Sub-processors
Last updated: May 13, 2026
This page is the public list of third-party services that process personal
data on Verxion’s behalf. It mirrors the internal record at
docs/compliance/processor-inventory.md. Material changes are recorded
in the changelog section at the bottom of this page; subscribers receive
notice through the website.
For a description of how Verxion processes personal data, see the Privacy Policy (also available in Spanish).
Processors and sub-processors
| Provider | Purpose | Region | Transfer mechanism | DPA |
|---|---|---|---|---|
| Railway | Application hosting + Postgres database | EU West (EEA, verified 2026-05-08) | n/a | https://railway.com/legal/dpa |
| AWS KMS | Key encryption key custody for field-level encryption | eu-north-1 (Stockholm, EEA) | n/a | https://aws.amazon.com/compliance/gdpr-center/ |
| Sentry | Application error tracking | EEA (DE region) | n/a | https://sentry.io/legal/dpa/ |
| Upstash | Redis for rate limiting and idempotency | UK (eu-west-2, London) | UK adequacy decision (no SCCs required) | https://upstash.com/trust/dpa.pdf |
| Resend | Transactional email + waitlist audience | Ireland (eu-west-1, EEA) | n/a (EEA data residency for domain mail.verxion.ai; Resend entity is US, DPA SCCs cover entity-level access) | https://resend.com/legal/dpa |
| Vercel | Static site hosting + global CDN | Global CDN — EU visitors served from EEA PoPs; compute regions include arn1 (Stockholm), cdg1 (Paris), dub1 (Dublin), fra1 (Frankfurt) | SCCs (Vercel Inc. is US-incorporated; SCCs from the DPA cover entity-level access) | https://vercel.com/legal/dpa |
Separate controllers (not Verxion sub-processors)
These third parties may receive personal data when you actively use specific Verxion features, but they act as separate controllers under their own terms — not as Verxion’s processors:
- Apple Sign In — when you choose Apple as your identity provider.
- Google Sign In — when you choose Google as your identity provider.
- OpenFoodFacts — public food-data lookups (server-to-server, no user PII transmitted).
- Any MCP-compatible client you authorize — when you authorize a connected app via OAuth, it processes the data exposed via the granted scopes under its own terms. The compatible-client list is open and evolves with the ecosystem; non-exhaustive examples: ChatGPT, Claude, Gemini, Cursor, OpenCode, Cline, Continue, Cody, custom-built agents. The legal treatment is identical for every such client.
International transfers
Vercel operates a global CDN with several EEA compute regions
(Stockholm, Paris, Dublin, Frankfurt); EU visitors are served from
EU PoPs, so transient request data (IP, headers) is handled in
the EEA at the edge. The Vercel legal entity is Vercel Inc.
(Delaware, US), and entity-level access is covered by Standard
Contractual Clauses (SCCs) executed as part of the DPA. Technical
safeguards apply (field-level encryption with EEA-resident keys via
AWS KMS eu-north-1, pseudonymization in logs, scope-limited
access).
For Upstash (UK), transfers are covered by the European Commission’s UK adequacy decision (adopted 28 June 2021), so SCCs are not required for EU→UK transfers. The same technical safeguards apply.
For Resend, the sending domain mail.verxion.ai is pinned to the
Ireland (eu-west-1) region, so email content and addresses are
processed and stored in the EEA. The Resend legal entity is US-based;
entity-level access (support, billing, management) is covered by the
SCCs in their DPA.
Notification of changes
Material changes to this list (a new processor, a region change, a change of scope of processing) are published here with at least 30 days’ notice before they take effect, except when the change is required by a regulator or for security reasons. We will additionally surface a re-acceptance flow if the change requires user attention.
Changelog
| Date | Change |
|---|---|
| 2026-05-13 | Three region clarifications, no change to providers or data flows. (1) Upstash: confirmed as eu-west-2 (London, UK), under the EU’s UK adequacy decision — was previously labelled “EEA (region confirmed in deployment)”. (2) Resend: the sending domain mail.verxion.ai is pinned to eu-west-1 (Ireland, EEA), so email data is now correctly listed as EEA-resident — was previously labelled “US”. The Resend legal entity is still US; entity-level access remains covered by the DPA SCCs. (3) Vercel: clarified that the platform runs a global CDN with several EEA compute regions (Stockholm, Paris, Dublin, Frankfurt); EU visitors are served from EU PoPs. The previous “US (global edge)” wording understated the EEA footprint. The Vercel legal entity is still Vercel Inc. (Delaware), so SCCs still apply at the entity level. |
| 2026-05-08 | Initial public publication of the sub-processor list. Added OpenAI, Sentry, Vercel, AWS KMS to the previously-published Railway/Upstash/Resend listing. |