Subprocessors

Version 1.1, Last updated 2026-05-19

Calafai uses a small set of third parties to deliver the service. When you submit a brief, run an engagement, or receive a deliverable, your data may pass through one or more of these subprocessors. We list them here in full so you can review the chain of custody before signing up.

Subprocessors fall into two groups: AI model providers, who run the language and image models that produce your deliverables, and operational subprocessors, the hosting, billing, email, and monitoring services that keep the platform running.

We will give at least 30 days' advance notice before adding a new third-party subprocessor that processes customer personal data, in line with our Data Processing Agreement (clause 4.2). Where we route to a new model from a provider already on this page, no new third party receives your data, and we update this page on the day of the change rather than 30 days ahead (clause 4.3). This lets us pick up newly released models from authorised providers without delay. The no-training commitment and the data-location representation must already cover the new model; if they do not, we treat the change as a new subprocessor and give the full 30-day notice. This page is the canonical record. Bookmark it, or subscribe to change notifications by writing to [email protected].

No training on your data. All AI model providers listed below are contractually prohibited from using your prompts, attachments, or completions to train, fine-tune, evaluate, or benchmark their models. We audit this annually. The LLM Provider DPA Audit is available on written request to [email protected].

AI model providers

These are the model providers we currently route production traffic to. We disclose only providers we actually use, if a connector exists in our codebase but no traffic flows to it (no API key deployed in production), it is not listed here. We update this page whenever we add or remove a provider. The specific models and how they are orchestrated are an internal implementation detail; what matters for your data is the provider, location, and processing terms below.

OpenAI

OpenAI, L.L.C.

United States

Purpose: Large language model inference — reasoning, financial analysis, and complex multi-step text generation for engagement deliverables.
Data processed: Engagement briefs, attachment extracts, intermediate reasoning outputs.
Data location: USA. EU data residency available via Azure OpenAI EU deployments.
Processing terms: DPA in force via OpenAI commercial agreement.

Website ↗Privacy policy ↗DPA ↗

Anthropic

Anthropic, PBC

United States

Purpose: Large language model inference — writing, consulting reasoning, synthesis, and analytical review for engagement deliverables.
Data processed: Engagement briefs, attachment extracts, intermediate reasoning outputs.
Data location: USA. GCP EU infrastructure available on request.
Processing terms: DPA in force via Anthropic commercial agreement.

Website ↗Privacy policy ↗DPA ↗

xAI

X.AI Corp.

United States

Purpose: Large language model inference for strategic analysis in engagement deliverables.
Data processed: Engagement briefs, attachment extracts, intermediate reasoning outputs.
Data location: USA.
Processing terms: Standard API enterprise terms; formal DPA pending — Transfer Impact Assessment in progress (see /trust).

Website ↗Privacy policy ↗

Google (Gemini via AI Studio)

Google LLC

United States

Purpose: Multimodal model inference — image and document analysis, and independent review of engagement deliverables.
Data processed: Image attachments, PDF/DOCX extracts, multimodal prompts. For Second Opinion review: the full engagement corpus — brief, thinking-partner sessions, the report, and intermediate drafts.
Data location: US endpoints today (AI Studio consumer API). Vertex AI / GCP EU residency becomes available on migration.
Processing terms: Google AI Studio Additional Terms (DPA-by-reference) today; Vertex AI / GCP DPA migration expected by 2026-05-21 (BACKLOG #130, P0).

Website ↗Privacy policy ↗DPA ↗

Ideogram

Ideogram, Inc.

United States

Purpose: Image generation for deliverable illustrations and brand visuals.
Data processed: Text prompts only — no client-uploaded source imagery.
Data location: USA.
Processing terms: Standard API terms; no separate DPA required (text-only prompts).

Website ↗Privacy policy ↗

Self-hosted (Ollama / Qwen models)

Calafai B.V. (self-hosted)

Self-hosted within Calafai infrastructure

Purpose: Self-hosted inference for low-cost code generation and routing tasks, running on Calafai-controlled hardware.
Data processed: Engagement briefs and code-generation prompts.
Data location: Self-hosted; no third-country transfer. Model weights distributed by Alibaba Cloud (Qwen) but no inference data leaves Calafai infrastructure.
Processing terms: Not applicable — self-hosted inference, no external processor.

Operational subprocessors

Service providers that process customer personal data on Calafai's behalf to operate the platform, hosting, payments, email delivery, and error monitoring.

Supabase

Supabase, Inc.

United States (EU-region database hosting)

Purpose: Primary application database (PostgreSQL) with row-level tenant isolation, plus authentication (email/password, magic link, SSO).
Data processed: Account credentials, engagement metadata, deliverables, audit logs.
Data location: EU-region (eu-west) PostgreSQL cluster. Encrypted at rest (AES-256) and in transit (TLS 1.2+).
Processing terms: DPA in force via Supabase platform agreement.

Website ↗Privacy policy ↗DPA ↗

Vercel

Vercel Inc.

United States (global edge network)

Purpose: Web application hosting (Next.js), API routes, edge caching, and CDN.
Data processed: HTTP request/response payloads, account-bound session cookies, server logs.
Data location: Multi-region edge with US-based control plane. EU edge nodes serve EU users.
Processing terms: DPA in force via Vercel commercial agreement.

Website ↗Privacy policy ↗DPA ↗

Railway

Railway Corp.

United States

Purpose: Long-running engagement engine (Python). Receives engagement briefs and dispatches to AI model providers.
Data processed: Engagement briefs, attachment extracts, intermediate reasoning outputs, run logs.
Data location: USA-region container hosting.
Processing terms: DPA in force via Railway terms.

Website ↗Privacy policy ↗

Stripe

Stripe, Inc. (Stripe Payments Europe Ltd. for EU)

United States / Ireland (EU)

Purpose: Subscription billing, credit-pack purchases, invoice generation, payment-method storage.
Data processed: Payment card details (tokenised — never touch Calafai infrastructure), billing address, tax ID, customer email.
Data location: EU customers handled by Stripe Payments Europe Ltd. (Ireland). Card data tokenised by Stripe.
Processing terms: DPA in force via Stripe Services Agreement.

Website ↗Privacy policy ↗DPA ↗

Resend

Resend, Inc.

United States

Purpose: Transactional email delivery — engagement notifications, invite codes, password reset.
Data processed: Recipient email address, message content, delivery metadata.
Data location: USA.
Processing terms: DPA in force via Resend terms.

Website ↗Privacy policy ↗DPA ↗

Sentry

Functional Software, Inc. (dba Sentry)

United States

Purpose: Application error tracking and performance monitoring. Helps Calafai diagnose and fix production issues.
Data processed: Stack traces, request context, user ID (no email/name), browser/OS metadata. Server-side scrubbing strips known PII fields before transmission.
Data location: USA. EU-region Sentry available (under evaluation).
Processing terms: DPA in force via Sentry terms.

Website ↗Privacy policy ↗DPA ↗

Upstash

Upstash, Inc.

United States (multi-region)

Purpose: Optional rate-limiting and ephemeral cache (Redis). Degrades gracefully to in-memory if unavailable.
Data processed: API key prefixes, rate-limit counters, short-lived cache entries. No engagement content.
Data location: Multi-region (EU available).
Processing terms: DPA in force via Upstash terms.

Website ↗Privacy policy ↗

Questions or objections

If you have questions about a specific subprocessor, or you would like to object to a planned change, write to [email protected]. For matters specific to AI Act compliance, write to [email protected].