer Safeguards
We rely on provider data processing terms, transfer mechanisms such as Standard Contractual Clauses where applicable, and supplementary safeguards appropriate to each service.
For transfers from the UK, we also rely on the UK International Data Transfer Agreement (IDTA) or UK Addendum to the EU SCCs where applicable.
Notification of Changes
We will update this page and provide at least 14 days' notice before engaging any new sub-processor.
If you wish to be notified of changes by email, please contact us at hello@marxel.co to subscribe to sub-processor updates.
Objection Process
If you have reasonable data protection grounds to object to a new sub-processor:
- Notify us within 14 days of receiving notice of the change
- Explain your objection with reference to specific data protection concerns
- We will work with you to find a mutually acceptable solution
- If no resolution is reached, you may terminate the affected service with no penalty
Contact
For questions about our sub-processors or to request a copy of the safeguards in place:
Email: hello@marxel.co
See also our Data Processing Agreement, Privacy Notice, and Terms of Service or contact us with any questions.