Legal

Sub-processors

Last updated 2026-06-03

The vetted infrastructure providers that process data on our behalf, each under a data processing agreement with Standard Contractual Clauses. This list forms Annex III of our DPA.

1. Notice of changes

We give at least 30 days' notice before adding or replacing a sub-processor that processes customer personal data, and customers may object on reasonable data-protection grounds. To receive these notices, email privacy@customsos.com to subscribe.

2. Active sub-processors

  • Supabase— managed PostgreSQL for all application records (account, project, document metadata, client records, run results). United States. Safeguard: SCCs.
  • Cloudflare R2— object storage for uploaded documents and thumbnails. United States / global edge. Safeguard: SCCs.
  • Google LLC (Gemini)— AI models for document extraction and validation, accessed via the Vercel AI Gateway and configured for no training or retention on customer content. United States. Safeguard: SCCs.
  • Vercel— web and app hosting, edge network, AI Gateway, and cookieless product analytics. United States. Safeguard: SCCs.
  • Inngest— durable background workflow execution for validation and related runs. United States. Safeguard: SCCs.
  • Resend— transactional email (verification, password reset, invitations, security notices). United States. Safeguard: SCCs.
  • Upstash (Redis)— cache and rate-limit storage. United States. Safeguard: SCCs.
  • Cloudflare Turnstile— bot and abuse protection on authentication flows. United States / global edge. Safeguard: SCCs.
  • Better Auth (managed infrastructure)— authentication and session management. United States. Safeguard: SCCs.
  • Google (OAuth)— “Sign in with Google” identity. United States. Safeguard: SCCs.

3. How this relates to our DPA

This list is incorporated as Annex III of our Data Processing Agreement. For how we handle personal data overall, see our Privacy Policy.