Sub-Processors
Last updated: May 2026
A “sub-processor” is any third party we use to deliver Sentinellis. Below is the complete list. We have a signed Data Processing Agreement (DPA) with each one — public DPA pages are linked in the table. For data transfers outside the European Economic Area we rely on the EU-US Data Privacy Framework where the vendor is certified, and on Standard Contractual Clauses (SCCs) elsewhere.
For questions: contact@sentinellis.com.
Change notification commitment
Whenever we add or replace a sub-processor that handles personal data, we will update this page and notify subscribers at least 30 days in advance via the email on file. To get those notifications, simply have an active account — no separate sign-up required. To opt out, close your account; that also removes you from notifications.
| Provider | Purpose | Data | Region | DPA | Transfer |
|---|---|---|---|---|---|
| Railway | Backend hosting (FastAPI, Temporal worker), PostgreSQL database | Account data, reports, audit log | EU (Western Europe) / US | View | EU-US DPF + SCCs |
| Vercel | Frontend hosting, edge CDN | Request metadata (no body content stored) | Global edge / US | View | EU-US DPF + SCCs |
| Stripe | Payment processing, subscriptions, invoicing | Email, billing address, last4 of card (we never see full PAN) | EU / US | View | EU-US DPF + SCCs |
| Brevo (Sendinblue) | Transactional email — verification, password reset, drip campaigns | Email address, name, message metadata | EU (France) | View | EEA only — no transfer mechanism needed |
| Twilio | WhatsApp report delivery (opt-in), inbound bot | Phone number, message content (subject of the analysis) | EU / US | View | EU-US DPF + SCCs |
| Anthropic | Claude API — generates the analysis text from public company data | Company name + scraped public data (no end-user PII sent) | US | View | SCCs (Anthropic is not DPF-certified at time of writing) |
| Sentry | Error tracking and performance monitoring | Stack traces, request metadata (PII scrubbed at SDK) | EU (Frankfurt) | View | EEA only — no transfer mechanism needed |
| PostHog | Product analytics — funnel events, feature usage | Hashed user ID, event names (no PII), consent-gated | EU (Frankfurt) / US | View | EU-US DPF + SCCs |
| Google (OAuth) | Sign-in with Google (optional alternative to email/password) | Email address, name, profile picture URL | Global | View | EU-US DPF + SCCs |
| Cloudflare R2 | Encrypted database backups (off-Railway disaster recovery) | Compressed PostgreSQL dump (all account data, encrypted at rest) | EU (Eastern Europe) | View | EEA only — no transfer mechanism needed |
| Cloudflare Turnstile | CAPTCHA on login and register, bot protection | IP address, browser fingerprint (Cloudflare deletes after 7 days) | Global | View | SCCs |
Public data sources (not sub-processors)
The sources below feed the analysis itself but receive only the company name you typed, not your account or personal data. They are listed for transparency and are not under sub-processor obligations:
- NewsData.io — business news API
- Yahoo Finance — fundamentals + news (via yfinance)
- The GDELT Project — global news index (CC0 / public domain)
- Google News RSS — fallback news source
- SEC EDGAR — US public company filings
Request a DPA copy
Most public DPAs above are linked. If you need a counter-signed copy of any specific DPA for your own compliance file, email contact@sentinellis.com with the vendor name and we’ll forward what we hold.