Primary subprocessors
These vendors are required to deliver the core service. Customer Data is processed by them as part of normal operation.
| Vendor | Activity | Data category | Location |
|---|---|---|---|
| Supabase Inc. | Managed Postgres, authentication, object storage, edge functions | All Customer Data and account data | Standard region (region-flexible) · KSA-resident option on Pro tier and above |
| Vercel Inc. | Web application hosting (Next.js), edge serving, static assets | Account data, page-render telemetry; Customer Data passes through but is not persisted | Global edge with primary compute in Customer's selected region |
| Hetzner Online GmbH | Workflow orchestration host (n8n) for ingestion, extraction routing, notifications | Customer Data in flight during extraction; not persisted long-term | Standard region (Germany) · KSA-host option on Pro tier and above |
| Anthropic PBC | Large-language-model inference for document classification, field extraction, journal-entry proposal, AI Inbox, narrative generation | Document text and extracted fields submitted as model prompts; responses returned for processing | Provider US/EU regions per their API; Customer Data is not used for model training under our agreement |
| Mistral AI SAS | Optical character recognition (OCR) and layout extraction on uploaded PDFs | Page-image submissions; OCR text returned for downstream processing | France (EU) · Customer Data is not used for model training under our agreement |
| Resend, Inc. | Transactional email delivery (account, billing, trial-end notifications) | Recipient email address, subject and body of transactional emails | EU region |
Secondary subprocessors
These vendors support observability and product analytics. They do not host or persist Customer documents. Customers can opt out of product analytics for their entire workspace.
| Vendor | Activity | Data category | Location |
|---|---|---|---|
| Sentry GmbH (Functional Software, Inc.) | Error monitoring and performance traces for the application | Error stack traces, request URLs (with PII redaction at source), user ID hash | EU region (Frankfurt) |
| Better Stack (BetterStack Ltd.) | Application logs aggregation and alerting | Application log lines; Customer Data fields are scrubbed before shipping | EU region |
| PostHog Inc. | Product analytics — pseudonymised event-level usage data (opt-out per workspace) | Pseudonymised user ID, event name, timestamp, page path; no document content, no keystrokes | EU region (self-hosted equivalent available on request) |
| Cloudflare, Inc. | DNS, DDoS mitigation, edge caching for public marketing surfaces (only) | IP address, request headers; no Customer Data | Global edge |
Planned subprocessors (not yet enabled)
These vendors are not currently processing data. They are listed here so existing Customers have advance notice before they go live.
| Vendor | Activity | Data category | Location |
|---|---|---|---|
| Stripe Payments Europe Ltd. / Stripe Payments UAE LLC | Subscription billing, payment processing, tax (planned, post-Verith Holdings incorporation) | Billing contact, card last-four, VAT number, invoice metadata | Stripe regions per service; not yet enabled |
Notification of changes
We notify active Customers of subprocessor additions or replacements at least 30 days in advance, by email to the workspace's billing-contact address and by updating the "Last updated" date on this page. Customers with a Data Processing Addendum in place can object on reasonable grounds; if we cannot accommodate the objection, the Customer may terminate the subscription with respect to the affected service for a pro-rata refund of pre-paid fees.
To request the current Data Processing Addendum or our security questionnaire response pack, contact us via the contact page.