Data Processing Details
Sub-processors, retention periods, cross-border transfers, and legal bases. Last reviewed: 2026-05-05. For the high-level user-facing policy, see /privacy.
Sub-processors
InTransparency engages the following sub-processors to deliver the service. We commit to informing users of any changes to this list with 30 days' notice via product update or email.
| Provider | Role | Location | Data types | Safeguards | DPA |
|---|---|---|---|---|---|
| Vercel Inc. | Application hosting + CDN + Web Analytics | EU (Frankfurt) + US (failover) | Request metadata, IP addresses, page views | EU-US DPF + SCC | view |
| Neon Inc. | Managed Postgres database (primary data store) | EU (Frankfurt) | All user-submitted data | EU region only · AES-256 at rest · TLS in transit | view |
| Cloudflare, Inc. | R2 object storage (uploaded files), Turnstile (bot protection) | EU + global edge | Uploaded documents, project files, R2 access logs | EU-US DPF + SCC | view |
| Anthropic, PBC | Claude API (AI matching, parsing, project analysis) | US | Project descriptions, search queries, profile text passed for AI processing | SCC · Zero data retention contractual flag · No use for model training | view |
| Resend Inc. | Transactional email (verification, notifications, magic links) | US | Email address, message content of system emails | EU-US DPF + SCC | view |
| Stripe Inc. | Payment processing for Premium subscriptions | US (with EU representative) | Email, billing address, payment method (tokenized) | PCI-DSS Level 1 · EU-US DPF + SCC · Stripe is an independent controller for fraud prevention | view |
Cross-border data transfers
Personal data is primarily stored in the European Union (Neon Frankfurt region). Where a sub-processor is established outside the EEA — currently Anthropic, Resend, Stripe, and Cloudflare for parts of its infrastructure — transfers rely on:
- EU-US Data Privacy Framework certification, where the provider is certified.
- Standard Contractual Clauses (SCC) Module 2 (controller → processor), as fallback and complement.
- Supplementary measures: encryption in transit and at rest, contractual prohibitions on government access requests without prior notice (where legally permitted), data minimization before transfer.
For Anthropic specifically, project content sent for AI processing is governed by zero-data-retention terms — content is not stored on their side and is not used to train their models.
Retention periods
| Data category | Retention | Legal basis |
|---|---|---|
| Active account profile + projects | For the lifetime of the account | Contract performance (Art. 6.1.b GDPR) |
| Account after deletion request | Erased within 30 days | Right to erasure (Art. 17 GDPR) |
| AuditLog (compliance + AI traceability) | 7 years from event | Legal obligation (Art. 5.2 + AI Act Art. 12) |
| Behavior analytics (page views, clicks, scroll depth) | 90 days then aggregated · only with analytics consent | Consent (Art. 6.1.a GDPR) |
| Profile views (recruiter activity log shown to students) | 180 days | Legitimate interest (transparency to data subject) |
| Email logs (Resend bounce/delivery) | 30 days | Legitimate interest (deliverability monitoring) |
| Stripe billing records | 10 years | Legal obligation (Italian fiscal law DPR 600/1973) |
| Backups (Neon point-in-time recovery) | 7 days | Legitimate interest (disaster recovery) |
| Authentication tokens (NextAuth JWT) | 30 days from last activity, then revoked | Contract performance |
Legal bases per processing activity
| Purpose | Legal basis | Detail |
|---|---|---|
| Account creation and platform use | Art. 6.1.b — Contract performance | Required to provide the service. |
| AI matching between students and opportunities | Art. 6.1.b — Contract performance | Core platform function. Students can opt out via "indexInSearchEngines" + "profilePublic" controls. Each match is logged in MatchExplanation for AI Act Art. 22 transparency. |
| Marketing emails (newsletter, product updates) | Art. 6.1.a — Consent | Opt-in only. Withdrawal via account settings or unsubscribe link. |
| Behavior analytics (page views, clicks, heatmaps) | Art. 6.1.a — Consent | Cookie banner gates everything. No tracking happens without analytics consent. |
| Audit log and security monitoring | Art. 6.1.c + Art. 6.1.f — Legal obligation + legitimate interest | GDPR Art. 5.2 accountability, AI Act Art. 12 traceability, fraud prevention. |
| Bot protection (Cloudflare Turnstile) | Art. 6.1.f — Legitimate interest | Necessary to protect the platform from automated abuse. Turnstile is privacy-preserving by design and does not set tracking cookies. |
| Tax and accounting records | Art. 6.1.c — Legal obligation | Italian fiscal law requires retention of billing records for 10 years. |
Automated decision-making (AI Act Art. 22 GDPR)
Our matching engine ranks candidates against open positions. While the platform surfaces matches, every decision to contact a candidate is taken by a human recruiter — there is no fully automated decision-making with legal or similarly significant effects on data subjects. Each match is accompanied by a structured explanation (visible to the student via the student dashboard) and persisted in the AuditLog for 7 years.
Public-facing details on the matching algorithm are available in our algorithm registry.
Security measures
- AES-256 encryption at rest (Neon, AWS-KMS managed keys)
- TLS 1.2+ for all in-transit traffic
- Application-level protection for sensitive secrets: AES-256-GCM encryption for TOTP secrets, bcrypt for MFA backup codes
- Bcrypt cost-10 password hashing
- Two-factor authentication (TOTP) available for all accounts
- Role-based access control + per-request audit logging
- Rate limiting on authentication, AI, and public endpoints
- HSTS, CSP, X-Frame-Options DENY, SameSite cookies
- Cloudflare Turnstile bot protection on registration and login
Data subject rights & how to exercise them
- Access (Art. 15): download your data via /dashboard/student/privacy → Export.
- Rectification (Art. 16): edit your profile in the dashboard at any time.
- Erasure (Art. 17): account deletion via settings → Delete account. Erasure executed within 30 days; backups purged within 7 days thereafter.
- Portability (Art. 20): same export endpoint returns machine-readable JSON.
- Objection (Art. 21): opt out of marketing emails in settings; revoke analytics consent via the cookie banner (re-open it from the footer).
- Complaint to supervisory authority: Garante per la protezione dei dati personali — garanteprivacy.it.
Contact
Privacy enquiries: info@in-transparency.com. We respond within 30 days as required by GDPR.
This document is informational and forms part of our overall privacy framework, together with the high-level Privacy Policy and the Terms of Service. If you are signing a Data Processing Agreement (DPA), please request the latest version at the contact above.