Overview
Overview
To provide the Services, we rely on a small set of third-party vendors (sub-processors) that process personal data on our behalf. This page is the authoritative, current list. It is referenced by our Privacy Policy and our Data Processing Agreement.
We keep this list short on purpose. We do not share data with advertising networks, data brokers, or anyone not named here.
The full table of vendors, their purpose, and their operating region appears below.
How We Vet Sub-Processors
How We Vet Sub-Processors
Before we engage a vendor, we confirm it is necessary to operate a specific part of the Services and that it offers data-protection commitments at least as strong as our own.
Where a vendor holds relevant certifications (for example SOC 2 Type II for infrastructure providers, or PCI DSS Level 1 for our payments processor), we rely on those as part of our assessment.
Notification of Changes
Notification of Changes
When we intend to add or replace a sub-processor, we update this page. Customers under a Data Processing Agreement receive advance notice and may object on reasonable data-protection grounds.
[TODO: confirm the advance-notice window for sub-processor changes with the studio owner (keep it consistent with the figure stated in the DPA at /legal/dpa) before publishing.]
International Transfers
International Transfers
Our sub-processors operate in the USA. Where personal data of EEA or UK data subjects is transferred, the transfer relies on the EU Standard Contractual Clauses and, where applicable, the UK Addendum, as described in our Privacy Policy and DPA.
Contact
Contact
Questions about our sub-processors or requests for their data-protection terms: [email protected].
Current Sub-Processor List
| Provider | Category | Purpose | Region |
|---|---|---|---|
| Vercel | Infrastructure | Web hosting and edge delivery | USA |
| Neon | Infrastructure | Serverless Postgres database | USA |
| Stripe | Payments | Payment processing and subscription billing | USA |
| Plaid | Banking | Read-only bank connection for Quarter | USA |
| SimpleFIN | Banking | Read-only bank connection for Quarter (legacy path, being phased out) | USA |
| AWS SES | Transactional and notification email delivery | USA | |
| PostHog | Analytics | Product analytics (self-hosted option available) | USA |
| Inngest | Background jobs | Background job orchestration | USA |
| Cloudflare R2 | Storage | Object storage for generated documents (e.g. Quarter voucher PDFs) | USA |
Questions about this policy?
Email [email protected] and we will respond within 30 days. For security reports use [email protected].