Subprocessors
The third parties that process data on our behalf.
Every third party that processes personal information on Verinode’s behalf is listed here. This disclosure is required by GDPR Article 28(2) and CCPA service-provider disclosure rules. We update this page whenever the list changes; the date below records the most recent revision.
Last updated: May 2026
Active subprocessors
Infrastructure
- Vercel
Purpose: Application hosting, edge and serverless compute.
Data: All operator and user data passing through the application layer.
Location: United States, with global edge.
Safeguards: EU-Commission Standard Contractual Clauses (SCCs 2021/914), SOC 2 Type 2, ISO 27001.
- Supabase
Purpose: Managed Postgres databases (Operator Database + Intelligence Database), storage, and auth.
Data: All operator and user PII.
Location: United States; regional deployment (including EU) available on enterprise request.
Safeguards: EU-Commission SCCs (2021/914), SOC 2 Type 2, HIPAA-eligible plans.
- Cloudflare
Purpose: Email Routing, CDN, Workers, DNS.
Data: Inbound email payloads (briefly, before they reach Vercel).
Location: Global edge.
Safeguards: EU-Commission SCCs, SOC 2 Type 2, ISO 27001.
LLM providers
- Anthropic (Claude API)
Purpose: Document extraction, chain extraction, agent reasoning, signal generation.
Data: Anonymised document and email content (PII fields like claim numbers, names, addresses replaced with typed placeholders before transmission); operator metadata; LLM prompts and responses.
Location: United States.
Safeguards: No training on our data (Anthropic's default API policy with feedback sharing disabled in console). Standard 30-day abuse-monitoring retention. Data Processing Addendum executed. SOC 2 Type 2. Enterprise Zero-Data-Retention amendment on the roadmap.
- OpenAI
Purpose: LLM fallback when Claude is unavailable, vector embeddings, text-to-speech for IQ voice mode (reads IQ's typed replies aloud).
Data: Same as Anthropic above, plus IQ's assistant text replies submitted to the OpenAI TTS endpoint for audio generation. No operator voice audio passes through OpenAI: voice-mode microphone capture is routed to Deepgram (see Voice section) and discarded after transcription.
Location: United States.
Safeguards: No training on our data (all sharing and training toggles disabled in console). Standard 30-day abuse-monitoring retention. Data Processing Addendum executed. SOC 2 Type 2. Enterprise Zero-Data-Retention amendment on the roadmap.
Voice (speech-to-text and text-to-speech)
- Deepgram
Purpose: Real-time speech-to-text for IQ voice mode (operator microphone capture → transcript) and batch transcription for forwarded voice memos and video soundtracks.
Data: Operator voice audio captured during voice-mode interactions or attached as audio / video uploads. Audio is streamed to Deepgram, transcribed in-flight, and discarded by Deepgram immediately after transcription under the zero-retention flag set on every request. Only the resulting transcript is returned to Verinode and stored against the operator's chat log or ingestion record.
Location: United States.
Safeguards: Zero-retention mode enabled per request (Deepgram's documented "no audio stored, no transcript stored" posture). No training on customer audio under Deepgram's standard customer terms. SOC 2 Type 2. HIPAA-eligible plan with BAA available on request. Data Processing Addendum executed.
Identity and access
- WorkOS
Purpose: Enterprise SSO (SAML 2.0, OIDC) and SCIM 2.0 directory-sync provisioning.
Data: User name, email address, group / role assignments, IdP-specific metadata (organization ID, connection ID). No operator business data.
Location: United States.
Safeguards: EU-Commission SCCs, SOC 2 Type 2, signed DPA.
Operations
- Resend
Purpose: Transactional email (welcome, invites, password reset, signal digests).
Data: User name, email address, message subject and body.
Location: United States.
Safeguards: EU-Commission SCCs, SOC 2 Type 2.
- Twilio
Purpose: SMS notifications and survey delivery.
Data: Recipient phone number, message body.
Location: United States.
Safeguards: EU-Commission SCCs, SOC 2 Type 2, HIPAA BAA available on request.
- Stripe
Purpose: Subscription billing and payment processing.
Data: Operator name, billing email, billing address, payment method (card stored at Stripe, not at Verinode).
Location: United States and global processing nodes.
Safeguards: PCI-DSS Level 1, SOC 2 Type 2, EU-Commission SCCs.
- Better Stack
Purpose: External WORM audit-log retention via Vercel Log Drain. Provides immutability outside Verinode's blast radius.
Data: Audit metadata only (event kind, table, action, user_id, operator_id, outcome, structured detail). Filter keys are streamed; filter values are not. No raw operator business data.
Location: United States.
Safeguards: SCCs where applicable, SOC 2 Type 2 (Better Stack Telemetry product).
- Apify
Purpose: Web scraping for vendor, regulatory, and market intelligence (no operator PII; only public web content).
Data: None: public-source intelligence only.
Location: United States and EU.
Safeguards: SCCs where applicable (no operator PII processed).
Internal observability
- Vercel Analytics + Logs
Purpose: Performance monitoring, error tracking.
Data: Anonymised request paths, response times, error stack traces. No operator PII in payloads.
Location: United States.
Safeguards: Same as Vercel hosting.
What subprocessors we do not use
For clarity (questions come up):
- Carrier-aligned analytics providers (Verisk, Cotality, and similar): never used as a subprocessor and never given operator data. This is a binding commitment in the Data Use Policy.
- Advertising networks and data brokers: none, ever.
- Operator-data sale or licensing arrangements: none, ever.
How we evaluate subprocessors
Before adding a subprocessor, we verify:
1. They have a published security posture (SOC 2 Type 2 or ISO 27001 ideally; demonstrably substantive security otherwise).
2. They will sign a Data Processing Agreement (DPA) consistent with our obligations to operators.
3. For non-US operators: they offer EU-Commission Standard Contractual Clauses or an equivalent transfer mechanism.
4. For LLM providers: zero-retention or no-training-on-our-data is contractually guaranteed.
5. We can audit their processing on request (right-to-audit clause in DPA).
Notification of changes
We keep this page current and email operators when the subprocessor list changes. If a change affects how your data is processed and you object, you can exercise your erasure right at any time under our normal data-subject-request procedure.
Contact
Questions, objections, or DPA requests: [email protected].