Vendor transparency

Subprocessors

Vendors involved in hosting, billing, authentication, storage, scanning infrastructure, monitoring, support, and AI-provider workflows.

Last updated: 2026-04-27

Vendor categories

Subprocessors include cloud hosting and object storage, database/authentication infrastructure, payment processing, email delivery, monitoring/error tracking, analytics if enabled, support tools if enabled, and LLM or AI infrastructure providers when customer-enabled scans require them.

Before paid launch, the vendor list must name each production vendor, service, purpose, data category, processing region where available, default or optional use, transfer mechanism where applicable, date added, and update notice process.

Vendor registry fields

The production registry should include US-region VPS hosting for the web application, AWS for worker infrastructure and object storage in US regions including us-east-1 where applicable, Supabase for US-region database/authentication, Stripe for billing when paid checkout is enabled, the transactional email provider, monitoring/error tracking providers, AI/LLM providers used for semantic judging or customer-enabled AI workflows, analytics providers if enabled, and support tools if enabled.

Do not list a vendor as a subprocessor unless it processes customer account data, target configuration, scan data, evidence, support data, billing metadata, operational logs, or other customer data for the hosted service.

Current regional posture

The current hosted service posture is United States regional hosting for VPS, Supabase, and AWS infrastructure. The AWS worker region is planned as us-east-1 where applicable.

This page should be updated with exact vendor legal names, service names, and regions before paid checkout is enabled or before customer production data is accepted under a signed agreement.

AI provider use

AI/LLM providers are used only where configured or required for enabled AI judging, semantic evaluation, or customer-enabled AI workflows. Data sent to those providers should be bounded to the service purpose and minimized or redacted where supported.

Customer credentials should not be sent to AI/LLM providers. Raw evidence should not be sent unless a signed agreement or explicit customer configuration permits the workflow and the provider is listed for that use.

Current operating rule

Customer-facing vendor claims must stay aligned with the production deployment and signed vendor agreements.

Vendor additions that materially change customer data processing are logged before the vendor is used for production customer data.

Customer notice

Enterprise customers may receive notice of material subprocessor changes through the DPA, account email, or a published update page. Self-serve customers can review this page for current vendor categories and material changes.

Customers with strict vendor, region, or data-residency requirements need a signed agreement before sending sensitive production data.

Questions

For legal, privacy, security, or authorization questions, contact security@shakerscan.com.