Compliance

Subprocessors

Third parties that process customer data on our behalf, what they do, and where. Required by our DPA and most enterprise vendor onboarding programs.

Customers on a signed DPA receive 30 days’ notice via email for material changes (new subprocessor or data category). Last updated 2026-05-08.

Production processors

  • Vultr

    USA · New Jersey

    Application hosting (Postgres + Next.js container)

    • All customer data at rest
    • Application logs
    • Encrypted database backups
    Their DPA / privacy →
  • Cloudflare

    Global edge

    DNS, edge cache, DDoS shield, email routing

    • DNS queries
    • Request metadata (IP, UA, path)
    • Inbound email envelopes (forwarded, not stored)
    Their DPA / privacy →
  • Stripe

    USA

    Subscription billing + payment processing

    • Customer billing email + name
    • Card data (Stripe-tokenized — never touches our infra)
    • Subscription / invoice metadata
    Their DPA / privacy →
  • Resend

    USA

    Transactional email delivery (alerts, digests, onboarding)

    • Recipient email address
    • Email subject + HTML body
    • Send + delivery metadata
    Their DPA / privacy →
  • Anthropic

    USA

    AI model inference for OCR, document classification, SOP parsing, /ask

    • Document text + images submitted for AI processing
    • User prompts + AI responses
    Their DPA / privacy →
  • Twilio

    USA

    SMS alerts (gated on TWILIO_FROM env var; currently mock in many deployments)

    • Recipient phone number
    • Message body
    • Delivery metadata
    Their DPA / privacy →
  • GitHub

    USA

    Source control + CI/CD pipelines (no production customer data)

    • Source code only
    • No production database access
    Their DPA / privacy →

Marketing-site-only analytics

  • Google Analytics 4 (Marketing site only)

    USA

    Pageview analytics on the public marketing site

    • Pageview events on /, /pricing, /blog, /api-docs (public pages)
    • Anonymized IP
    • Referrer + UTM
    Their DPA / privacy →
  • Meta Pixel (Marketing site only — opt-in cookie banner)

    USA

    Conversion tracking for paid ads (when running)

    • Pageview events on public pages only
    • No dashboard data
    Their DPA / privacy →

What about $X?

Categories you may have noticed are missing because we deliberately don’t use them:

  • Salesforce / HubSpot CRM — we use a custom internal dashboard at ai.portofcams.com. No customer data is mirrored there.
  • Zapier / Segment — not used. Webhook events go directly to customer-configured destinations.
  • Datadog / NewRelic — not used. Sentry handles errors; we don’t ship metrics to a third party.
  • Cloudflare R2 / AWS S3 — gated on env var. When enabled, R2 will be added to this list with prior notice; until then, photos are stored as data URLs in Postgres at Vultr.

Email privacy@binnacleai.com for questions or to request the signed DPA template.
