/ trust / subprocessors
subprocessor register
last updated: may 19, 2026 · subscribe to updates: follow material vendor changes via the public changelog (email sign-up planned).
tl;dr — vendors that process personal data on behalf of whitelabel.dev customers. columns align with our dpa schedule: name, processing role, data categories, primary region, public contract/trust artefact link, and last security & commercial review date. for the high-level trust overview, see whitelabel.dev/trust.
/01 subprocessors
each row corresponds to one material subprocessor engaged as of publication. anthropic sits on the platform default inference path where configuration supplies the key; openai applies only where a customer configures byok to route traffic to openai.
| contract url | |||||
|---|---|---|---|---|---|
| supabase | database, object storage, authentication, realtime subscriptions | customer account & profile data; application content stored in postgres and storage buckets; auth identifiers and tokens | us-east (primary compute & storage) | data processing agreement | |
| vercel | application hosting, builds, routing, serverless runtime, edge middleware | HTTP request metadata and transient payloads handled during page and api delivery; CI logs where applicable | us-east (primary); edge executes globally per request routing | data processing agreement | |
| resend | transactional email delivery | recipient email addresses, subject lines, plaintext & html bodies for transactional messages (invitations, notices) | united states | dpa overview | |
| sentry | error monitoring across web, worker, extension, and mobile clients | stack traces and diagnostic context with PII minimized via sentry scrubbing rules | united states | dpa hub | |
| anthropic | AI inference provider on the configured default inference path when keys are supplied for model access | prompts and model outputs routed through anthropic apis from tenant-controlled keys or product configuration per workspace tier | united states | commercial & data terms | |
| openai | AI inference routed through openai apis only where a customer configures byok | prompts and completions sent only when tenants supply their openai credential; operator-managed tenant inference does not rely on hosted openai keys | united states | data processing addendum | |
| oauth 2 identity provider for “sign in with google” flows | oauth profile surfaced after consent — typically email display name avatar url as authorised by end user consent | global (controlled by google’s identity infrastructure) | Google order form & dpa tooling |
objections to new or expanded processing follow the pathway described alongside our trust programme — contact privacy@whitelabel.dev within the documented notice window.