Last updated: May 16, 2026
A subprocessor is a third-party service provider that Proveo engages to process personal data on our behalf in order to provide the Service. Engaging a subprocessor is permitted under our Data Processing Addendum (DPA) and under Article 28 of the GDPR. We choose subprocessors that provide sufficient guarantees to implement appropriate technical and organisational measures, and we remain responsible to you for their performance of data-protection obligations.
The following subprocessors are engaged across all of Proveo's product features. Data residency reflects the primary processing region; some providers may replicate data globally for redundancy. Certifications are self-reported by each vendor and current to the best of our knowledge.
| Subprocessor | Purpose | Data Processed | Primary Location | Key Certifications |
|---|---|---|---|---|
| Supabase Inc. | Database, authentication, file storage, realtime | Account profile, photos, comparisons, leads, all app database tables | United States (AWS us-east-1) | SOC 2 Type II, HIPAA |
| Stripe, Inc. + Stripe Connect | Subscription billing, Stripe Connect for contractor payouts | Billing details, payment-method tokens, business identity (Connect) | United States, EU | PCI DSS Level 1, SOC 1/2 |
| Cloudinary Ltd. | Image processing, composite generation, CDN delivery | Uploaded before/after photos and generated composite images | United States, EU | SOC 2 Type II, ISO 27001 |
| OpenAI, L.L.C. | AI auto-detect, photo-enhancement hints, captions, voice transcription (Whisper) | Photos submitted for AI analysis; voice clips submitted for transcription. Per OpenAI policy, API content is not used to train OpenAI models. | United States | SOC 2 Type II |
| Anthropic, PBC | Drafting and assistant features (Claude API) | Prompts and text content you submit to drafting features. Per Anthropic policy, API content is not used to train Anthropic models. | United States | SOC 2 Type II |
| Resend | Transactional email — lead notifications, review requests, agreements, quotes | Recipient name, email, message body | United States | SOC 2 Type II |
| Vercel Inc. | Application hosting, edge network, Web Analytics, Speed Insights | Server logs, IP address (for security and edge routing), anonymous pageview events | Global edge (primary: United States) | SOC 2 Type II, ISO 27001 |
| Functional Software, Inc. (Sentry) | Error monitoring and performance tracing | Stack traces, breadcrumbs, request metadata. We scrub personal data before transmission. | United States, EU | SOC 2 Type II, ISO 27001 |
| Google LLC (Google Ads) | Google Ads conversion measurement (gtag.js) | IP address, ad-click identifiers, conversion event timestamps. We do not share email or phone with Google. | United States, EU | ISO 27001/27017/27018, SOC 2/3 |

Most of our subprocessors are based in the United States. For personal data of individuals in the European Economic Area, United Kingdom, or Switzerland, we rely on the European Commission's Standard Contractual Clauses (2021/914) and, where applicable, the UK Addendum (IDTA). The European Commission's adequacy decision for the EU-US Data Privacy Framework (DPF) also covers transfers to DPF-certified vendors. Vendor-specific status is reflected in their published privacy notices.
Before we engage a new subprocessor that will have access to your personal data, we will update this page and, for customers who have requested it, send an email notice at least thirty (30) days in advance. You may object to a new subprocessor on reasonable data-protection grounds during that period; if we cannot accommodate the objection, you may terminate the affected portion of the Service.
To receive email notifications when this list changes, write to privacy@proveohq.com. See our Data Processing Addendum.