Subprocessors
Last updated 2026-05-04
We use the following third parties to process customer data on our behalf. Each one is bound by contractual data-processing terms that are at least as protective as the commitments we make to you in our Privacy Policy. If we add, remove, or change a subprocessor, we update this page and notify customers under active contracts.
| Subprocessor | Purpose | Data they touch | Region |
|---|---|---|---|
| Hetzner | Primary infrastructure hosting (compute, storage, networking) | All workspace data, conversations, files, agent state, audit logs | US (Ashburn, Virginia) by default. EU regions available on Enterprise contracts. |
| Microsoft Azure | Cloud infrastructure services and Azure OpenAI Service inference | Prompts and outputs sent to OpenAI models hosted on Azure when an agent uses them. Azure does not train on customer prompts or outputs per its terms. | US |
| OpenAI | Foundation model inference | Prompts and outputs sent to GPT models when an agent uses them. OpenAI does not train on API data per its policies. | US |
| Anthropic | Foundation model inference | Prompts and outputs sent to Claude models when an agent uses them. Anthropic does not train on API data per its policies. | US |
| Google (Vertex AI) | Foundation model inference | Prompts and outputs sent to Gemini models when an agent uses them. Google does not train on Vertex AI customer data per its terms. | US (global routing for Gemini 3) |
| Auth0 (by Okta) | Authentication and identity | Email, name, hashed credentials, login metadata | US |
| Stripe | Payment processing and subscription billing | Billing email, payment method, transaction records. We do not store full card numbers. | US, with global processing footprint |
| Resend | Transactional email delivery | Recipient email and message contents for system emails (signup confirmations, billing receipts, contact-form replies, security alerts). | US |
| Cloudflare | CDN, DDoS protection, DNS | Public-traffic metadata. No application data persisted. | Global edge network |
Notification of changes
Customers under active contracts will be notified by email at least thirty days before a new subprocessor begins processing personal data, unless an emergency change is needed for security or availability. You may object to a new subprocessor by writing to [email protected] within thirty days, in which case we will work with you in good faith to find a workable solution.
Cross-border transfers
Data processed outside the customer's home jurisdiction relies on standard contractual safeguards (EU Standard Contractual Clauses, UK IDTA addendum, or successor frameworks). EU-resident customers on Enterprise contracts can request EU-region processing.
Questions
For data-processing questions or to request a copy of our DPA, email [email protected].
