Subprocessor list

v1.0 · Effective 11 June 2026 · Last updated 2026-06-11 · 8 vendors · Download as JSON →

We share the minimum data needed with each sub-processor. The list below identifies the legal entity, country, what we share, retention, and DPA status. We commit to 30 calendar days' prior notice of any new sub-processor, by email and in-product notification. If you object on reasonable data-protection grounds, you may terminate the affected services and receive a pro-rata refund, or terminate the entire MSA with 90 days' transition assistance.

#	Sub-processor	Country	Data shared	Purpose	Retention	DPA
1	Stripe Inc.	US / IE	Customer name, email, billing amount, IP, payment-method last-4	Payment processing	7 yr (txn); 30 d (logs)	✅ Standard Stripe DPA
2	Cloudflare Inc. (R2, Workers, Pages, Email Routing)	US (with EU/APAC edge)	Audit report PDFs, raw JSON, telemetry, transactional email	Hosting, storage, email routing	Customer-controlled	✅ Click-to-sign DPA
3	OpenAI OpCo LLC (API)	US	Prompt text (audit queries) and the 30-50 brand mentions being tested	AI-search query execution (ChatGPT engine)	0 (ZDR)	✅ ZDR + DPA
4	Anthropic PBC (API)	US	Prompt text and the 30-50 brand mentions being tested	AI-search query execution (Claude engine)	0 (ZDR)	✅ ZDR + DPA
5	Perplexity AI Inc. (Sonar API)	US	Prompt text and the 30-50 brand mentions being tested	AI-search query execution (Perplexity engine, online mode)	30 d (commercial default)	✅ Commercial DPA + ZDR available on request
6	ByteDance Volcengine (Ark API)	CN	Prompt text and brand mentions (Chinese prompts)	AI-search query execution (Doubao 豆包 engine)	0 (ZDR)	✅ ZDR enterprise contract
7	Moonshot AI Inc. (Kimi API)	CN	Prompt text and brand mentions (Chinese prompts)	AI-search query execution (Kimi engine)	0 (ZDR)	✅ ZDR enterprise contract
8	Resend Inc.	US (with EU edge)	Customer email address, audit report PDF (as attachment or link)	Transactional email delivery	30 d (delivery logs)	✅ Standard Resend DPA

Vendors we explicitly do not use

For full transparency, here is what we are not doing in v1.0:

No Paddle / Lemon Squeezy / 2Checkout — we invoice and collect directly. (See MSA §6.)
No Google Analytics, no Facebook Pixel, no retargeting or ad-tech cookies. Telemetry is via Plausible or self-hosted, cookieless.
No customer-data training — neither by us, nor by any LLM sub-processor (all LLM sub-processors under ZDR).
No Facebook / Twitter / LinkedIn login — only email + password (or magic link) via Cloudflare Access or equivalent.

Subscribe to change notifications

Email [email protected] with subject "Subscribe to subprocessor changes" to receive every update by email. We commit to 30 days' prior notice; the change will be reflected on this page on the effective date.

Subprocessor list v1.0 effective 11 June 2026. Next scheduled review 11 September 2026.