Sub-processors
Last updated: 2026-05-02.
This page lists every third-party service that may process customer personal data on Safe to Publish's behalf. It is referenced from our Privacy Policy §5 and our Data Processing Addendum §3.
We will provide thirty (30) days' advance notice by email before adding a new sub-processor or replacing one of those listed below. To subscribe to that notice list, email support@safetopublish.com.
Current sub-processors
Anthropic
United StatesPurpose: Reviewer model inference (Claude Sonnet 4.6 + Haiku 4.5)
Data accessed: Submitted draft text, after PII auto-redaction. Reviewer calls run with Zero Data Retention enabled — drafts are not retained or used for training.
Voyage AI
United StatesPurpose: Embedding generation for the rule corpus
Data accessed: No customer-submitted content. Embeddings are computed only over our own SEC rule corpus, not over your drafts.
Clerk
United StatesPurpose: Authentication and session management
Data accessed: Email address, name, hashed credentials, IP and user-agent for session security.
Stripe
United StatesPurpose: Subscription billing and customer portal
Data accessed: Email address, billing name, payment method (held by Stripe — we never see card numbers), subscription status.
Resend
United StatesPurpose: Transactional email (sending) and inbound email forwarding
Data accessed: Recipient email address, message body of transactional emails (e.g. quota-warning notices, trial-ending notices, team invitations).
Vercel
United States (primary), global edge cachePurpose: Application hosting and edge network
Data accessed: All HTTP request metadata (IP, path, user-agent, timestamps). Encrypted database traffic transits Vercel’s network but Vercel does not have access to plaintext database contents.
Supabase
Canada (ca-central-1)Purpose: Managed Postgres database (with pgvector for corpus retrieval)
Data accessed: All persisted application data: account records, firm records, submitted drafts, review results, audit-event chain.
Sentry
United StatesPurpose: Error monitoring and performance tracing
Data accessed: Stack traces, request metadata, user id (Clerk id, never email body or draft text). PII is filtered out of error payloads before transmission.
PostHog
United StatesPurpose: Product analytics (page-views, feature usage)
Data accessed: Anonymous distinct id, event names, page paths. We do not send draft text, review results, or other content to PostHog.
Google LLC
United States (primary), global edgePurpose: Web analytics (Google Analytics 4) and ad conversion measurement (Google Ads, including Enhanced Conversions for Web). Loaded only after the visitor grants analytics or marketing consent under Google Consent Mode v2.
Data accessed: Anonymous client identifier, page paths, event names, and aggregate device/region metadata. For Enhanced Conversions: hashed (SHA-256) email submitted via the public waitlist form, only when marketing consent has been granted. No plaintext PII, draft text, or review results are shared.
Notes
- PII auto-redaction. Before draft text leaves our infrastructure for the Anthropic reviewer call, the application substitutes detected SSNs, email addresses, and phone numbers with same-length placeholders. The redaction is reversed only when rendering the result back to you.
- Customer drafts are not used to train any model. Reviewer calls run with Anthropic Zero Data Retention enabled.
- Production database (Supabase) is hosted in Canada (ca-central-1). All other listed sub-processors host customer-touching data in the United States.
Questions: support@safetopublish.com.