App Subprocessors
App Subprocessor List
Business Pulse OS — app.businesspulseos.com
Version: v1.1
Effective date: 2026-05-12
This list discloses every third-party service ("subprocessor") that processes personal data on the Business Pulse OS application. A separate Website Subprocessor List (L3) covers the marketing site at businesspulseos.com.
When a new subprocessor is added, an in-app banner surfaces on your next login. If the addition is a material change (new data category, new country of processing, new data class like AI training), re-consent is required before you can continue using the Platform.
Current subprocessors
| Vendor | Purpose | Data categories | Location | Certifications / safeguards |
|---|---|---|---|---|
| Supabase Inc. | Primary database, authentication, file storage, realtime | All Platform data: profiles, Client content, documents, audit logs | EU (Frankfurt) | SOC 2, HIPAA-ready; DPA |
| Vercel Inc. | Application hosting, edge delivery, deployment | IP address, request metadata, server logs | USA + EU edge | SOC 2, ISO 27001; DPA + SCCs + EU-US Data Privacy Framework |
| Anthropic PBC | AI generation (Claude) for summaries, drafts, analysis | Content passed to prompts (document excerpts, notes, questions) | USA | SCCs + EU-US DPF. Contractual ban on training. Zero Data Retention target (see OQ-F35-1). |
| Together AI, Inc. | Vector embeddings for the per-client Knowledge Base (multilingual-E5-large-instruct, 1024-dim). Embeddings power semantic retrieval against uploaded document content. | Chunk text derived from your uploaded documents (sent for embedding only, not retained beyond response generation per Together's standard API terms) | USA | SCCs + EU-US DPF. No model training on customer inputs. Re-evaluation triggers in docs/requirements/F04_Knowledge_Base.md §12.9. |
| Unstructured.io | Document text extraction when native extraction fails | Document bytes, extracted text | USA | SCCs + DPF. Zero-retention mode enforced. |
| AssemblyAI | Audio and video transcription (S-09 pipeline) | Audio/video bytes, transcripts | EU endpoint (api.eu.assemblyai.com) | EU-only processing. US endpoint prohibited. |
| Trigger.dev | Background job orchestration (ingestion, long-running work) | Job metadata, document IDs; no Client content itself | EU | DPA |
| Nodemailer via SiteGround | Outbound email (transactional: invites, notifications, receipts) | Recipient email, message body | EU (Netherlands) | GDPR-compliant; DPA |
| Stripe Inc. | Billing and payment processing (Tier 1 subscription fees) | Billing name, company, VAT, payment method (card tokenised by Stripe) | USA | PCI-DSS Level 1, SOC 1/2; DPA + SCCs + DPF |
Rules about this list
- Every new vendor is added before going live. No data flows to an undisclosed vendor.
- Material changes trigger re-consent. You see an in-app banner and must accept the new version before continuing to use the Platform.
- Minor changes (corrections, rewording, adding a second data center in the same country) are announced via in-app banner but do not require re-consent.
- Removed vendors stay visible in the changelog below for 2 years so you can audit historic subprocessor chains.
- Objection rights. If you object to a specific subprocessor, contact privacy@businesspulseos.com. We work with you to find an alternative; if none is feasible, you may cancel and invoke the 90-day data-deletion grace period.
Changelog
- 2026-05-12 v1.1 — Added Together AI (USA) for vector embeddings on the per-client Knowledge Base. Not a material change per these rules (no new data category, no new country of processing, no new data class — already-disclosed document content sent for embedding only). In-app banner notification on next login; no re-consent required.
- 2026-04-21 v1.0 — Initial publication: Supabase, Vercel, Anthropic, Unstructured.io, AssemblyAI (EU), Trigger.dev, SiteGround SMTP, Stripe.