Subprocessor List
Every third-party service that touches customer data: who, what for, where, and under what safeguard.
Version 1.0 · effective 18 July 2026
01Current subprocessors
We keep this list deliberately short and current. Changes are announced to account holders by email with an objection window before a new subprocessor handles customer data.
| Service | Purpose | Location & safeguard |
|---|---|---|
| Neon (Postgres) | Primary database for customer project data | United Kingdom (AWS London) |
| Cloudflare (R2, DNS, email routing) | File storage, encrypted backups, network | UK/EU jurisdiction controls; global network |
| Vercel | Application hosting for the product front end | US company; UK Addendum/SCCs; edge delivery |
| Hetzner | Platform infrastructure (Obedience Cloud servers) | Germany (EEA) |
| Clerk | Authentication and account management | US company; UK Addendum/SCCs |
| Anthropic | AI processing (assistive drafting) | US; commercial API terms, no training on customer data |
| OpenAI | AI processing (assistive drafting, embeddings) | US; commercial API terms, no training on customer data |
| PostHog (EU Cloud) | Consent-gated product analytics | EEA (Frankfurt) |
| Resend | Transactional email | US company; UK Addendum/SCCs |
02A note on Stripe
Stripe processes payments as an independent controller of payment data under its own terms, so it is listed here for completeness rather than as a plain subprocessor.