Sub-Processors
Last updated: May 2026
SiteProof AI uses the following sub-processors to operate the Service. We require each to maintain appropriate technical and organizational measures to protect personal data, including Standard Contractual Clauses for any transfer of EU/UK personal data to a third country.
We will publish material changes (additions or replacements) on this page at least 30 days before they take effect, consistent with GDPR Article 28 transparency expectations.
| Sub-processor | Purpose | Data Processed | Location & Safeguards |
|---|---|---|---|
| Supabase, Inc. | Authentication (email + password), user profiles, application database, file storage | Email, hashed password, full name (optional), user-supplied site URLs, scan results, findings, assessments, activity log | United States (AWS us-east-1) — Standard Contractual Clauses in place for EU/UK transfers |
| Vercel, Inc. | Application hosting, edge runtime, content delivery, anonymous Web Analytics | IP address (for routing and analytics), user-agent, page-view events. Vercel Web Analytics is cookieless but stores a short-lived anonymous session ID in localStorage. | United States (multi-region edge) — Standard Contractual Clauses in place for EU/UK transfers |
| PayPal Holdings, Inc. | Payment processing, subscription billing, refund handling | Payer name and email (held by PayPal), PayPal payer ID, subscription/order IDs, transaction amounts. We never see or store full payment-card data. | United States and PayPal global infrastructure — PCI DSS Level 1 |
| Anthropic, PBC | AI-powered analysis of public website content to detect compliance issues; generation of AI policies and fix instructions | Excerpts of public HTML from scanned websites; user-submitted risk-assessment answers; finding metadata. No account email or other PII is sent. Anthropic does not train on API data by default. | United States — Standard Contractual Clauses in place for EU/UK transfers |
| Resend (Resend, Inc.) | Transactional email delivery (welcome, payment confirmations, monitoring alerts, account-deletion confirmations) | Recipient email address, first name (when provided), site domain in monitoring alerts, plan name, message contents | United States — Standard Contractual Clauses in place for EU/UK transfers |
| Upstash, Inc. | Redis-based rate limiting and webhook event deduplication | Ephemeral counters keyed by user ID (UUID) or IP address. No email addresses, names, or content are stored. Keys auto-expire within 24 hours. | AWS, region selected at provisioning (EU/US) — Standard Contractual Clauses in place for EU/UK transfers |
Questions or Objections
If you have questions about a sub-processor, want to object to a new sub-processor, or wish to exercise any data-protection right (access, rectification, erasure, portability, restriction, or objection), contact us at support@siteproofai.com.