Subprocessors
Who else handles your data.
We do not hide our vendor list. Every company that processes your data on our behalf is below. We add a vendor only when we have a Data Processing Agreement in place.
Clerk
Legal & DPA →- Purpose
- User authentication and session management
- Data shared
- Email, name, login events
- Location
- United States
Stripe
Legal & DPA →- Purpose
- Payment processing
- Data shared
- Billing details, payment method, invoice records
- Location
- United States
Anthropic
Legal & DPA →- Purpose
- LLM for generating finding explanations
- Data shared
- Numeric account summaries and finding evidence. No PII, no tokens, no ad creative.
- Location
- United States
Resend
Legal & DPA →- Purpose
- Transactional and digest email
- Data shared
- Email address, email content sent on your behalf
- Location
- United States
Railway
Legal & DPA →- Purpose
- Backend hosting and managed Postgres
- Data shared
- All application data at rest and in transit
- Location
- United States
Vercel
Legal & DPA →- Purpose
- Frontend hosting
- Data shared
- Request logs. No application data persisted.
- Location
- United States
Sentry
Legal & DPA →- Purpose
- Error monitoring
- Data shared
- Error stack traces. Filtered for PII and tokens before send.
- Location
- United States
PostHog
Legal & DPA →- Purpose
- Product analytics
- Data shared
- Page views, feature usage events. No PII captured.
- Location
- United States
We notify customers by email at least 30 days before adding a new subprocessor. To get those notifications, reach out to [email protected].