Vendor / Sub-processor Assessments — Completed
Last full sweep: July 14, 2026 · Reviewer: Security Lead · Approver: CEO
All vendors below have a signed DPA (or equivalent ToS provision) and were assessed with the Vendor Risk Assessment Template. Full completed forms are archived in the Company 1Password vault "Compliance / Vendors".
| Vendor | Purpose | Data class | Residency | Certifications | L × I | Decision | Next review |
| --- | --- | --- | --- | --- | :-: | --- | --- |
| Supabase | Postgres, Auth, Storage, Realtime | Confidential (PII, job data, invoices) | AWS us-east-1 | SOC 2 Type II, HIPAA, ISO 27001 | 2 × 5 = 10 | ✅ Approved | 2027-07-14 |
| Cloudflare | CDN, WAF, DNS, Workers hosting | Confidential (in-transit) | Global anycast | SOC 2 Type II, ISO 27001, PCI DSS | 2 × 4 = 8 | ✅ Approved | 2027-07-14 |
| Stripe | Payment processing, Connect payouts | Restricted (card, bank) — tokenized only | US / EU | PCI DSS L1, SOC 1/2, ISO 27001 | 2 × 5 = 10 | ✅ Approved | 2027-07-14 |
| Lovable AI Gateway | LLM inference (OpenAI, Gemini) | Confidential (prompts, image descriptions) | US | Vendor-managed; upstream: OpenAI SOC 2, Google ISO 27001 | 3 × 3 = 9 | ✅ Approved | 2027-07-14 |
| xAI (Grok) | Optional co-pilot inference | Confidential (prompts only, no PII by design) | US | Emerging; contractually bound not to train on our data | 3 × 3 = 9 | ✅ Approved with control (opt-in toggle, PII redaction) | 2027-01-14 |
| DFINITY / Internet Computer | oracle-ai-v2 canister inference | Internal (prompts, no PII) | IC subnet | Public chain, deterministic canisters | 3 × 2 = 6 | ✅ Approved | 2027-07-14 |
| PostHog | Product analytics (opt-in) | Internal (anonymized events) | EU (Frankfurt) | SOC 2 Type II, GDPR-ready | 2 × 2 = 4 | ✅ Approved | 2027-07-14 |
| Sentry | Error monitoring | Confidential (stack traces may contain identifiers) | US | SOC 2 Type II, ISO 27001, GDPR | 2 × 3 = 6 | ✅ Approved with control (PII scrubbing enabled) | 2027-07-14 |
| Resend | Transactional email delivery | Confidential (email addresses, content) | US / EU | SOC 2 Type II, GDPR | 2 × 3 = 6 | ✅ Approved | 2027-07-14 |
| Microsoft Graph (Outlook/Teams) | Calendar & mail integration (per-user OAuth) | Confidential (per end-user, scoped tokens) | Per user tenant | SOC 2, ISO 27001, HIPAA | 2 × 3 = 6 | ✅ Approved | 2027-07-14 |
| Google (OAuth + Gmail) | Sign-in and calendar (per-user OAuth) | Confidential (per end-user, scoped tokens) | Per user | SOC 2, ISO 27001 | 2 × 3 = 6 | ✅ Approved | 2027-07-14 |
| GitHub | Source code, CI | Internal (source), Restricted (secrets in Actions) | US | SOC 1/2, ISO 27001 | 2 × 4 = 8 | ✅ Approved | 2027-07-14 |
Compensating controls in effect
- xAI (Grok): disabled by default; user must toggle on. Server strips known PII patterns (email, phone, address) before send.
- Sentry:
beforeSendscrubsAuthorization,cookie, and known PII fields.
Change log
- 2026-07-14 — Full sweep of 12 vendors; all approved. Next annual review: 2027-07-14.
Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.