Subprocessors

Last updated 2026-05-04

We use the following third parties to process customer data on our behalf. Each one is bound by contractual data-processing terms that are at least as protective as the commitments we make to you in our Privacy Policy. If we add, remove, or change a subprocessor, we update this page and notify customers under active contracts.

SubprocessorPurposeData they touchRegion
HetznerPrimary infrastructure hosting (compute, storage, networking)All workspace data, conversations, files, agent state, audit logsUS (Ashburn, Virginia) by default. EU regions available on Enterprise contracts.
Microsoft AzureCloud infrastructure services and Azure OpenAI Service inferencePrompts and outputs sent to OpenAI models hosted on Azure when an agent uses them. Azure does not train on customer prompts or outputs per its terms.US
OpenAIFoundation model inferencePrompts and outputs sent to GPT models when an agent uses them. OpenAI does not train on API data per its policies.US
AnthropicFoundation model inferencePrompts and outputs sent to Claude models when an agent uses them. Anthropic does not train on API data per its policies.US
Google (Vertex AI)Foundation model inferencePrompts and outputs sent to Gemini models when an agent uses them. Google does not train on Vertex AI customer data per its terms.US (global routing for Gemini 3)
Auth0 (by Okta)Authentication and identityEmail, name, hashed credentials, login metadataUS
StripePayment processing and subscription billingBilling email, payment method, transaction records. We do not store full card numbers.US, with global processing footprint
ResendTransactional email deliveryRecipient email and message contents for system emails (signup confirmations, billing receipts, contact-form replies, security alerts).US
CloudflareCDN, DDoS protection, DNSPublic-traffic metadata. No application data persisted.Global edge network

Notification of changes

Customers under active contracts will be notified by email at least thirty days before a new subprocessor begins processing personal data, unless an emergency change is needed for security or availability. You may object to a new subprocessor by writing to [email protected] within thirty days, in which case we will work with you in good faith to find a workable solution.

Cross-border transfers

Data processed outside the customer's home jurisdiction relies on standard contractual safeguards (EU Standard Contractual Clauses, UK IDTA addendum, or successor frameworks). EU-resident customers on Enterprise contracts can request EU-region processing.

Questions

For data-processing questions or to request a copy of our DPA, email [email protected].