Sub-processors — Contractor Co-Pilot (contractor-co-pilot.com)
Scope: Authoritative registry of third-party subprocessors that process customer personal data on behalf of Contractor Co-Pilot (the product) in connection with the service described at https://contractor-co-pilot.com. This file is markdown in-repo (diffable, version-controlled). It is not the full privacy policy; the live policy is hosted via Termly on the marketing site.
Effective date: 2026-04-26
Last reviewed: 2026-04-26
Related documents
- Termly policy audit (LEGAL-01): see `docs/agent-context/audits/termly-policy-audit-2026-04-27.md` in the repository (privacy / cookie / disclosure alignment)
- Compliance packet (AT-05, PR #408): `docs/legal/compliance/data-flow-inventory.md`, `docs/legal/compliance/third-party-processors.md`, `docs/legal/compliance/gdpr-mapping.md`, `docs/legal/compliance/ccpa-mapping.md`
- Internal runbooks: `docs/runbooks/secret-rotation.md`, `docs/runbooks/incident-response-sop.md`
- Acceptable Use Policy (LEGAL-03): `/legal/acceptable-use`
Termly (policy hosting): Canonical consumer-facing privacy, terms, and cookie notices are loaded from Termly embeds on public routes (e.g. /privacy). Matthew + counsel own Termly wording; this registry should stay consistent with those disclosures once Termly references this URL.
Consumer URL for this registry: /legal/sub-processors (canonical; LEGAL-02 / PR #470 pattern).
1. Definitions
- Sub-processor: A vendor that processes personal data on our instructions in order to provide the SaaS (typical Art. 28 / “service provider” style relationship where applicable).
- Customer data: Data our customers and their users submit to or generate in the product, including account identifiers, project and business records, and content sent to integrated services (e.g. AI prompts, emails for delivery, documents for e-sign).
Geographic labels below are primary / typical processing locations for the vendor’s service as commonly configured; confirm project region (e.g. Supabase) and enterprise contract exhibits for diligence.
2. Sub-processor register
| Legal name (service) | Purpose on behalf of CC | Categories of customer data typically shared | Primary processing location (typical) | DPA / processor terms (public) |
|---|---|---|---|---|
| Stripe, Inc. (Stripe Payments, Billing, Tax where used) | Payment processing, subscription billing, tax calculation, Connect payouts where enabled | Billing contact details; customer/org identifiers; payment method tokens and transaction metadata (not full card numbers) | United States (global infrastructure; default US-oriented stack) | Stripe DPA — public DPA available; signed exhibit via Stripe Dashboard where required |
| Clerk, Inc. | Authentication, session management, organization membership, MFA | Email, name, auth identifiers, session tokens, security metadata (e.g. device / IP signals per Clerk policy) | United States | Clerk Data Processing Agreement — public DPA available |
| Supabase, Inc. (hosted Postgres + Storage) | Primary application database and file/object storage | Broad: application data including PII, financial/project content, uploads, audit-related records per app configuration | Region of Supabase project (confirm production project; often United States for US deployments) | Supabase DPA — public DPA available |
| Vercel Inc. | Application hosting, serverless / edge runtime, platform logs | Request/response metadata, environment configuration, build artifacts; may include URLs or identifiers in logs depending on traffic | United States (primary); edge PoPs global for delivery | Vercel DPA — public DPA available |
| DocuSign, Inc. | Electronic signature workflows for documents initiated in-product | Signer identity, email, agreement metadata, document content for envelopes tied to customer workflows | United States (contract-dependent; confirm account / region) | DocuSign Trust / agreements — DPA and subprocessors via DocuSign agreement center / account (counsel / procurement for executed exhibit) |
| OpenAI, LLC | LLM inference for product AI features | User prompts, document excerpts, model outputs; may include PII or business content as users submit it | United States (API default regions; confirm org OpenAI settings) | OpenAI data processing addendum — public terms; enterprise DPA path via OpenAI account where applicable |
| Anthropic PBC | LLM inference for product AI features | Same category as OpenAI — prompts and completions may reflect customer-submitted content | United States | Anthropic commercial terms / DPA references — public legal hub; confirm signed flow with Anthropic for enterprise |
| PostHog, Inc. | Product analytics and (if enabled) session replay | Pseudonymous identifiers, event payloads, replay segments; may include PII if sent in custom properties | United States (confirm NEXT_PUBLIC_POSTHOG_HOST deployment) | PostHog DPA — public DPA available |
| Resend, Inc. | Transactional and product email delivery | Recipient email, message subject/body, delivery events | United States | Resend DPA — public DPA available |
Counsel note — DPA execution: Public URLs above are vendor standard processor terms. Whether a separately countersigned DPA is required for a given customer is contract-specific (see LEGAL-05 / procurement), not determined by this registry alone.
3. Change control
Updates follow the same discipline as the rest of docs/legal/ and the AT-05 packet:
- PR required to add/remove a row or materially change data categories / locations.
- Notify customers with active DPAs per the commitment in your DPA template / LEGAL-05 (typically 30-day advance notice for new sub-processors unless security-critical).
- Re-sync Termly if the privacy policy lists vendors or points at this registry — avoid drift between Termly and git.
The authoritative editorial copy also lives under docs/legal/sub-processors.md; keep src/content/legal/sub-processors.md in sync when counsel updates the register.
4. Engineering alignment note (read-only code scan)
A read-only scan of src/** shows additional vendors that may process customer-related data (e.g. Sentry error reporting, Upstash Redis / QStash, Svix webhook verification, Mapbox geocoding). Those are detailed in docs/legal/compliance/third-party-processors.md. They are not duplicated in the table above where this deliverable matched the LEGAL-01 / pre-launch processor set requested for counsel review; if any of those remain in production for customer tenants, they must appear in the consumer-facing registry and Termly disclosures — treat as [P1] gap until aligned.