Sub-processors
Last updated: March 11, 2026
SOSCO engages the following third-party sub-processors to deliver its services. This list is provided in compliance with our Data Processing Agreement and GDPR Article 28. We will notify enterprise customers of changes to this list at least 14 days in advance via email or in-app notification.
Questions? Email us at legal@sosco.io.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database hosting (PostgreSQL), authentication-adjacent storage, and private evidence file storage. Data: User and company data, conversations, assessments, audit logs, canonical evidence metadata, and private evidence files | European Union (AWS eu-west-1, Ireland) | DPA + EU hosting |
| Vercel | Application hosting and serverless functions. Data: Application requests, logs | Global edge/application infrastructure | SCCs where applicable |
| Sentry | Error tracking and performance monitoring. Data: Error events, stack traces, request metadata, and diagnostic context | European Union or United States (depending on project configuration) | DPA + SCCs where applicable |
| PostHog | Product analytics (usage data only, with user consent). Data: Usage events and session analytics, subject to cookie consent controls | European Union (eu.posthog.com) | EU hosting + consent-gated |
| Resend | Transactional email delivery (verification, notifications). Data: Email address, email content | United States | SCCs |
| Google Gemini API | AI language model processing (compliance analysis features). Data: Prompts, document excerpts, and generated outputs submitted when AI features are used | United States | SCCs + API data processing terms |
| Pinecone | Vector search for regulatory retrieval and RAG features. Data: Regulatory corpus embeddings and retrieval metadata | United States or cloud region selected for the index | DPA + SCCs where applicable |
| UploadThing | Legacy and specialised file-upload handling. Data: Profile images, certification/report/VSME documents, pilot evidence, support attachments, and supplier uploads where the flow still uses UploadThing | United States | SCCs |
| Upstash | Redis-backed rate limiting when enabled. Data: Rate-limit keys and request counters | Cloud region selected for Redis database | DPA + SCCs where applicable |
| Polar.sh | Payment processing and subscription management. Data: Billing information, subscription status | United States | SCCs |
Definitions: "SCCs" = Standard Contractual Clauses adopted by the European Commission under GDPR Art. 46(2)(c). "EU hosting" = data stored and processed exclusively within the European Economic Area. "DPA" = Data Processing Agreement with the sub-processor.