Legal
Subprocessors and Service Providers
Effective: May 10, 2026
Summary
This page lists third-party providers that help operate Accountmade. Some are subprocessors for Customer Personal Data under the DPA. Others, such as Paddle and customer-selected CRMs, may act as independent controllers or customer-controlled providers.
We provide at least 30 days' notice before adding or replacing a DPA subprocessor, unless urgent security, legal, or continuity needs require a shorter period. Customers may object on reasonable data-protection grounds within 14 days after notice.
DPA subprocessors
| Provider | Purpose | Data categories | Processing location | Notes |
|---|---|---|---|---|
| Vercel Inc. | Application hosting, serverless functions, edge delivery | Customer Content, request metadata, IP addresses, headers, logs | United States and global edge | Hosting and edge infrastructure |
| Supabase Inc. | Database, authentication, storage | Account Data, Customer Content, Customer Personal Data, workspace data, integration metadata | United States | Database, auth, and storage infrastructure |
| Cloudflare, Inc. | DNS, CDN, DDoS protection, bot protection, custom-domain routing | IP addresses, request headers, access logs, shared-deck delivery metadata, cached content where applicable | Global | Security and content delivery |
| OpenAI, L.L.C. | AI deck generation, ingestion/extraction, answerability judging, and text embeddings | Prompts, source documents, brand context, personas, selected CRM fields, deck context, generated outputs | United States | Commercial API (Platform). Customer Content is not used for model training under OpenAI's API data-usage terms. Zero-data-retention / no-training status must be confirmed under the account's DPA before publishing any ZDR claim |
| Google LLC (Gemini API) | AI deck generation, ingestion/extraction, answerability judging, and text embeddings (cross-provider fallback / independence) | Prompts, source documents, brand context, personas, selected CRM fields, deck context, generated outputs | United States | Gemini API (Google AI / Generative Language API). Paid-tier data-usage, no-training, and retention terms must be confirmed under the account's DPA before publishing any ZDR claim |
| Upstash, Inc. | Redis caching, queues, rate limiting | Pseudonymous identifiers, usage counters, job state, temporary processing metadata | United States | Cache and rate-limit infrastructure |
| Resend, Inc. | Transactional email | Names, email addresses, workspace/account metadata, message content and delivery metadata | United States | Service, security, billing, and notification email |
| Functional Software, Inc. (Sentry) | Error monitoring and diagnostics | Error events, stack traces, device/browser metadata, IP addresses, limited Customer Content where included in errors | United States | Error tracking and incident diagnostics |
| PostHog, Inc. | Product analytics | Usage events, device/browser metadata, page/activity events, pseudonymous identifiers | United States | Product analytics. Session replay, cookies, and IP handling must match live configuration |
| Channel Corp. (Channel.io) | Customer support chat | Names, email addresses, chat messages, support context, device/browser metadata | Republic of Korea | Support interactions initiated by users |
Not every subprocessor processes every data category in every use of the Service. Some subprocessors process only Account Data or Service Data, while others may process Customer Personal Data depending on the features used.
Independent controllers and payment providers
| Provider | Purpose | Data categories | Processing location | Role |
|---|---|---|---|---|
| Paddle.com Market Limited and affiliates | Merchant of record, checkout, payments, subscriptions, tax, invoicing, refund administration, fraud screening | Billing contact details, payment method details, transaction records, tax location, subscription metadata | United Kingdom, Ireland, and global processing locations | Independent controller for payment transactions |
Paddle is not a DPA subprocessor for Customer Personal Data merely because it processes payment transactions. Accountmade receives limited payment metadata from Paddle and processes that metadata as described in the Privacy Policy.
Customer-selected integrations
| Provider | Purpose | Role |
|---|---|---|
| HubSpot | CRM data sync and field mapping when connected by Customer | Usually Customer's own vendor or independent provider. Accountmade accesses data through Customer-authorized OAuth scopes |
| Salesforce | CRM data sync and field mapping when connected by Customer | Usually Customer's own vendor or independent provider. Accountmade accesses data through Customer-authorized OAuth scopes |
Customer-selected integrations are not automatically Accountmade subprocessors. If Accountmade uses a provider through an Accountmade-managed account to process Customer Personal Data, the provider will be listed in the DPA subprocessors table.
AI provider note
Accountmade does not use Customer Content or Customer Personal Data to train AI models. AI-provider training, retention, and abuse-monitoring controls depend on the provider, product, and configured account terms. This page should be updated whenever the AI-provider arrangement changes.
Change log
| Date | Change |
|---|---|
| June 15, 2026 | Corrected AI subprocessor disclosure: replaced Anthropic (not used) with OpenAI and Google (Gemini API), the providers actually used for AI generation, ingestion, judging, and embeddings |
| May 10, 2026 | Updated standardized subprocessor list and separated DPA subprocessors, independent controllers, and customer-selected integrations |
Contact
Subprocessor questions and objections: legal@accountmade.com