sub-processors.
Every third party that may process personal data on behalf of VCEye is listed below. We notify Customers of any changes with at least 30 days' notice.
| Processor | Purpose | Location | Transfer mechanism | Privacy |
|---|---|---|---|---|
| Supabase | Database, authentication, object storage, real-time | EU (Frankfurt, eu-central-1) | Intra-EU, no transfer | policy → |
| Vercel | Application hosting, serverless functions, edge network | Global edge; primary EU regions | EU SCCs where non-EU egress occurs | policy → |
| Anthropic | LLM inference for AI Concierge and scan-enhancement analysis | United States | EU Standard Contractual Clauses (2021/914) | policy → |
| OpenRouter | Optional alternative LLM routing for cost optimisation | United States | EU Standard Contractual Clauses | policy → |
| Polar | Merchant of Record for payments, invoicing, VAT handling | United States (with EU sub-processors) | EU Standard Contractual Clauses | policy → |
| Resend | Transactional email delivery (audit ready, alerts, digests) | EU | Intra-EU, no transfer | policy → |
| Sentry | Error tracking, performance monitoring (only with consent) | EU region | Intra-EU where EU region is selected | policy → |
| HeyGen | AI-powered dubbing of the 20-min audit walkthrough video to the customer language | United States | EU Standard Contractual Clauses | policy → |
| GitHub | Code hosting of the Customer; read-only access via GitHub App | United States | Customer is already Controller of their repo; VCEye accesses under the Customer GitHub contract | policy → |
changes & objections
New sub-processors are announced via email to active Customers and updated on this page at least 30 days before they start processing. Customers may object on reasonable grounds; if unresolved, the affected service can be terminated with pro-rata refund of prepaid amounts.