Sub-Processors
Last updated: April 19, 2026
Rootlab LLC engages the third parties listed below to deliver the Attevera readiness operating platform. This list is maintained to support our Data Processing Agreement and Privacy Policy.
Change notification
We provide at least 30 days' advance notice before engaging a new sub-processor that will process personal data. Customer admins on file are notified by email and this page is updated. You may object to a new sub-processor during the notice period by contacting support@attevera.com; if no objection is raised, the new sub-processor is deemed approved under DPA §4.
Current sub-processors
Each of the following third parties is engaged under a Data Processing Agreement and, where data leaves the EU/EEA, the European Commission's 2021 Standard Contractual Clauses supplemented by the EU–US Data Privacy Framework where the sub-processor is certified under it.
Supabase
Supabase Inc.
- Purpose
- Database (Postgres), authentication, and evidence-file storage.
- Data processed
- Workspace records, AI system data, authentication credentials, evidence file content, audit-log entries.
- Data subjects
- Customer users and data subjects referenced in evidence entered by the customer.
- Storage region
- EU West (Ireland)
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification for US support access.
- Notes
- Sub-sub-processor: AWS, per Supabase's own sub-processor list.
Stripe
Stripe, Inc.
- Purpose
- Subscription billing, invoicing, and payment processing.
- Data processed
- Billing contact name, email, company name, card summary (last 4 + brand), payment events, tax identifiers.
- Data subjects
- Customer billing contacts.
- Storage region
- United States (primary); EU/EEA processing via Stripe's EU entity where applicable.
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification.
- Notes
- Attevera never stores full payment card numbers.
Sentry
Functional Software, Inc.
- Purpose
- Error monitoring. Error-only diagnostic replay with input masking; sampled session replay is disabled.
- Data processed
- Stack traces, URL, user id, and a short masked DOM replay captured only when a session errors.
- Data subjects
- Customer users whose session experiences an error.
- Storage region
- United States
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification.
- Retention
- 90 days rolling.
Resend
Plus Five Five, Inc.
- Purpose
- Transactional email delivery — account-lifecycle mail (password reset, email confirmation, invitations) and product emails sent when a user requests classification or assessment results be delivered to them.
- Data processed
- Recipient email address, sender identity, message subject and body, delivery metadata, and (when Attevera enables tracking) IP address, user agent, and opens/clicks. Attevera disables open and click tracking by default.
- Data subjects
- Attevera account holders, users invited to an Attevera workspace, and people who request a classifier or assessment result by email from the public tools.
- Storage region
- United States (primary processing per Resend DPA §6.1); EU region used for mail routing where configured.
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification. Governing law: Ireland.
- Retention
- Deleted within 90 days of account termination.
- Notes
- Signed DPA on file, 12/31/2025 revision. Sub-sub-processors per resend.com/legal/subprocessors.
LinkedIn Ads
LinkedIn Corporation
- Purpose
- Advertising measurement and retargeting on LinkedIn. Loaded on public marketing pages only, gated behind Cookiebot marketing-cookie consent. Never loaded inside the authenticated product.
- Data processed
- Pseudonymous cookie identifiers (bcookie, bscookie, li_sugr, UserMatchHistory), URL, referrer, and event type at the moment a visitor accepts marketing cookies. No workspace content, no form inputs, no email addresses.
- Data subjects
- Visitors to Attevera public marketing pages who accept marketing cookies.
- Storage region
- United States (contracting entity); EEA member data is additionally handled by LinkedIn's Irish entity per LinkedIn's own internal structure.
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification.
- Retention
- LinkedIn's default cookie lifetimes apply (bcookie ~1 year, UserMatchHistory ~30 days).
- Notes
- Never loaded inside the authenticated product. Consent-gated; if the visitor rejects marketing cookies the tag never executes and no data is sent.
Google Ads
Google LLC
- Purpose
- Advertising measurement, conversion tracking, and remarketing on Google Ads. Loaded on public marketing pages only, gated behind Cookiebot marketing-cookie consent with Google Consent Mode v2 defaults set to denied. Never loaded inside the authenticated product.
- Data processed
- Pseudonymous cookie identifiers (_gcl_au, _gcl_aw, _gcl_dc, and — post-consent — NID, IDE), URL path, referrer, Google click identifier (gclid) where present, and conversion event signals. No workspace content, no form inputs, no email addresses.
- Data subjects
- Visitors to Attevera public marketing pages who accept marketing cookies.
- Storage region
- United States (contracting entity); EEA member data is additionally handled by Google Ireland Limited per Google's own internal structure.
- Transfer mechanism
- Google's 2021 SCCs + EU–US Data Privacy Framework certification.
- Retention
- Google's default cookie lifetimes apply (_gcl_* ~90 days, NID / IDE up to ~13 months).
- Notes
- Google Consent Mode v2 defaults (ad_storage, ad_user_data, ad_personalization, analytics_storage) are set to 'denied' before consent. Cookiebot upgrades them to 'granted' only after the visitor accepts marketing cookies. Never loaded inside the authenticated product.
Vercel
Vercel Inc.
- Purpose
- Application hosting, content delivery, cookieless Vercel Web Analytics, and anonymous Vercel Speed Insights (Core Web Vitals) for the Attevera platform and public marketing pages.
- Data processed
- Request metadata (IP address, URL, user agent), build and deploy logs, Vercel Web Analytics events (URL path, referrer, country-level geo, browser/OS family, and a daily-rotating salted hash of IP+user-agent used only for same-day visitor deduplication), and Vercel Speed Insights samples (anonymous Core Web Vitals metrics — LCP, CLS, INP, FCP, TTFB — with URL path and device family, no persistent identifier).
- Data subjects
- Visitors to Attevera public pages and authenticated Attevera users.
- Storage region
- EU (primary edge + origin regions) with analytics and Speed Insights aggregation in the United States.
- Transfer mechanism
- 2021 SCCs Module 2 + EU–US Data Privacy Framework certification.
- Retention
- Analytics events retained for 30 days; Speed Insights samples aggregated and retained per Vercel's policy; access/build logs per Vercel's retention policy.
- Notes
- Vercel Web Analytics and Speed Insights are both cookieless and do not track visitors across sites. Sub-sub-processors per vercel.com/legal/subprocessors.
Contact
Questions about this list, or to object to a proposed new sub-processor during the 30-day notice period, contact support@attevera.com. For the formal processor commitments, see our Data Processing Agreement.