Who are Impactean's sub-processors?

Supabase (Frankfurt, EU) for database/auth/storage, Vercel (US) for hosting, OpenAI (US) for AI inference, Stripe (Ireland) for payments, and Resend (Dublin, EU) for transactional email.

How much notice do I get before sub-processor changes?

At least 30 days' written notice (email or in-product) before adding or replacing any sub-processor that processes personal data.

Trust CenterSub-processors

Sub-processors

Last updated: 2026-05-19.md

Live list of every vendor that processes Impactean personal data, with hosting region, transfer safeguard, and 30-day change notice.

Last updated: 18 May 2026

A sub-processor is a third party that processes personal data on our behalf. We commit to:

Vetting every sub-processor for security, reliability, and GDPR compliance;
Executing a written data-processing agreement (or relying on each vendor's published DPA) before any personal data is shared;
Publishing the up-to-date list below;
Giving customers at least 30 days' written notice (email or in-product) before adding or replacing any sub-processor that processes personal data, so customers may reasonably object.

#Active sub-processors

Sub-processor	Purpose	Data categories	Hosting region	Transfer safeguard	Vendor links
Supabase, Inc.	Postgres database, authentication, file storage, realtime	All Account, Identity, Contact, Assessment, Coaching, Uploaded file, Usage data	AWS Frankfurt — eu-central-1 (EU/EEA)	Stays in EU; SCCs for any vendor support access from outside EEA	https://supabase.com/legal/dpa · https://supabase.com/legal/subprocessors · SOC 2 Type 2, HIPAA-ready
Vercel, Inc.	Application hosting, serverless functions, edge middleware	All HTTP request/response data; runtime logs (no persistent user content)	Washington, D.C., USA	EU SCCs in Vercel's DPA	https://vercel.com/legal/dpa · https://vercel.com/legal/subprocessors · SOC 2 Type 2, ISO 27001
OpenAI, L.L.C.	AI Executive Coach (chat, voice, transcription, TTS), report generation, content extraction from uploaded assessments	Coaching messages, assessment context, voice audio, uploaded file content (text/image)	United States	EU SCCs in OpenAI DPA. API content is not used to train models. Up to 30 days retention for abuse monitoring on standard API; we will move to OpenAI Enterprise (Zero Data Retention) and update this page when complete	https://openai.com/policies/data-processing-addendum · https://trust.openai.com · SOC 2 Type 2
Stripe Payments Europe, Ltd.	Payment processing, subscription management, invoicing	Email, billing address, transaction history, Stripe customer ID. Card numbers and CVV are handled directly by Stripe and never reach Impactean	Ireland (EU) with global routing to Stripe, Inc. (USA)	Intra-Stripe SCCs; PCI-DSS Level 1	https://stripe.com/legal/dpa · https://stripe.com/privacy · PCI-DSS L1, SOC 1 + 2 Type 2, ISO 27001
Resend, Inc.	Transactional email (verification, receipts, reminders, check-ins)	Recipient email, recipient first name, email subject and body, send/delivery metadata	Ireland — eu-west-1 (EU/EEA)	Stays in EU; SCCs for any vendor support access from outside EEA	https://resend.com/legal/dpa · https://resend.com/legal/security · SOC 2 Type 2

Email privacy@impactean.com with subject "Sub-processor updates" to be added to the change-notification list.

Sub-processors

#Active sub-processors

#Subscribe to changes