HireSift processes candidate data exclusively within the EU — from upload through AI analysis to storage. No data flow to the US, no Schrems II uncertainty, no compromises on privacy.
Last updated: April 2026
Every step that touches candidate data — from first upload to final deletion.
CVs, extracted profiles, and matching results are stored on AWS servers in Frankfurt. Database and file storage operated via Supabase in region eu-central-1.
Default provider is Mistral AI — Europe’s leading AI champion, fully hosted in France. Optional Vertex AI in region europe-west4 (Belgium). Both on EU infrastructure, with no US detour.
The HireSift platform runs on Vercel Serverless Functions in region fra1 (Frankfurt). Every API request and database query happens exclusively in Germany.
We deliberately do not send candidate data to US cloud providers. Only two active LLM paths: Mistral AI (France) and Vertex AI (Belgium). Modern generative AI, entirely within Europe.
Neither Mistral AI nor Vertex AI retains transmitted data or uses it for model training — contractually guaranteed in each provider’s service terms.
Candidate data is subject exclusively to EU law (GDPR). HireSift is operated by a European company based in Vienna — no US jurisdiction, no CLOUD Act exposure, no DPF dependency for candidate data.
Transparency is not optional — it is the core of our offering. Here is every physical location.
The complete list of services we use to operate HireSift. Every provider is bound by Data Processing Agreements under Art. 28 GDPR.
| Provider | Purpose | Location | Transfer Basis |
|---|---|---|---|
| Supabase | Database & file storage (including CVs) | EU — Frankfurt (AWS eu-central-1) | GDPR-compliant, no third-country transfer |
| Vercel | Web application hosting & serverless functions | EU — Frankfurt (fra1) | GDPR-compliant, no third-country transfer |
| Mistral AI | Default AI for CV extraction (Document AI / OCR + annotations) | EU — Paris, France | GDPR-compliant, no third-country transfer, no model training on customer data |
| Vertex AI | Alternative AI models (Gemini, Claude) for scoring & re-extraction | EU — Belgium (europe-west4) | GDPR-compliant, no third-country transfer |
| Mailgun | Inbound parsing and outbound sending of application and transactional emails | EU — Ireland (api.eu.mailgun.net) | GDPR-compliant, no third-country transfer |
| Mixpanel | Product analytics for service improvement | EU — Frankfurt (eu.mixpanel.com) | GDPR-compliant, no third-country transfer |
| Stripe | Payment processing & subscription management | EU — Ireland (Stripe Technology Company Ltd.) | DPA with EU contracting party; internal cross-border flows under SCCs |
Candidate data (CVs, extracted profiles, match scores, application emails and their attachments) is processed and stored exclusively within the EU. Not a single provider in this data path sits outside the European Economic Area.
The most common questions from vendor audits, security reviews, and privacy assessments.
Everything in one place: legal documents for direct review and download, plus links to the public policies. Enterprise buyers additionally receive the security questionnaire and custom DPA variants on request.
All deployed providers with processing location and legal basis. Annex 2 to the DPA.
Security measures under GDPR Art. 32: encryption, access controls, backup, incident response. Annex 1 to the DPA.
Risk analysis for AI-driven CV screening under GDPR Art. 35 and the EU AI Act (high-risk system under Annex III 4a).
Standard DPA under GDPR Art. 28 for review. Individual signing on request: hello@hiresift.ai
DPA, TOMs, DPIA, subprocessor list and data-subject-rights process are available above for direct download. For individual questions, enterprise tailoring, or security questionnaires, just get in touch.