A sub-processor is a third party that processes customer data on our behalf in the course of delivering our services. Naming them in public is a commitment: customers should never have to guess which companies can, in theory, touch their data. This page is the authoritative list.
We keep the list short on purpose. Every sub-processor is reviewed for security posture, compliance history, and operational fit before it is introduced. When a new sub-processor is added, we notify customers with enough time to raise concerns before the change takes effect.
Our commitment to notify customers
We notify customers of any material change to this list — additions, removals, or changes to the categories of data processed — at least thirty days before the change takes effect. Notifications are sent by email to the address on file and published here on the same day they go out. Customers on the notification list can object to a proposed change and discuss it with us through the process described in their Data Processing Addendum.
To receive these notifications, email privacy@neuraphic.com with the subject "Sub-processor notifications" and the primary contact email for your organization. Subscribing is free and does not require a paid plan.
Current sub-processors
Google Cloud Platform. Google LLC. Core hosting provider for our production infrastructure — compute, managed databases, object storage, and networking. Data categories: customer account data, application data, service logs. Regions: United States (primary), European Union (rolling out). Data Processing Addendum: available at cloud.google.com/terms/data-processing-addendum.
Cloudflare. Cloudflare, Inc. Edge network provider — TLS termination, DDoS protection, CDN for static assets, and edge compute. Data categories: request metadata (IP address, user agent, timing), cached public assets. Cloudflare does not store application database contents. Regions: global edge network. Data Processing Addendum: available at cloudflare.com/cloudflare-customer-dpa.
Resend. Resend, Inc. Transactional email delivery — account verification, password reset, security notifications, and product emails. Data categories: recipient email address, message content, delivery metadata. Region: United States. Data Processing Addendum: available at resend.com/legal/dpa.
GitHub. GitHub, Inc. (a subsidiary of Microsoft Corporation). Source control for our application code and documentation. Customer content is not stored in GitHub; the relevance here is that GitHub hosts the code that runs the service and the workflows that deploy it. Data categories: employee access logs, build metadata. Region: United States. Data Processing Addendum: available at github.com/customer-terms/github-data-protection-agreement.
How to request a DPA
Customers acting as data controllers under the GDPR, the UK GDPR, or equivalent frameworks may sign a Data Processing Addendum with us. Our DPA incorporates standard contractual clauses for international transfers where those are required and reflects the sub-processor list on this page.
To request a DPA, email legal@neuraphic.com with your company's legal name, the jurisdictions in which you operate, and the products you use. We will return a counter-signed copy suitable for your records.
Questions about sub-processors
Questions about a specific sub-processor, its role, or the data it processes can be sent to privacy@neuraphic.com. Procurement teams are welcome to reference this page in their vendor reviews; we will answer follow-up questions in writing for the record.