Current sub-processors
| Sub-processor | Role | Data processed | Location |
|---|---|---|---|
| Vercel | Application hosting and CDN | Application traffic, cached content | United States, with global edge locations |
| Supabase | Database, file storage, Vault | Brand record content, account data, encrypted secrets | European Union (Frankfurt region) |
| Stripe | Payment processing | Billing information, card details | United States, with EU subsidiaries |
| GitHub | Per-tenant content repositories (Guardian) | MDX content, assets | United States |
| Anthropic | AI provider for Oswald | Brand record context and prompts during Oswald sessions | United States |
| Postmark (or similar transactional email provider) | Transactional email delivery | Recipient addresses, email content | United States |
| PostHog (or Plausible) | Privacy-respecting product analytics | Aggregate usage events | European Union (PostHog EU instance) |
For Henry (Customer-supplied)
Henry uses an AI provider chosen by the customer:
| Provider | Customer relationship |
|---|---|
| OpenAI | Direct customer relationship; Brand Atlas mediates only the integration |
| Google (Gemini) | Direct customer relationship; Brand Atlas mediates only the integration |
What each sub-processor does, in more detail
Vercel
Hosts the Brand Atlas application and serves the marketing and documentation sites. Vercel’s edge network caches static assets close to users globally. Vercel does not have access to the database; the database lives in Supabase.
Supabase
Stores the database (account data, brand record metadata, brand record content), file storage (uploaded assets), and Vault (encrypted secrets including BYOK API keys). The Supabase project is configured in the EU region.
Stripe
Processes payments. Stripe is the only party that sees full card numbers; Brand Atlas stores tokenised references. Stripe also generates the invoices made available to customers in the portal.
GitHub
For Guardian customers using the per-tenant repo workflow, GitHub hosts the customer’s atlas repo. Repos are private and scoped to the individual atlas.
Anthropic
Processes Oswald’s interactions. The Anthropic enterprise API tier does not use API content for training. Anthropic’s data retention is no longer than 30 days for operational debugging purposes.
Transactional email provider
Delivers notification and transactional emails (welcome, password reset, invoices, Update Request alerts).
Analytics
PostHog or Plausible, configured to collect aggregate usage events without cross-site tracking. No data is shared with advertising networks. Analytics can be disabled per-user from cookie preferences.
How we evaluate sub-processors
We select sub-processors based on:
- Security maturity. Independent assessments, vulnerability disclosure, breach history.
- Privacy commitments. GDPR readiness, DPA willingness, no-training commitments for AI.
- Service quality. Reliability, performance, support quality.
- Jurisdictional fit. Where the sub-processor operates and the transfer mechanisms available.
Notice of changes
When we add or replace a sub-processor, we notify customers at least 30 days in advance via:
- Email to the brand owner of each affected atlas.
- An entry in the changelog.
- An update to this page.
Objecting to a sub-processor
A customer can object to a new sub-processor during the 30-day notice period by writing to legal@brandatlas.pro. We will attempt to accommodate the objection. If we cannot, the customer may terminate the affected portion of the Service per the DPA.
What changed
- 27 May 2026: Initial list published.