Subprocessors (Public List)
Last updated on September 10, 2025
Contact: [email protected]
This page discloses third‑party service providers that process personal data on behalf of Documentation.AI to deliver, secure, and support our Services. We require each subprocessor to use personal data only to provide contracted services, implement appropriate security measures, and comply with applicable law.
Change management: We will update this page and, where required, provide prior notice (typically 30 days) before adding or replacing a subprocessor, except for emergency replacements (we will notify promptly thereafter). To raise an objection where permitted by contract, email [email protected] with "Subprocessor Objection" in the subject.
Current subprocessors
Vendor | Purpose | Categories of data | Data location(s) | Key safeguards |
|---|---|---|---|---|
Render.com | Application hosting & runtime | Account/workspace data processed by the app; logs; service metadata | Region as configured (e.g., USA/EU) | Encryption in transit; access controls; isolation |
Vercel, Inc. | Front‑end hosting, serverless/edge functions, CDN | IP addresses; request headers; logs; static/app content in transit (transient) | Global POPs and selected regions | TLS; isolation; access controls |
Supabase | Managed Postgres DB & object storage | Account profiles; workspace content; metadata; access tokens (as configured) | Region as configured (e.g., USA/EU) | Encryption at rest/in transit; role‑based access |
MeiliSearch | Application search indexing & query | Search indices built from workspace content (as configured); search queries; pseudonymous IDs | Region as configured (e.g., USA/EU) | Encryption at rest/in transit; access controls |
Cloudflare, Inc. | CDN, DDoS protection, edge caching | IP addresses; request headers; content in transit (transient) | Global POPs | TLS; DDoS mitigation |
Clerk.com | Authentication & identity management | Names; emails; auth factors; session/device metadata | USA/EU (per service configuration) | Access controls; encryption in transit |
Intercom | Customer support & in‑app messaging | Name; email; support messages; usage/ticket metadata | USA/EU | Access controls; encryption in transit |
Stripe, Inc. | Payment processing & invoicing | Billing name; email; payment method token; last 4 digits; transaction metadata | USA/EU | PCI DSS Level 1; tokenization (we do not store full card numbers) |
PostHog | Product analytics (events) | Event data (feature usage, clicks); pseudonymous IDs; coarse IP | USA/EU (cloud region as selected) | PII filters configurable; opt‑out controls |
Framer.com | Marketing website hosting/CMS | Site visitor telemetry; contact form submissions (if enabled) | USA/EU | Encryption in transit; access controls |
Trigger.dev | Background jobs & workflow orchestration | Job payload |
Notes
Marketing vs product: Framer processes website visitor/contact data; the rest primarily support the product.
Regionality: Where supported, we select regions to align with our hosting footprint; exact regions may change as we scale.
AI models: We use model providers as configured to fulfill user requests. By default, we do not permit model providers to train on customer content.