About this list
This page lists the third-party sub-processors Fuzu Ltd engages to process personal data on its behalf in connection with the Service. It is the authoritative, current version of the list that appears as Annex III of the Fuzu Data Processing Addendum (DPA), and it is read together with the Fuzu Privacy Policy. The list was compiled from the Fuzu codebase in May 2026.
Self-hosted infrastructure components running inside Fuzu's own cluster (including PostgreSQL, Redis, Elasticsearch, Sidekiq, the Flipper feature-flag store, and the Ahoy first-party server-side analytics layer) are not listed separately as Sub-processors — they run on the cloud-hosting Sub-processor listed in row 1 of the table and are governed by that relationship. Social-login providers (Google, Facebook, and LinkedIn OAuth for the Fuzu brand, and Microsoft Azure AD B2C for the Barona white-label brand) are not Sub-processors of Fuzu — they act as independent controllers or identity providers under their own terms when a User chooses to use them.
Current sub-processors
| Sub-processor | Service provided | Processing location | Transfer mechanism |
|---|---|---|---|
Amazon Web Services (AWS), orchestrated via Porter | Infrastructure hosting, database, file/object storage (Amazon S3) of all platform and personal data | EU — eu-west-1 (Ireland) | Processing within the EEA; EU Standard Contractual Clauses with supplementary measures for any out-of-region support access |
SparkPost (Bird) | SMTP delivery of transactional and notification emails on Fuzu's behalf | United States (default endpoint); EEA endpoint available | EU Standard Contractual Clauses; EU–US Data Privacy Framework where the provider is certified |
Customer.io | Lifecycle and marketing email automation; synchronisation of user profile attributes and behavioural events | United States (Fuzu brand) | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
Africa's Talking | Sending SMS notifications and authentication and verification codes | Kenya and other African markets | EU Standard Contractual Clauses or local-law equivalent (including Kenya Data Protection Act 2019) |
3G DirectPay (DPO Group) | Processing payments for paid features, including card payments, bank transfer, and mobile money services (M-PESA, MTN, Tigo) | East Africa | EU Standard Contractual Clauses or local-law equivalent |
PostHog | Aggregated product analytics for Service improvement (consent-gated; enabled per brand) | EU — Frankfurt | Processing within the EEA; EU Standard Contractual Clauses for any out-of-region support access |
Google (Google Analytics, Tag Manager, Google Ads) | Web analytics, tag management, and advertising and conversion measurement (consent-gated) | United States | EU Standard Contractual Clauses; EU–US Data Privacy Framework |
Rollbar | Application error monitoring and diagnostics (error context may include user identifier and email) | United States | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
New Relic | Application performance monitoring (APM) and diagnostics | EU data centre | Processing within the EEA; EU Standard Contractual Clauses for any out-of-region support access |
Intercom | Customer support messaging and helpdesk (employer and recruiter areas of the Service; consent-gated) | United States | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
Textkernel B.V. | CV, resume, and vacancy parsing — extraction of structured personal data from uploaded CVs | Netherlands (EEA) | Processing within the EEA; no transfer mechanism required |
Anthropic (Claude API) | Large language model analysis of candidate profiles and job data for recommendation-quality analysis and campaign-assistance features. Anthropic's commercial terms exclude prompt and response data from model training by default. | United States | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
Jina AI | Text-embedding generation for the campaign-assistance feature (semantic search over job and campaign text) | Global | EU Standard Contractual Clauses where processed outside the EEA |
Scaleway (S.A.S) | Text-embedding generation (Qwen3-Embedding-8B open-weights model) via the Generative APIs service, supporting semantic search and retrieval-augmented generation (RAG) features across the Service | France | Processing within the EEA; no transfer mechanism required. French processor under French law; no non-EEA parent or CLOUD Act exposure |
Cloudinary | Image hosting, transformation, and delivery (profile photos and other images) | United States and global CDN | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
Cloudflare | Content delivery network, edge caching, DDoS protection, and web application firewall for inbound traffic | Global edge network | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
Slack (Salesforce) | Internal operational notifications via webhook limited to lead generation flow (for example, meeting bookings containing employer name and contact details) | United States | EU Standard Contractual Clauses; Data Privacy Framework where applicable |
MGM Trade Limited | DevOps consultancy, cloud infrastructure maintenance and development | Bulgaria | Processing within the EEA; no transfer mechanism required |
Syndicode Inc | Software development, platform maintenance | United States | Team operates in EEA; no transfer mechanism required |
Trail Openers Oy | Software development, platform maintenance | Finland | Processing within the EEA; no transfer mechanism required |
Categories not currently engaged
Categories not currently engaged. For transparency, the following categories of service have been checked against the Fuzu codebase and no Sub-processor is currently engaged in any of them:
- Dedicated identity-verification or KYC providers (such as Onfido, Veriff, or Smile Identity). Identity-related processing for Fuzu Atlas engagements, where it occurs, is handled internally or against the relevant government registry (for example, the Nigeria National Commission for Persons with Disabilities (NCPWD) registry for disability-status validation). Where Fuzu engages a dedicated identity-verification Sub-processor in the future, the list above will be updated in accordance with Clause 9.2 of the DPA.
- Third-party push-notification vendors. Push notifications are delivered through the open Web Push standard using self-managed VAPID keys, not through a third-party push provider.
- Alternative payment providers (such as Stripe, Paystack, Flutterwave, or Pesapal). Payments are processed exclusively through 3G DirectPay.
- Alternative analytics and monitoring providers (such as Hotjar, Mixpanel, Segment, Amplitude, Sentry, or Datadog). Analytics, monitoring, and observability are limited to the Sub-processors listed above.
Changes and notifications
Fuzu gives business customers at least thirty (30) days' prior notice before adding or replacing a sub-processor, and customers may object on reasonable data-protection grounds, as set out in Clause 9.2 of the DPA. Questions about this list can be sent to privacy@fuzu.com.