Sub-processors
Vendors that process AI-Guardian customer or account data on our behalf. Each is bound by a written Data Processing Agreement aligned with GDPR Art. 28.
Effective: May 15, 2026
Current sub-processors
We use a small, stable set of vendors. Any change to this list is published here at least 30 days before the new sub-processor starts processing personal data (see “Change notification” below).
| Vendor | Purpose | Data scope | Region | DPA |
|---|---|---|---|---|
| Supabase (Supabase, Inc.) | Authentication, Postgres database, edge functions. | Account data (email, hashed password), anonymised detection metadata (category / severity / platform), audit log rows. | EU (Frankfurt) for EU tenants. | DPA → |
| Vercel (Vercel Inc.) | Web hosting and CDN. | Request metadata (IP, user-agent) for static + server-rendered pages. No detection content. | Global edge; primary compute in `iad1`/`fra1`. | DPA → |
| Cloudflare (Cloudflare, Inc.) | DNS and edge security (DDoS, bot management). | Request metadata only; no application payloads. | Global edge. | DPA → |
| Resend (Resend, Inc.) | Transactional email (security notifications, invites). | Recipient email + message body for outbound transactional emails. Optional — environments without `RESEND_API_KEY` send no email at all. | US (configurable to EU on request). | DPA → |
Change notification
Material changes to this list (adding a new sub-processor, relocating an existing one to a new region, or replacing a vendor) are announced at least 30 days in advance:
- On this page, with the effective date bumped.
- On the changelog, under the “Legal & sub-processors” heading.
- By email to the named privacy contact on every active Enterprise account.
Enterprise customers may object to a new sub-processor by replying to that email within the 30-day window; in that case we’ll work with you on a mitigation or, if neither party can find a workable path, terminate the affected service for a pro-rated refund.
Related
- Privacy Policy — full disclosure of personal-data handling.
- Data Processing Agreement — the processor obligations these vendors are bound to under GDPR Art. 28.
- Trust Center — security posture, compliance index, and the change log of policy updates.
Contact
Privacy / DPO: legal@guardianai.app.