Sub-processors
Last updated: April 21, 2026
A sub-processor is a third party we engage to process Customer Content on our behalf. We are responsible under our Data Processing Agreement for ensuring that each sub-processor provides protection for Customer Content consistent with our DPA.
Change notifications. We will announce material changes to this list — new AI Providers, new regions, or new categories of sub-processor — at least 30 days before the change takes effect, to the email address of your account administrator. You can object to a new sub-processor within 30 days by emailing legal@docsflow.app; if we cannot reasonably accommodate your objection, your remedy is to terminate the Service for the affected data.
No training on Customer Content. Every AI Provider in this list is engaged under API terms that contractually prohibit training foundation or generative models on Customer Content.
Infrastructure
| Sub-processor | Purpose | Data processed | Region | DPA |
|---|---|---|---|---|
| Vercel, Inc. | Web application hosting, serverless compute, CDN. | Request metadata, session tokens, Customer Content in transit. | United States (global edge). | View |
| Supabase, Inc. | Managed PostgreSQL database, object storage, row-level security enforcement. | Account data, workspace metadata, encrypted Customer Content, audit logs. | United States (primary). EU region on Scale, Enterprise, and Custom plans. | View |
| Vercel Blob (Vercel, Inc.) | Encrypted document storage. | Uploaded files (encrypted at rest with AES-256 and an additional workspace-scoped key). | United States. | View |
Authentication
| Sub-processor | Purpose | Data processed | Region | DPA |
|---|---|---|---|---|
| Clerk, Inc. | User authentication, session management, and multi-factor authentication. | Email, name, authentication tokens, device metadata. | United States. | View |
AI Provider
| Sub-processor | Purpose | Data processed | Region | DPA |
|---|---|---|---|---|
| OpenAI, LLC | Language-model inference and embeddings (enterprise API with zero-retention and no-training terms). | Prompts, relevant document excerpts, embeddings. | United States. | View |
| Anthropic, PBC | Language-model inference (commercial API with no-training terms). | Prompts, relevant document excerpts. | United States. | View |
| Google LLC (Generative AI) | Language-model inference and embeddings (Vertex AI / Gemini API, no-training terms). | Prompts, relevant document excerpts, embeddings. | United States. | View |
Payments
| Sub-processor | Purpose | Data processed | Region | DPA |
|---|---|---|---|---|
| Stripe, Inc. | Subscription billing and payment processing. | Billing contact, card details (held by Stripe, not DocsFlow), invoice history. | United States, Ireland. | View |
Email
| Sub-processor | Purpose | Data processed | Region | DPA |
|---|---|---|---|---|
| Resend, Inc. | Transactional email (account, billing, security notifications). | Email address, message content (templated transactional notifications). | United States. | View |
Analytics
| Sub-processor | Purpose | Data processed | Region | DPA |
|---|---|---|---|---|
| Vercel Analytics (Vercel, Inc.) | Aggregate product usage analytics (no cross-site tracking). | Page views, aggregate usage metrics. No Customer Content. | United States. | View |
Subscribe to change notifications
To receive email notice when this list changes, send an email to legal@docsflow.app with the subject "Subprocessor notifications" and the account email you'd like subscribed.