1. Purpose
This Subprocessor Policy describes TheSHFTApp LLC's ("TheSHFTApp") use of third-party Subprocessors to process Personal Information in connection with the delivery of Services. This Policy fulfills TheSHFTApp's transparency obligations under applicable data protection laws, including GDPR, UK GDPR, and CCPA.
2. Definition
A "Subprocessor" is a third-party entity engaged by TheSHFTApp that processes Personal Information on behalf of TheSHFTApp in order to provide the Services. This Policy does not cover third parties that process data as independent data controllers (e.g., payment processors operating under their own terms with users) or third-party tools used for purely internal purposes that do not process user Personal Information.
3. Current Subprocessors
The following table identifies the Subprocessors TheSHFTApp currently engages to process Personal Information in connection with the Services. Business Customers and users will be notified of material changes as described below.
| Subprocessor | Entity | Category | Purpose | Personal Data Processed | Data Location |
|---|---|---|---|---|---|
| Vercel | Vercel Inc. | Cloud Hosting & Infrastructure | Platform hosting, server-side rendering, CDN delivery, serverless functions | IP address, request data, session data | United States |
| Supabase | Supabase Inc. | Database & Backend Services | Primary database storage, user authentication, real-time subscriptions, file storage, row-level security | Account data, profile data, resume data, AI inputs/outputs, application data, all User Data | United States |
| Google - Authentication | Google LLC | Identity & Authentication | Google OAuth sign-in, account identity verification | Name, email address, profile photo, Google account identifier | United States |
| Google - Analytics | Google LLC | Analytics | Platform usage analytics, session tracking, user behavior analysis | IP address (anonymized), device information, usage events, page views | United States (processed globally) |
| Google - Gemini AI | Google LLC | AI Model Provider | AI-powered career content generation, resume optimization, coaching, ATS analysis, and related AI features | AI inputs (prompts, resume text, job descriptions), AI outputs, conversation context | United States |
| OpenRouter | OpenRouter Inc. | AI Model Routing | Routing and proxying of AI model requests to multiple AI providers; enables access to various large language models for AI-powered features | AI inputs (prompts, resume text, user queries), AI outputs | United States |
| Square | Block Inc. (Square) | Payment Processing | Subscription billing, one-time payments, AI credit purchases, payment method management, transaction processing | Billing name, billing address, payment card data (tokenized), transaction records | United States |
Notes on AI Model Providers
TheSHFTApp uses OpenRouter as its primary AI routing layer, which may direct requests to one or more large language model providers depending on feature requirements and availability. Gemini (Google) is a primary AI model used through direct integration. The specific models in active use may evolve as the Platform develops. Personal data transmitted to AI model providers is limited to the minimum necessary to generate the requested AI Output and is subject to contractual data use restrictions.
Notes on Supabase
Supabase serves as the primary data store for the Platform and processes the broadest range of User Data. All data stored in Supabase is encrypted at rest and subject to row-level security controls.
Notes on Square
Square processes payment transactions as an independent data controller for purposes of payment fraud prevention and regulatory compliance, in addition to its role as a Subprocessor for TheSHFTApp's billing operations. Full payment card numbers are handled exclusively by Square and are not transmitted to or stored by TheSHFTApp.
4. Subprocessor Obligations
TheSHFTApp contractually requires each Subprocessor to:
- Process Personal Information only for authorized purposes;
- Implement appropriate technical and organizational security measures;
- Maintain confidentiality;
- Assist TheSHFTApp in fulfilling its data protection obligations;
- Notify TheSHFTApp of Security Incidents;
- Delete or return Personal Information upon termination; and
- Comply with applicable data protection laws.
5. Changes to Subprocessors
5.1 Notification. TheSHFTApp will provide at least thirty (30) days' advance notice before engaging a new Subprocessor or materially changing a Subprocessor's processing activities, via update to this Policy.
5.2 Notification Method. Updates are announced via the TheSHFTApp legal pages, email notification to Enterprise Customers, and/or in-app notifications as appropriate.
5.3 Objections. As described in the Data Processing Addendum, Enterprise Customers may object to new Subprocessors within fourteen (14) days of notice.
6. International Transfers
Where Subprocessors process Personal Information outside the EEA, UK, or Switzerland, TheSHFTApp ensures appropriate transfer mechanisms are in place, including Standard Contractual Clauses (SCCs) or equivalent safeguards.
7. Contact
Subprocessor inquiries: privacy@theshftapp.com
