Sub-processors

Last updated: May 30, 2026

A sub-processor is a third-party service we use to run sprintrr. Some of these services have technical access to your data in order to provide their service to us — for example, our database provider hosts the customer projects you create, and our AI provider receives the prompts you submit to AI features.

We choose sub-processors carefully (see our Trust page for our vendor-assessment process), and we require them to apply security and privacy controls at least as strong as our own.

Change notification. We notify customers at least 30 days before adding a new sub-processor that processes customer data, where feasible. Emergency additions during a vendor incident may be notified retroactively. To subscribe to changes, email support@sprintrr.ai.

Current sub-processors

  • Supabase
    Critical
    Service
    Database, authentication, file storage
    Data shared
    All customer-account data, project content, authentication records, uploaded files
    Location
    United States (primary region)
    Certifications
    • SOC 2 Type II
    • HIPAA-eligible
  • Vercel
    Critical
    Service
    Application hosting, edge network
    Data shared
    Request metadata, response logs, deployment artifacts (no customer content at rest)
    Location
    Global edge network
    Certifications
    • SOC 2 Type II
    • ISO 27001
  • Anthropic
    Critical
    Service
    Claude AI inference for AI-generated content
    Data shared
    AI prompts you submit to Sprintrr AI features
    Location
    United States
    Certifications
    • SOC 2 Type II
  • OpenAI
    Important
    Service
    GPT inference (only when you Bring Your Own Key)
    Data shared
    Prompts you submit — only when you have configured a personal OpenAI key (BYOK)
    Location
    United States
    Certifications
    • SOC 2 Type II
  • Google (Gemini API)
    Important
    Service
    Gemini inference (only when you Bring Your Own Key)
    Data shared
    Prompts you submit — only when configured with a personal Google AI key
    Location
    United States / global Google Cloud
    Certifications
    • SOC 2 Type II
    • ISO 27001
    • ISO 27017
    • ISO 27018
  • Google (OAuth)
    Important
    Service
    Sign-in provider when you choose "Continue with Google"
    Data shared
    Your Google account email, name, and profile picture
    Location
    United States / global
    Certifications
    • SOC 2 Type II
    • ISO 27001
  • Polar.sh
    Critical
    Service
    Subscription billing and payments
    Data shared
    Customer email, plan, subscription identifiers (no payment-card numbers — those stay with Polar)
    Location
    United States
    Certifications
    • PCI DSS (via Stripe)
  • Resend
    Important
    Service
    Transactional email delivery (account emails and customer-published status updates)
    Data shared
    Recipient email and message content (transactional only — no marketing)
    Location
    United States
    Certifications
    • SOC 2 Type II
  • Slack (Salesforce)
    Important
    Service
    Optional channel for delivering customer-published status updates (OAuth-based, customer-initiated)
    Data shared
    Customer-authored status update content; workspace ID and channel ID chosen by the customer
    Location
    United States
    Certifications
    • SOC 2 Type II
    • ISO 27001
    • ISO 27017
    • ISO 27018
  • Atlassian (Jira Cloud)
    Important
    Service
    Optional one-way import of issues from a customer-supplied Jira Cloud workspace (customer-initiated, API-token-based)
    Data shared
    Customer's Atlassian email + API token (encrypted at rest); read-only access to the chosen Jira project's issue fields
    Location
    United States / EU / AU
    Certifications
    • SOC 2 Type II
    • ISO 27001
    • ISO 27017
    • ISO 27018
  • Cloudflare
    Important
    Service
    Bot protection (Turnstile) and edge security
    Data shared
    IP address, browser fingerprint, request metadata
    Location
    Global edge
    Certifications
    • SOC 2 Type II
    • ISO 27001
  • Upstash
    Important
    Service
    Rate-limiting state store (Redis)
    Data shared
    Anonymous counters keyed by user ID or IP
    Location
    AWS regions (US/EU)
    Certifications
    • SOC 2 Type II
    • ISO 27001
  • Sentry
    Important
    Service
    Error monitoring (enabled when Sentry DSN is configured)
    Data shared
    Stack traces and request metadata — cookies, authorization headers, and known PII are scrubbed before send
    Location
    United States / EU options
    Certifications
    • SOC 2 Type II
    • ISO 27001
  • Axiom
    Important
    Service
    Application log aggregation (enabled when AXIOM credentials are configured)
    Data shared
    Application log lines
    Location
    United States / EU
    Certifications
    • SOC 2 Type II
  • GitHub
    Critical
    Service
    Source code hosting and CI/CD
    Data shared
    Application source code, deployment metadata (no customer content)
    Location
    United States
    Certifications
    • SOC 2 Type II
    • ISO 27001
    • FedRAMP
  • Meta Platforms
    Important
    Service
    Advertising conversion measurement (Meta Pixel) on public marketing pages
    Data shared
    Page-view and signup-conversion events, IP address, browser/cookie identifiers — marketing visitors only. No project content, task data, or AI prompts.
    Location
    United States
    Certifications
    • ISO 27001
    • ISO 27018

About this list

“Critical” sub-processors are services whose failure or breach would materially affect the sprintrr service or customer-data confidentiality. “Important” sub-processors process some customer data but their failure degrades a non-core feature.

For each Critical and Important sub-processor we maintain an internal vendor-assessment record covering the security certifications listed above, our Data Processing Agreement on file, and the residual risk we accept. Customers under contract may request a redacted assessment.

See our Privacy Policy for the rights you have over your personal data, and our Trust page for the overall security program.