[[ … ]] placeholders.Third parties that process personal data on our behalf to deliver ISOXPERT Compliance360:
| Sub-processor | Purpose | Data categories | Location | Transfer basis |
|---|---|---|---|---|
| Supabase | Database, authentication, hosting | All application data (account, employee, compliance, audit logs) | [[region]] | [[SCCs / adequacy]] |
| Google (Gemini API) | AI drafting & analysis | Compliance content submitted to AI features | US / global | SCCs; paid API data not used for training |
| Stripe | Billing & payments | Org, plan, subscription metadata; card data handled by Stripe | US / global | SCCs |
| Vercel | App hosting / serverless functions | Request data in transit; environment secrets | US / global | SCCs |
| ERP integrations (SAP / Oracle / Odoo) | Optional customer-enabled data sync | Employees, customers, suppliers, products, assets, NCRs | Customer-controlled | Per customer's own agreements |
We notify customers before adding a new sub-processor, per our Data Processing Agreement.