Verinode Sub-processors
Effective date: 2026-05-02 Version: 1.2
This page lists every third party that processes personal information on Verinode's behalf. It is maintained to satisfy GDPR Article 28(2) (prior notice of intended sub-processor changes so that operators can object) and the CCPA service-provider disclosure rules. We update this list at least 30 days before a new sub-processor begins processing.
Active sub-processors
Infrastructure
| Sub-processor | Purpose | Data processed | Location | Safeguards |
|---|---|---|---|---|
| Vercel | Application hosting + edge / serverless compute | All operator + user data passing through the application layer | United States (with global edge) | EU-Commission Standard Contractual Clauses (SCCs 2021/914), SOC 2 Type 2, ISO 27001 |
| Supabase | Managed Postgres databases (Operator Database + Intelligence Database) + storage + auth | All operator + user PII | United States; regional deployment (including EU) available on enterprise request | EU-Commission SCCs (2021/914), SOC 2 Type 2, HIPAA-eligible plans |
| Cloudflare | Email Routing, CDN, Workers, DNS | Inbound email payloads (briefly, before they reach Vercel) | Global edge | EU-Commission SCCs, SOC 2 Type 2, ISO 27001 |
LLM providers
| Sub-processor | Purpose | Data processed | Location | Safeguards |
|---|---|---|---|---|
| Anthropic (Claude API) | Document extraction, chain extraction, agent reasoning, signal generation | Anonymised document and email content (PII fields like claim numbers, names, addresses replaced with typed placeholders before transmission per docs/architecture/llm-anonymization-pipeline.md); operator metadata; LLM prompts and responses | United States | Zero-Data-Retention (ZDR) mode enabled — Anthropic does not retain or train on our data; Anthropic Data Processing Addendum executed; SOC 2 Type 2 |
| OpenAI | LLM fallback when Claude is unavailable, vector embeddings | Same as Anthropic above | United States | Zero-retention via API; OpenAI Data Processing Addendum executed; SOC 2 Type 2 |
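The Anthropic row says PII fields are replaced with typed placeholders before anything is transmitted. The TypeScript below is an added illustration of what that property means in practice; it is not Verinode's pipeline (docs/architecture/llm-anonymization-pipeline.md is not reproduced on this page), and the regex detectors, the `<KIND_n>` token format and the sample document are assumptions made for the example. What it shows is the part that matters for this disclosure: the string that crosses the boundary to the LLM provider carries only placeholders, the placeholder-to-value map never leaves Verinode, and the model's output is re-identified on our side.

```typescript
// Added example: typed-placeholder anonymisation before an LLM call.
// Not Verinode's code. Detectors, token format and sample text are assumptions.

type PiiKind = "NAME" | "CLAIM_NUMBER" | "ADDRESS" | "EMAIL" | "PHONE";

export interface AnonymisedDoc {
  text: string;              // the only thing that is sent to the LLM provider
  map: Map<string, string>;  // placeholder -> original value; stays inside Verinode
}

// Deliberately simple regex detectors for the example. A production pipeline
// would use known field positions from the extracted document and/or a PII model;
// ADDRESS has no detector here, which is why the residual-PII guard below matters.
const DETECTORS: Array<{ kind: PiiKind; re: RegExp }> = [
  { kind: "EMAIL", re: /[\w.+-]+@[\w-]+\.[\w.-]+/g },
  { kind: "CLAIM_NUMBER", re: /\bCLM-\d{4}-\d{6}\b/g },
  { kind: "PHONE", re: /\b\d{3}-\d{3}-\d{4}\b/g },
  { kind: "NAME", re: /\b(?:Mr|Mrs|Ms|Dr)\.\s+[A-Z][a-z]+(?:\s+[A-Z][a-z]+)?/g },
];

const PLACEHOLDER = /<(?:NAME|CLAIM_NUMBER|ADDRESS|EMAIL|PHONE)_\d+>/g;

// Replace each detected value with a typed, numbered placeholder. The same value
// always maps to the same placeholder so the model can still reason about
// "the same claimant appears twice" without ever seeing the name.
export function anonymise(text: string): AnonymisedDoc {
  const map = new Map<string, string>();      // placeholder -> original
  const reverse = new Map<string, string>();  // original -> placeholder
  const counters = new Map<PiiKind, number>();
  let out = text;
  for (const { kind, re } of DETECTORS) {
    out = out.replace(re, (match: string) => {
      const existing = reverse.get(match);
      if (existing !== undefined) return existing;
      const n = (counters.get(kind) ?? 0) + 1;
      counters.set(kind, n);
      const token = `<${kind}_${n}>`;
      map.set(token, match);
      reverse.set(match, token);
      return token;
    });
  }
  return { text: out, map };
}

// Guard run on the outbound text: true only if no detector still fires.
// Refusing to send on failure is the safe default for a zero-retention contract,
// because the provider's ZDR commitment does not help if raw PII was never stripped.
export function hasNoResidualPii(text: string): boolean {
  return DETECTORS.every(({ re }) => {
    re.lastIndex = 0; // global regexes keep state between test() calls
    return !re.test(text);
  });
}

// Re-identify the model's output inside Verinode. Unknown tokens are left as-is
// rather than guessed, so a hallucinated placeholder cannot be mapped to a real person.
export function deanonymise(llmOutput: string, map: Map<string, string>): string {
  return llmOutput.replace(PLACEHOLDER, (token) => map.get(token) ?? token);
}

// Constructed sample document (not real data).
export const SAMPLE_DOCUMENT =
  "Claim CLM-2026-001234 was filed by Mr. John Smith (john.smith@example.com, 555-123-4567). " +
  "Mr. John Smith called again.";

const demo = anonymise(SAMPLE_DOCUMENT);
if (!hasNoResidualPii(demo.text)) throw new Error("refusing to transmit: residual PII");
console.log(demo.text);
// -> Claim <CLAIM_NUMBER_1> was filed by <NAME_1> (<EMAIL_1>, <PHONE_1>). <NAME_1> called again.
```

The map is keyed to one request and held server-side for the lifetime of that call; it is never included in the prompt, logged, or streamed to any of the providers above, which is what lets the "Data processed" column for both LLM rows stay limited to placeholders and metadata.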
Identity & access
| Sub-processor | Purpose | Data processed | Location | Safeguards |
|---|---|---|---|---|
| WorkOS | Enterprise SSO (SAML 2.0 / OIDC) and SCIM 2.0 directory-sync provisioning. Verinode-side integration lives in lib/auth/sso/workos.ts, app/(auth)/sso/*, and app/api/webhooks/workos/route.ts. | User name, email address, group / role assignments, IdP-specific metadata (organization ID, connection ID). No operator business data. | United States | EU-Commission SCCs, SOC 2 Type 2, signed DPA. A WorkOS Staging environment is used during the pre-revenue MVP; the Production environment will be used once the first paid customer requires it. |
Operations
| Sub-processor | Purpose | Data processed | Location | Safeguards |
|---|---|---|---|---|
| Resend | Transactional email (welcome, invites, password reset, signal digests) | User name, email address, message subject + body | United States | EU-Commission SCCs, SOC 2 Type 2 |
| Twilio | SMS notifications + survey delivery | Recipient phone number, message body | United States | EU-Commission SCCs, SOC 2 Type 2, HIPAA BAA available on request |
| Stripe | Subscription billing + payment processing | Operator name, billing email, billing address, payment method (card stored at Stripe, not at Verinode) | United States + global processing nodes | PCI-DSS Level 1, SOC 2 Type 2, EU-Commission SCCs |
| Better Stack | External write-once (WORM) audit-log retention via Vercel Log Drain. Receives the audit-event JSON emitted by lib/logging/audit-stream.ts and holds an immutable copy outside Verinode's own blast radius, as defence-in-depth for ISO/IEC 27001:2022 Annex A 8.15 (Logging) and SOC 2 CC7.2. | Audit metadata only (event kind, table, action, user_id, operator_id, outcome, structured detail). Filter keys are streamed; filter values are not. No raw operator business data. | United States | SCCs where applicable, SOC 2 Type 2 (Better Stack Telemetry product) |
| Apify | Web scraping for vendor / regulatory / market intelligence (no operator PII; only public web content) | None — public-source intelligence only | United States + EU | SCCs where applicable (no operator PII processed) |
Internal observability
| Sub-processor | Purpose | Data processed | Location | Safeguards |
|---|---|---|---|---|
| Vercel Analytics + Logs | Performance monitoring, error tracking | Anonymised request paths, response times, error stack traces; payloads contain no operator PII | United States | Same as Vercel hosting |
What sub-processors we do NOT use
For the avoidance of doubt, since the question comes up:
- Verisk, Cotality, or any insurance-carrier-aligned analytics provider: never used as a sub-processor and never given operator data. This is a binding commitment in the Data Use Policy.
- Advertising networks or data brokers: none, ever.
- Sale or licensing of operator data: none, ever.
How we evaluate sub-processors
Before adding a sub-processor, we verify:
- They have a published security posture (SOC 2 Type 2 or ISO 27001 ideally; demonstrably substantive security otherwise).
- They will sign a Data Processing Agreement (DPA) consistent with our obligations to operators.
- For operators outside the US (in particular EU/EEA and UK operators): they offer the EU-Commission Standard Contractual Clauses or an equivalent lawful transfer mechanism.
- For LLM providers: zero-retention / no-training-on-our-data is contractually guaranteed.
- We can audit their processing on request (right to audit clause in DPA).
Notification of changes
When we add a new sub-processor, we:
- Update this page, with the new sub-processor's effective date set at least 30 days in the future.
- Email all operators about the change at least 30 days before that effective date.
- Provide an objection mechanism — operators who object can request data erasure under our normal erasure procedure (/profile?tab=privacy) before the new sub-processor goes live.
Contact
Questions or objections: privacy@verinode.com.