Subprocessors

Third parties we share customer data with as part of operating the platform. We keep this list current; the last 5 changes are in /changelog.

Notification policy: we email all active customer-account admins at least 30 days before adding a new subprocessor that processes lead or personal data.

Vercel

Application hosting (frontend, API routes, cron jobs)
Global edge; primary US-East

Data shared: All HTTP requests + response bodies in transit. No persistent storage.

Posture: SOC 2 Type II, ISO 27001, GDPR-ready

Supabase

Postgres database + authentication + file storage
us-west-2 (Oregon)

Data shared: Customer dojo records, leads, billing metadata, content snapshots, audit logs

Posture: SOC 2 Type II, GDPR-ready, HIPAA-eligible (paid)

Stripe

Payment processing, subscriptions, billing portal
Global (per Stripe data residency policy)

Data shared: Customer email, billing address, payment method tokens. We never see card numbers.

Posture: PCI DSS Level 1, SOC 1 + 2, GDPR-ready

Resend

Transactional + marketing email delivery
US (Resend's AWS us-east-1)

Data shared: Recipient email + email body content (lead notifications, magic links, NPS surveys, etc.)

Posture: SOC 2 Type II in progress, GDPR-ready

Twilio

SMS delivery + optional phone provisioning
Global

Data shared: Recipient phone number + message content. Only for dojos with SMS SKU active.

Posture: SOC 2 Type II, ISO 27001, GDPR-ready, HIPAA-eligible

Anthropic

Claude API — site generation, ad assistant, AI editor
US

Data shared: Prompt text (which includes dojo content + ad metadata). Outputs are stored in our DB, not Anthropic's, per default settings.

Posture: SOC 2 Type II, GDPR-ready. Default zero data retention on Claude API. No training on customer data by default.

Google Cloud (Google Ads + GA4 APIs)

Ad spend + analytics reporting (read-only OAuth)
Per dojo's existing Google account region

Data shared: OAuth refresh token, ad account read scope. We pull metrics; we don't push customer data to Google.

Posture: SOC 2, ISO 27001, GDPR-ready

Meta (Facebook + Instagram Ads APIs)

Ad spend + audience metrics (read-only OAuth)
US

Data shared: OAuth refresh token, ad account read scope. We pull metrics; we don't push customer data to Meta.

Posture: Per Meta Business Tools terms