Sub-Processors
Last updated: April 19, 2026
Rootlab LLC engages the third parties listed below to deliver the Attevera readiness operating platform. This list is maintained to support our Data Processing Agreement and Privacy Policy.
Change notification
We provide at least 30 days' advance notice before engaging a new sub-processor that will process personal data. Customer admins on file are notified by email and this page is updated. You may object to a new sub-processor during the notice period by contacting support@attevera.com; if no objection is raised, the new sub-processor is deemed approved under DPA §4.
Current sub-processors
Each of the following third parties is engaged under a Data Processing Agreement and, where data leaves the EU/EEA, the European Commission's 2021 Standard Contractual Clauses supplemented by the EU–US Data Privacy Framework where the sub-processor is certified under it.
Supabase
Supabase Inc.
- Purpose
- Database (Postgres), authentication, and evidence-file storage.
- Data processed
- Workspace records, AI system data, authentication credentials, evidence file content, audit-log entries.
- Data subjects
- Customer users and data subjects referenced in evidence entered by the customer.
- Storage region
- EU (Frankfurt)
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification for US support access.
- Notes
- Sub-sub-processor: AWS, per Supabase's own sub-processor list.
Stripe
Stripe, Inc.
- Purpose
- Subscription billing, invoicing, and payment processing.
- Data processed
- Billing contact name, email, company name, card summary (last 4 + brand), payment events, tax identifiers.
- Data subjects
- Customer billing contacts.
- Storage region
- United States (primary); EU/EEA processing via Stripe's EU entity where applicable.
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification.
- Notes
- Attevera never stores full payment card numbers.
Sentry
Functional Software, Inc.
- Purpose
- Error monitoring. Error-only diagnostic replay with input masking; sampled session replay is disabled.
- Data processed
- Stack traces, URL, user id, and a short masked DOM replay captured only when a session errors.
- Data subjects
- Customer users whose session experiences an error.
- Storage region
- United States
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification.
- Retention
- 90 days rolling.
Resend
Plus Five Five, Inc.
- Purpose
- Transactional email delivery — account-lifecycle mail (password reset, email confirmation, invitations) and product emails sent when a user requests classification or assessment results be delivered to them.
- Data processed
- Recipient email address, sender identity, message subject and body, delivery metadata, and (when Attevera enables tracking) IP address, user agent, and opens/clicks. Attevera disables open and click tracking by default.
- Data subjects
- Attevera account holders, users invited to an Attevera workspace, and people who request a classifier or assessment result by email from the public tools.
- Storage region
- United States (primary processing per Resend DPA §6.1); EU region used for mail routing where configured.
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification. Governing law: Ireland.
- Retention
- Deleted within 90 days of account termination.
- Notes
- Signed DPA on file, 12/31/2025 revision. Sub-sub-processors per resend.com/legal/subprocessors.
Vercel
Vercel Inc.
- Purpose
- Application hosting, content delivery, cookieless Vercel Web Analytics, and anonymous Vercel Speed Insights (Core Web Vitals) for the Attevera platform and public marketing pages.
- Data processed
- Request metadata (IP address, URL, user agent), build and deploy logs, Vercel Web Analytics events (URL path, referrer, country-level geo, browser/OS family, and a daily-rotating salted hash of IP+user-agent used only for same-day visitor deduplication), and Vercel Speed Insights samples (anonymous Core Web Vitals metrics — LCP, CLS, INP, FCP, TTFB — with URL path and device family, no persistent identifier).
- Data subjects
- Visitors to Attevera public pages and authenticated Attevera users.
- Storage region
- EU (primary edge + origin regions) with analytics and Speed Insights aggregation in the United States.
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification.
- Retention
- Analytics events retained for 30 days; Speed Insights samples aggregated and retained per Vercel's policy; access/build logs per Vercel's retention policy.
- Notes
- Vercel Web Analytics and Speed Insights are both cookieless and do not track visitors across sites. Sub-sub-processors per vercel.com/legal/subprocessors.
Contact
Questions about this list, or to object to a proposed new sub-processor during the 30-day notice period, contact support@attevera.com. For the formal processor commitments, see our Data Processing Agreement.