Sub-processors
How to read this list
For each sub-processor we disclose: name, the service we use them for, the region where data is processed, the categories of data they receive, and a link to their own privacy policy. This list is the single source of truth — referenced from our Privacy Policy and DPA (when applicable, Phase 2).
Active sub-processors
| Sub-processor | Service | Region | Data types | Privacy policy |
|---|---|---|---|---|
| Supabase | Postgres database + Auth | EU (eu-west-1) | account_email, session_tokens, audit_data, usage_events | link → |
| Vercel | Hosting + Edge Network | EU central (fra1 Frankfurt) | ip_address, user_agent, request_logs | link → |
| Inngest | Workflow Runtime | US-east + EU | workflow_state, event_payloads | link → |
| Resend | Transactional Email | US-east | account_email, email_content | link → |
| Anthropic | Claude API (audit + tracking) | US | prompt_text, response_text, site_content | link → |
| OpenAI | GPT-5 API (citation tracking) | US | prompt_text, response_text | link → |
| Google AI | Gemini API (citation tracking) | US + EU | prompt_text, response_text | link → |
| Perplexity | Sonar API (citation tracking) | US | prompt_text, response_text | link → |
| xAI | Grok API (citation tracking) | US | prompt_text, response_text | link → |
| Browserbase | Headless Chrome (site crawling) | US | target_urls, rendered_html | link → |
| PostHog | Product Analytics (consent-gated) | EU (eu.i.posthog.com) | anonymized_events | link → |
| Google Analytics 4 | Web Analytics (consent-gated, Consent Mode v2) | US (Google LLC; SCCs) | usage_events, client_id, ip_address | link → |
| Cloudflare Turnstile | Bot Mitigation | Global edge | ip_address, browser_fingerprint | link → |
Planned sub-processors
These will be added before paid-tier launch (Phase 1). Listed here in advance for transparency.
| Sub-processor | Service | Region | Data types | Privacy policy |
|---|---|---|---|---|
| Stripe | Payments + Billing (paid tiers) | Global (DPA available) | name, billing_email, payment_method | link → |
International transfers
Several sub-processors (LLM providers, payment processor) operate primarily in the US. When data crosses jurisdictions we rely on Standard Contractual Clauses (SCCs) approved by the European Commission. The DPA we offer paid customers (Phase 2) embeds these SCCs.
Notification of changes
We commit to notify customers at least 30 days in advance of:
- Adding a new sub-processor
- Changing the region of an existing sub-processor
- Materially expanding the data types a sub-processor receives
Notification methods: email to the account billing contact, in-app banner, and update to this page. The diff history of this list is available on request to dpo@findrix.ai.
Customer right to object
On Pro and Business tiers, customers have a contractual right to object to a new sub-processor within the 30-day notice window. If the objection cannot be resolved (e.g. the sub-processor is essential to the Service), the customer may terminate without penalty.
Contact
Sub-processor questions: dpo@findrix.ai
