1. Introduction
A “subprocessor” is any third party that processes personal data on our behalf to help us deliver the Vezraa Service. This page identifies our current subprocessors and the categories of personal data each receives. It is incorporated by reference into our Privacy Policy, our Terms of Service, and our Data Processing Addendum.
We have evaluated each subprocessor's data-protection posture and have a data-processing agreement (or equivalent contractual commitments) in place. We share only the minimum data necessary for the relevant purpose.
2. Infrastructure
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Vercel Inc. | Web hosting, serverless functions, edge CDN | Request metadata, IP, technical access logs | USA / global edge |
| Cloudflare, Inc. (via Vercel) | Network edge, DDoS mitigation | Request metadata, IP, TLS handshake data | Global edge |
3. Authentication & data storage
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Supabase Inc. | Authentication (Google / GitHub OAuth, magic-link email OTP) | Email, OAuth identifier, session tokens | Region-configurable; we use the primary region selected at project creation |
| Neon Inc. | Primary Postgres database | Account, scan, finding, billing, audit data | USA (us-east-1) |
| Upstash, Inc. | Redis-based rate limiting, scan queueing, real-time pub/sub | Hashed identifier, request counters, transient queue payloads | Region-configurable |
4. Payments & billing
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Razorpay Software Private Limited | Subscription billing, invoicing, fraud screening, customer portal | Email, billing country, plan / subscription metadata, transaction amount, tax identifier | India / Global |
5. Email delivery
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Resend, Inc. | Transactional, magic-link, scan-completion, and waitlist emails | Email, message content, delivery metadata | USA / EU |
6. AI providers
We send the active AI provider only the minimum context required to generate the requested output (a finding summary or a fix prompt). Obvious secret-shaped values are redacted from that data before transmission. We use these APIs under their commercial terms, which prohibit training on customer inputs and outputs.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| OpenAI, L.L.C. | AI fix-prompt and executive-summary generation | Finding metadata and redacted evidence required to generate an explanation | USA |
| Anthropic, PBC (optional) | Alternative AI provider for the same workloads | Same as OpenAI when configured by you or by us as the active provider | USA |
7. Error & performance monitoring
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Sentry (Functional Software, Inc.) | Error tracking, performance monitoring | Stack traces, hashed user ID, request paths, browser/runtime metadata | USA / EU |
8. Scan-time data sources
Performing a scan involves fetching data from public registries and open data sources. These are not subprocessors of personal data in the strict sense (we do not send personal data to most of them), but we list them here for transparency.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| Google PageSpeed Insights API | Performance / Core Web Vitals metrics for scanned URLs | Public URL submitted for scanning | USA / global |
| NIST National Vulnerability Database (NVD) | CVE / CVSS reference data for findings | Read-only lookups; no personal data sent | USA |
| Public DNS resolvers | DNS, TXT, SPF, DMARC, MX, CAA lookups | Domain names submitted for scanning | Global anycast |
| Public certificate-transparency logs | Subdomain enumeration and certificate inventory | Domain names submitted for scanning | Global |
| Have I Been Pwned (Superlative Enterprises Pty Ltd) | Optional breach monitoring (Max plan only) | Hashed email or domain lookups | EU / global |
9. Optional integrations (you turn these on)
The following providers are only used when you explicitly enable the corresponding feature. Disabling the integration removes any tokens or webhook URLs we hold for you.
| Provider | Purpose | Data shared | Region |
|---|---|---|---|
| GitHub, Inc. (Microsoft) | Optional repository integration: read repo, open pull requests with fixes | OAuth access token, repository identifier, file contents touched by the PR | USA |
| Slack Technologies, LLC | Optional incoming webhook for scan / threat alerts | Webhook URL you supply, message payloads we send | USA / EU |
| Discord, Inc. | Optional incoming webhook for scan / threat alerts | Webhook URL you supply, message payloads we send | USA |
10. International transfer mechanisms
Where personal data is transferred from the EEA, the UK, or Switzerland to a country without an adequacy decision, we rely on the European Commission Standard Contractual Clauses (Module 2 or Module 3 as applicable) and the UK International Data Transfer Addendum, supplemented by technical and organizational measures including encryption in transit, encryption at rest, and access controls. A copy of the relevant transfer mechanism for a specific recipient is available on request to udayakirantumma@gmail.com.
Under the Digital Personal Data Protection Act, 2023 of India, personal data may be transferred outside India to any country other than those notified by the Government of India as restricted destinations; we will comply with any such notifications when published.
11. Changes & how to subscribe to updates
We update this list whenever we add, remove, or change a subprocessor. The “Last updated” date and version stamp at the top of this page record the most recent change.
Customers covered by our Data Processing Addendum may subscribe to subprocessor change notifications by emailing udayakirantumma@gmail.com with the subject “Subscribe: subprocessor updates.” We aim to provide at least thirty (30) days' advance notice of new subprocessors that will process personal data of EEA, UK, Swiss, or Indian Data Principals, except in cases where shorter notice is required for security or legal reasons.
12. Contact
For questions about this list or to object to a new subprocessor, contact udayakirantumma@gmail.com. See also: Privacy Policy, Cookie Policy, and Data Processing Addendum.