NEWRead
Trust · Subprocessors

The full list. Always current.

We publish every vendor that touches customer data - name, purpose, region, status. You get 30 days' advance notice before any new subprocessor is engaged, no email required to see who is on the list.

Subscribe to changesRead the DPA
Vendor registerv2026.Q2
VendorStatus
  • VercelA
  • AWSA
  • E2BA
  • ClerkA
  • ConvexA
Published registerPublic · auditable
At a glance

Where the register stands today.

A live snapshot of the vendors processing customer data on our behalf and how recently the list moved.

9
Active subprocessors
1
Pending additions
2026-05-17
Last updated
30 days
Advance notice
Our policy

Transparency, by default.

Public by default

Every subprocessor is named on this page. No NDA, no support ticket, no email gate. If we use them, you see them.

30-day advance notice

Before we engage a new subprocessor, customers get at least thirty days to review it, raise concerns, or object.

Right to object

If a proposed subprocessor doesn't work for you, you can object in writing. We will work with you on a remediation or honour your termination right under the DPA.

The list

All subprocessors processing customer data.

Filter by category or region. Click a vendor name to visit their public website. Status pills mark whether a vendor is live, pending or sunset.

VercelActive
InfrastructureSince · 2025-Q1
Purpose
Web hosting, edge functions, CDN.
Data categories
Account metadataMarketing analytics
Regions
USEU
AWSActive
InfrastructureSince · 2025-Q1
Purpose
Cloud compute, storage, networking.
Data categories
Customer code snapshotsRun logs
Regions
EU (Frankfurt)US (Virginia)
E2BActive
RuntimeSince · 2025-Q1
Purpose
Sandboxed Linux VMs for agent execution.
Data categories
Customer codeCommand output
Regions
EUUS
ClerkActive
IdentitySince · 2025-Q1
Purpose
Authentication, sessions, user records.
Data categories
EmailNameOAuth identifiers
Regions
USEU
ConvexActive
DatabaseSince · 2025-Q1
Purpose
Realtime application database.
Data categories
Account metadataWorkflow state
Regions
US
ResendActive
EmailSince · 2025-Q1
Purpose
Transactional and notification email.
Data categories
EmailName
Regions
USEU
SentryActive
ObservabilitySince · 2025-Q1
Purpose
Application error tracking.
Data categories
Error contextUser identifier
Regions
US
StripeActive
PaymentsSince · 2025-Q2
Purpose
Subscription billing and payment processing.
Data categories
EmailBilling addressPayment method
Regions
USEU
PostHogPending
ObservabilitySince · 2026-Q2
Purpose
Product analytics and session insights.
Data categories
Pseudonymous usage events
Regions
EU
AnthropicActive
RuntimeSince · 2025-Q2
Purpose
AI model inference (Claude family).
Data categories
PromptsGenerated outputs
Regions
US
Recent changes

Everything that moved on this page.

An append-only log of additions, removals and material changes. Anything new appears here at least thirty days before it ships.

  1. 2026-Q2AddedPostHog

    Pending addition - product analytics with EU residency.

  2. 2025-Q2AddedStripe

    Subscription billing rollout.

  3. 2025-Q2AddedAnthropic

    AI model inference for the Claude family.

  4. 2025-Q1AddedSentry

    Error tracking and release health.

  5. 2025-Q1AddedResend

    Transactional email delivery.

  6. 2025-Q1AddedConvex · Clerk · E2B

    Database, authentication and sandbox runtime onboarded together.

  7. 2025-Q1AddedVercel · AWS

    Core infrastructure platform at launch.

Stay informed

Get 30-day advance notice.

Drop us an email and we'll add you to the subprocessor notification list. You will hear from us only when this register is about to change.

Notification cadence: only when there are changes.

Subscribe to notificationsinfo@codecourier.dev
Vendor due diligence

How we vet every vendor before they land here.

A vendor only joins the register once it has cleared the same review every customer would run themselves.

Security review

We read the vendor's SOC 2 / ISO 27001 reports and confirm their posture matches the data category we will entrust to them.

DPA in place

A signed Data Processing Agreement covers every onboarded vendor before any production data moves.

Data residency check

We pin the processing region and confirm EU customer data stays in EU regions wherever the vendor supports it.

Insurance verification

We verify cyber liability cover sufficient to absorb a vendor-side incident and re-check it on contract renewal.

Backup coverage

We confirm backup, retention and restore capabilities so a vendor outage cannot become a customer-data outage.

Exit plan ready

Every vendor has a documented exit plan - export format, retention window, deletion confirmation - written before we sign.

Legal basis

Anchored in our DPA.

Engagement of subprocessors is governed by Article 28(2)–(4) GDPR and Section 5 of our DPA. We rely on prior general written authorisation paired with a notification duty whenever the register changes.

You retain the right to object to any new subprocessor. If we cannot accommodate your objection through a mitigation, the DPA gives you a termination right for the affected service.

Every subprocessor on this page has agreed to data protection obligations no less protective than the ones we owe you. Where transfers leave the EU/EEA, EU Standard Contractual Clauses and supplementary measures apply.

Read the DPASee GDPR commitments
FAQ

Subprocessor specifics.

How often is this page updated?
We update the register the moment a vendor is added, removed or materially changed. The "Last updated" stamp at the top of the page is canonical - if it has moved, something on this list has too.
What if I object to a new subprocessor?
Email us within the 30-day notice window. We will discuss a mitigation - alternative vendor, scope reduction, additional safeguards. If we cannot land on a workable solution, you may terminate the affected service under the DPA without penalty.
Do subprocessors see my source code?
Only those we have flagged for that purpose - currently the runtime and infrastructure vendors that execute code on your behalf. Identity, payments, email and observability vendors never receive source code; they only see the metadata required to deliver their function.
Where do you publish historical versions of the list?
The change log on this page is the historical record. We append-only - entries are not removed when a vendor is sunset, only marked. If you need a point-in-time snapshot for a procurement file, email us and we will send a signed PDF.
Are sub-subprocessors covered?
Yes. Each subprocessor on this list is contractually bound to flow down equivalent obligations to anyone they engage. We hold the primary vendor responsible for their sub-processors' performance under our DPA.
Can I require additional vendor commitments?
Enterprise customers may negotiate vendor-specific carve-outs - for example, restricting processing to specific regions, requiring additional encryption controls or excluding a named vendor entirely. Contact us to discuss.
Subprocessors at CodeCourier

Want the contract behind this list?

DPA pageContact legal
Free for 14 days · no credit card

Hire your first AI engineer.
Ship by lunchtime.

5 minutes to onboard. First PR within an hour. Cancel anytime.

Deploy your first agentBook a 20-min demo