Sub-processors
Last updated: March 11, 2026
SOSCO engages the following third-party sub-processors to deliver its services. This list is provided in compliance with our Data Processing Agreement and GDPR Article 28. We will notify enterprise customers of changes to this list at least 14 days in advance via email or in-app notification.
Questions? Email us at legal@sosco.io.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Supabase | Database hosting (PostgreSQL) and infrastructure Data: All user and company data, conversations, assessments | European Union (AWS eu-west-1, Ireland) | DPA + EU hosting |
| Vercel / Railway / Render | Application hosting and serverless functions Data: Application requests, logs | European Union or United States (depending on deployment target) | SCCs where applicable |
| PostHog | Product analytics (usage data only, with user consent) Data: Anonymous usage events — only if analytics consent granted | European Union (eu.posthog.com) | EU hosting + consent-gated |
| Resend | Transactional email delivery (verification, notifications) Data: Email address, email content | United States | SCCs |
| Anthropic | AI language model processing (compliance analysis features) Data: Documents and text submitted for AI analysis — no personal data included by default | United States | SCCs + API data processing terms |
| UploadThing | File storage for user-uploaded assets Data: Files uploaded by users (profile images, documents) | United States | SCCs |
| Polar.sh | Payment processing and subscription management Data: Billing information, subscription status | United States | SCCs |
Definitions: "SCCs" = Standard Contractual Clauses adopted by the European Commission under GDPR Art. 46(2)(c). "EU hosting" = data stored and processed exclusively within the European Economic Area. "DPA" = Data Processing Agreement with the sub-processor.