Legal · Subprocessors
Subprocessors.
Every external provider that touches customer data, and why they’re in our stack. All are contractually bound by equivalent data protection obligations.
Last reviewed 2026-04-18
We’ll email account holders 30 days before adding or changing a subprocessor, so you have time to object on reasonable grounds. See our DPA for the full process.
| Subprocessor | Purpose | Region | DPA |
|---|---|---|---|
| Supabase | Primary database + file storage | US | View DPA → |
| Vercel | Application hosting + CDN + serverless functions | US (global edge) | View DPA → |
| Cloudflare R2 | Object storage (lab PDFs, exports) | US + global | View DPA → |
| SendGrid (Twilio) | Transactional email delivery | US | View DPA → |
| Stripe | Payment processing (Pro + Full Service) | US + global | View DPA → |
| Anthropic | LLM inference for draft generation | US | View DPA → |
| Vercel AI Gateway | Unified LLM routing + observability | US (global edge) | View DPA → |
| Cloudflare Turnstile | Bot protection on signup + contact forms | Global | View DPA → |