Subprocessors
Who has access to your data.
We do not hide our vendor list. Every third-party company that processes your data on our behalf is below — what it is used for, what data it touches, and a link to its privacy policy.
| Service | Used for | Data it touches | Privacy policy |
|---|---|---|---|
| Anthropic | Generates the written explanations of audit findings | Numeric account summaries and finding evidence, sent when an audit's findings are explained. No tokens, no PII, no ad creative. | Privacy policy → |
| Supabase | Authentication and Postgres database hosting | Email, name, and login/session events; all application data at rest, with Meta access tokens stored as encrypted fields. | Privacy policy → |
| Upstash | Redis caching | Short-lived cached audit and session data. No long-term storage. | Privacy policy → |
| Stripe | Billing — active when billing ships | Billing details, payment method, invoice records. | Privacy policy → |
| Sentry | Error monitoring | Error stack traces. Filtered for PII and tokens before send. | Privacy policy → |
| PostHog | Product analytics | Usage events — page views and actions such as audits run — with associated device and IP metadata. No ad data, no audit contents. | Privacy policy → |
| Resend | Transactional and digest email delivery | Your email address and the contents of the emails we send you — sign-in links, audit-ready notices, and 'what changed' digests. | Privacy policy → |
| Cloudflare | DNS, CDN, DDoS protection, and frontend hosting (Pages) | Request metadata and IP addresses for routing, hosting, and abuse protection. | Privacy policy → |
Anthropic
Privacy policy →- Used for
- Generates the written explanations of audit findings
- Data it touches
- Numeric account summaries and finding evidence, sent when an audit's findings are explained. No tokens, no PII, no ad creative.
Supabase
Privacy policy →- Used for
- Authentication and Postgres database hosting
- Data it touches
- Email, name, and login/session events; all application data at rest, with Meta access tokens stored as encrypted fields.
Upstash
Privacy policy →- Used for
- Redis caching
- Data it touches
- Short-lived cached audit and session data. No long-term storage.
Stripe
Privacy policy →- Used for
- Billing — active when billing ships
- Data it touches
- Billing details, payment method, invoice records.
Sentry
Privacy policy →- Used for
- Error monitoring
- Data it touches
- Error stack traces. Filtered for PII and tokens before send.
PostHog
Privacy policy →- Used for
- Product analytics
- Data it touches
- Usage events — page views and actions such as audits run — with associated device and IP metadata. No ad data, no audit contents.
Resend
Privacy policy →- Used for
- Transactional and digest email delivery
- Data it touches
- Your email address and the contents of the emails we send you — sign-in links, audit-ready notices, and 'what changed' digests.
Cloudflare
Privacy policy →- Used for
- DNS, CDN, DDoS protection, and frontend hosting (Pages)
- Data it touches
- Request metadata and IP addresses for routing, hosting, and abuse protection.
We notify customers by email at least 30 days before adding a new subprocessor. To get those notifications, reach out to nachiket@nachiketpai.com. For how we secure your data, see the security page.
We update this list when it changes. Last updated: May 22, 2026