This page lists the third-party sub-processors that Verilo, LLC engages to provide the Verilo platform. Each sub-processor is bound by data protection obligations consistent with our Data Processing Agreement.
Current Sub-Processors
| Sub-Processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) aws.amazon.com | File storage (S3) | Interview audio recordings, anonymized audio copies | US (us-east-1) |
| Supabase supabase.com | Database hosting (PostgreSQL) | Submission metadata, assessment reports, organization settings, user preferences | US |
| Clerk clerk.com | Authentication & user management | User names, email addresses, organization membership | US |
| OpenAI openai.com | Report summary generation (GPT-4o-mini) | Anonymized transcript segments only (no PII) | US |
| Vercel vercel.com | Application hosting & CDN | Request metadata, server logs (no interview content in logs) | US (Global CDN) |
| Resend resend.com | Transactional email | Email addresses, notification content (no interview data) | US |
Data Handling Notes
OpenAI (GPT-4o-mini)
Verilo uses OpenAI's GPT-4o-mini model exclusively for generating narrative summaries from anonymized transcript data. No raw audio recordings, candidate names, or other personally identifiable information are sent to OpenAI. All transcripts are processed through our PII anonymization pipeline before any data reaches OpenAI's systems. Under OpenAI's Data Processing Agreement, customer data submitted via the API is not used for model training.
AWS S3
All interview audio is stored exclusively in AWS S3. No audio data is transmitted to any other sub-processor. Access to audio files is controlled via time-limited presigned URLs that expire after one hour. Original audio files are automatically deleted 14 days after upload. Anonymized audio copies are stored in a separate, fully isolated bucket with no metadata linking back to any organization or candidate.
Supabase
All application data is stored in Supabase-hosted PostgreSQL. Data is isolated by organization (multi-tenant architecture with org_id scoping). Supabase provides encryption at rest and in transit.
Change Notification Process
When we add or replace a sub-processor, we will:
- Update this page with the new sub-processor details at least 30 days before the change takes effect.
- Notify affected clients via email or dashboard notification.
- Provide a 30-day objection period during which clients may raise concerns about the new sub-processor.
- If a client objects and the parties cannot resolve the concern, the client may terminate the service agreement in accordance with the Terms of Service.
To subscribe to sub-processor change notifications, contact us at privacy@verilo.co.
For questions about our sub-processors or data processing practices, see our Data Processing Agreement or contact privacy@verilo.co.