Legal · Sub-processors
Sub-processors
Last updated:
A sub-processor is a third party we use to help deliver DoraPilot. When you put data into the service, some of that data flows through the companies listed below. This page is the single source of truth — if it's not on this list, we're not using it.
What "sub-processor" means
Under GDPR Article 28 and DORA Article 30, we are the processor of your data and you are the controller. Any third party that processes your data on our behalf is a sub-processor. We are required to keep an up-to-date list of them, notify you of changes, and pass through equivalent data-protection obligations.
Current and planned sub-processors
We mark each entry as Current (in production today) or Planned (announced before paid signups open). Anything not on this list does not have access to your data.
| Provider | Status | Function | Data | Location | Certifications | DPA |
|---|---|---|---|---|---|---|
| Vercel Inc. | Current | Hosting of the marketing site and Next.js application edge runtime. | Visitor request metadata (IP, user agent), no DORA assessment content stored. | EU — Frankfurt (fra1) region; failover to Dublin (dub1). | SOC 2 Type II, ISO 27001, ISO 27018. | Link |
| Supabase Inc. | Planned | Primary database, authentication and storage for the DoraPilot application. | Account data, assessment content, vendor records, audit trail. | EU — Frankfurt region (eu-central-1). | SOC 2 Type II, HIPAA-ready. | Link |
| Anthropic Ireland Ltd. | Planned | Large language model (Claude) for drafting questionnaire responses and policy text. | Prompt content sent for inference (assessment questions and existing evidence summaries). No persistent storage at Anthropic. | EU endpoints — content processed within the EU. Zero-retention enterprise configuration. | SOC 2 Type II. | Link |
| Resend Inc. | Planned | Transactional email delivery (sign-in links, notifications, waitlist confirmations). | Recipient email address, email content metadata. | EU region. | SOC 2 Type II. | Link |
| Plausible Insights OÜ | Planned | Privacy-friendly product analytics — page views, conversion events. No cookies, no personal identifiers. | Aggregated event metadata only. | EU — Germany. | GDPR-aligned by design (no personal data collected). | Link |
| Sentry / Functional Software, Inc. | Planned | Application error monitoring and performance tracing. | Error stack traces, request metadata. Personal data scrubbed before transmission. | EU region (Frankfurt). | SOC 2 Type II, ISO 27001. | Link |
How we choose sub-processors
- EU-resident processing by default. Each provider must offer an EU region for the data we send them. Where the provider is headquartered outside the EU, we use their EU entity (e.g. Anthropic Ireland Ltd.) and configure EU endpoints.
- SOC 2 Type II or ISO 27001 as a minimum. We do not contract sub-processors that cannot produce a current independent assurance report.
- Written DPA before integration. A signed Article 28 data processing agreement is in place before any production data flows.
- Substitutability assessed.For every sub-processor we maintain a documented view of what it would take to replace them, in line with DORA Article 28's substitutability requirement.
How we notify you of changes
When we add, remove or replace a sub-processor that processes customer data, we:
- Update this page at least 30 days before the change takes effect.
- Email the change to the technical contact on each account (Pro and Partner plans) or post it in our changelog (Free and Starter plans).
- Provide an objection window: if you reasonably object on data-protection grounds, you can terminate the affected service with a pro-rata refund of unused fees.
Subscribe to changes by emailing paulo@myneatflow.com with the subject "Subprocessor updates".
How we handle international transfers
We do not transfer customer data outside the European Economic Area as part of the standard service. Where a sub-processor is headquartered outside the EEA (the US, in practice), we contract with the provider's EU entity and process data in EU regions. We rely on the EU–US Data Privacy Framework and Standard Contractual Clauses as fallback safeguards.
Contact
For questions about this list, change-notification settings, or any sub-processor-related concern: paulo@myneatflow.com. For data-subject requests, see our Privacy notice.