Subprocessors
Supabrief uses the following third-party service providers (“subprocessors”) to deliver, secure, and improve the Service. Each is bound by a written data-processing contract and, where required for international transfers of EU/UK personal data, the 2021 EU Standard Contractual Clauses (Module 2) or the UK IDTA Addendum.
We will provide at least 30 days' notice before adding or replacing a subprocessor. To receive these notifications, email support@supabrief.com with the subject “Subprocessor change notifications”.
Infrastructure subprocessors
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Supabase Inc. | Authenticated database (Postgres) and authentication | USA (AWS us-east-1) — verify per project | EU SCCs Module 2 + DPA |
| Vercel Inc. | Application hosting (Next.js serverless functions, edge network) | Global edge; primary region: USA | EU SCCs Module 2 + DPA |
| Razorpay Software Pvt Ltd | Payment processing, subscription management, GST invoicing | India | India-domiciled; no transfer issue |
AI processing subprocessors
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Google LLC (Gemini API) | Generates briefs from your Input | USA | EU SCCs + Google's DPA. API inputs excluded from training per provider terms. |
| OpenAI, L.L.C. | Generates briefs from your Input (fallback / paid tier) | USA | EU SCCs + OpenAI's DPA. API inputs excluded from training per provider terms. |
You can replace these with your own AI provider keys (BYOK) in your account settings — in that case your Input is processed under your own contractual relationship with the provider, not ours.
Operational subprocessors
| Provider | Purpose | Location | Transfer mechanism |
|---|---|---|---|
| Resend, Inc. | Transactional & marketing email delivery | USA | EU SCCs + DPA |
Optional integrations (you control)
These are activated only if you connect them from your account settings. Connecting an integration causes the data described to be processed by the named third party under their own privacy terms.
- Slack Technologies, LLC — if connected, we send brief output to the Slack channel you authorise. Governed by Slack's privacy policy.
- Atlassian Pty Ltd (Jira) — if connected, we fetch issue data you authorise. Governed by Atlassian's privacy policy.
- GitHub, Inc. — if connected via PAT, we read repository data you authorise. Governed by GitHub's privacy policy.
- Gong.io, Inc. — if connected, we fetch call/meeting data you authorise. Governed by Gong's privacy policy.
Questions or objections
If you object to a new subprocessor (GDPR Art 28(2) right), email support@supabrief.com within 30 days of our notice. We will discuss alternatives or, if none are feasible, give you the option to terminate your subscription with a pro-rata refund of any prepaid unused fees.