Sub-Processor List

Last updated: March 27, 2026

1. About This List

The AI Check ("AIC," "we," "us," or "our") uses a limited number of third-party service providers ("sub-processors") to operate the Service. This page lists every sub-processor that processes personal data on our behalf, as required by GDPR Article 28(3)(d) and standard enterprise procurement practices.

AIC operates under a zero-knowledge architecture. Where a sub-processor hosts or transmits encrypted vault content, that content is ciphertext — the sub-processor cannot read, access, or decrypt it. Only unencrypted account metadata (email, billing status, sync event logs) is accessible to sub-processors in the normal course of operations.

2. Current Sub-Processors

Sub-ProcessorServiceData ProcessedLocation
Supabase, Inc. (hosted via Amazon Web Services)Database, authentication, file storageAll user account data, encrypted vault content (ciphertext only), authentication tokens, file attachmentsUSA (primary); EU data residency available on request for Enterprise customers
Vercel, Inc. (hosted via AWS / Google Cloud Platform)Web hosting, CDN, edge functionsHTTP request data, server logs, session tokens in transitUSA (primary); global edge network
Stripe, Inc.Payment processing, subscription managementEmail address, Stripe customer ID, payment method metadata. AIC does not store full payment card numbers.USA
Resend, Inc.Transactional email deliveryEmail addresses (for delivery of account notifications, password resets, policy update notices)USA
Plausible AnalyticsPrivacy-first web analyticsAnonymized page views and events. No cookies. No cross-site tracking. IP addresses are processed momentarily in memory solely to generate anonymized, non-reversible daily visitor hashes — the IP is then discarded and never stored.EU (Germany)

3. Services We Do Not Use

AIC does not use any of the following:

  • Google Analytics, Facebook/Meta Pixel, or any advertising or behavioural tracking technology.
  • Any data broker or data reseller.
  • Any AI provider as a sub-processor. When you use the BYOK feature, API calls are sent directly from your browser to the AI provider (OpenAI, Google, Anthropic, xAI) using your own API key. AIC is not in that data flow and does not act as an intermediary.

4. BYOK and AI Providers

When you use the Bring Your Own Key feature, your browser communicates directly with the AI provider's API using your own credentials. AIC does not proxy, relay, or intermediate these requests. The AI providers (OpenAI, Google, Anthropic, xAI) are not sub-processors of AIC — they are service providers you engage directly under your own agreement with them.

Your API keys are encrypted on your device with your master encryption key before storage. AIC stores only ciphertext and cannot access, read, or use your API keys.

5. International Data Transfers

Several of our sub-processors are based in the United States. For transfers of personal data from the European Economic Area (EEA), the United Kingdom, or Switzerland to sub-processors in the United States, AIC relies on:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission, where available from the sub-processor.
  • The EU-U.S. Data Privacy Framework, where the sub-processor is certified.

Enterprise customers subject to GDPR may request EU data residency for their Supabase database instance. Contact [email protected] for details.

Regardless of where data is stored, encrypted vault content remains protected by AES-GCM-256 client-side encryption. Sub-processors that host vault data store only ciphertext and cannot decrypt it.

6. Changes to This List

When we add or replace a sub-processor, we follow this procedure:

  1. Publish the updated sub-processor list on this page at least 30 days before the change takes effect.
  2. Send an email notification to all Pro and Enterprise users informing them of the change.
  3. Individually notify Enterprise customers who have an active Data Processing Agreement (DPA), with the opportunity to object to the new sub-processor within the 30-day notice period.

If an Enterprise customer objects to a new sub-processor and AIC cannot reasonably accommodate the objection, the customer may terminate the affected services under the terms of their DPA. Upon termination, the customer's account will be subject to the standard cryptographic erasure and data deletion timelines outlined in our Privacy Policy.

7. Version History

DateChange
2026-03-27Initial publication. Five sub-processors listed: Supabase, Vercel, Stripe, Resend, Plausible Analytics.

8. Contact

If you have questions about our sub-processors or data processing practices, contact us at [email protected].

This document was last updated on March 27, 2026. It is a pre-launch draft and will be reviewed by legal counsel before becoming effective.