Sub-Processors
Third-party service providers that process your data when you use our platform.
Posted: May 9, 2025
A sub-processor is a third-party data processor engaged by Provider, including entities from within Provider, who has access to or processes customer content containing personal information. Provider uses sub-processors to assist it in providing the software services as described in the Terms of Service (the "Agreements"). Defined terms used herein shall have the same meaning as defined in the respective Agreement.
Due Diligence
Provider evaluates the security, privacy and confidentiality practices of proposed sub-processors that will or may have access to or otherwise process customer content and enters into Data Protection Agreements with each such sub-processor. Provider provides notice of new sub-processors via this advisory, with updates to the list of sub-processors that are utilized. Provider undertakes to keep this list updated regularly.
Contractual Safeguards
This advisory does not give customers any additional rights or remedies and should not be construed as a binding agreement. The information herein is only provided to illustrate Provider's engagement process for sub-processors as well as to provide the actual list of third-party sub-processors used by Provider as of the date of this advisory (which Provider may use in the delivery and support of its software services).
Current Sub-Processors
The following is a list of our current sub-processors, including their names, locations, and the services they provide:
| # | Sub-Processor | Service / Purpose | Typical personal-data elements | Processing location |
|---|---|---|---|---|
| 1 | Supabase Inc. | Postgres database, user authentication, object storage | Names, email addresses, hashed passwords, profile data, uploaded files | USA |
| 2 | Stripe, Inc. | Payment processing, invoicing, subscription management | Name, email, billing address, card details (tokenised), transaction history | USA |
| 3 | Vercel Inc. | Hosting (Next.js), serverless functions, CDN, logging | All traffic metadata, IPs, request bodies, error logs | USA |
| 4 | Amazon Web Services, Inc. (AWS KMS) | Envelope-key encryption / decryption | Encrypted secrets & API keys (indirect) | USA |
| 5 | Google LLC (Google Cloud Generative AI – "Gemini") | Large-language-model (LLM) inference | User prompts & generated content (may contain personal data) | USA |
| 6 | OpenAI OpCo, LLC | LLM inference (ChatGPT / GPT-4o API) | User prompts & generated content (may contain personal data) | USA |
| 7 | Upstash Inc. | Serverless Redis (rate-limiting cache) | IP addresses, request counters, timestamp metadata | USA |
| 8 | Slack Technologies, LLC (Salesforce group) | Optional message notifications / alerts | Any data the app posts to Slack (may include user name, email, prompt snippets) | USA |
Data Security and Processing Locations
All our sub-processors are required to maintain appropriate security measures to protect your data. They are contractually bound to process your data only in accordance with our instructions and applicable data protection laws.
While we primarily store and process data in the United States, some of our sub-processors may transfer data internationally. In such cases, we ensure that appropriate safeguards are in place to protect your data, such as Standard Contractual Clauses approved by the European Commission.
Compliance with Privacy Laws
Our agreements with sub-processors require them to comply with applicable privacy and data protection laws, including:
- General Data Protection Regulation (GDPR)
- California Consumer Privacy Act (CCPA)
- Other applicable U.S. state privacy laws
Contact Information
If you have any questions or concerns about our sub-processors or how we handle your data, please contact our Data Protection Officer at:
White Shoe AI
Email: privacy@white-shoe.ai