The professional standard for production AI deployment
Verify a credentialFor organisationsPartner ProgrammeFor nonprofits & NGOsContact

Sub-Processors

Last updated: 2026-05-07 · Version 1.0

This page lists every third party that processes personal data on our behalf. We commit to updating this page within 14 days of any change. To be notified of changes, email hello@productionai.institute. The legal basis for each relationship is described in our Privacy Policy.

Clerk, Inc.

United States

Authentication, account profile, session management

Data processed: Email, name, password hash (we never see the password), sign-in metadata, third-party-provider profile data when you use OAuth

Privacy Policy ↗DPA ↗

Supabase, Inc.

ap-southeast-2 (Sydney)

Database for assessments, certifications, contact enquiries, newsletter subscribers

Data processed: Assessment responses, certification records, contact form submissions, newsletter email addresses

Privacy Policy ↗DPA ↗

Stripe Payments Australia Pty Ltd

Australia (primary) and United States

Payment processing, billing, customer portal, tax invoices

Data processed: Card details (never seen by us), billing address, transaction history, stripe_customer_id and products purchased

Privacy Policy ↗DPA ↗

Resend, Inc.

United States

Transactional email (welcome, cert issuance, contact replies) and newsletter delivery

Data processed: Recipient email address, email content, delivery and engagement metadata

Privacy Policy ↗DPA ↗

OpenAI, OpCo LLC

United States

AI feature processing (Wizard, Heal, Generate, Automate, Executive Brief, PSF Analyzer) via the Responses API

Data processed: Workflow content (node names, types, descriptions, edges) and your AI feature prompt at the moment you trigger an AI feature. Per OpenAI API terms, this content is not used to train OpenAI’s models.

Privacy Policy ↗DPA ↗

Plausible Insights OÜ

Germany (EU)

Cookie-less, anonymised website analytics

Data processed: Page URL, referrer, country, browser family, device type. No cookies. No personal identifiers. No cross-site tracking.

Privacy Policy ↗DPA ↗

Vercel Inc.

Global edge with primary regions in the United States and Europe

Web hosting, edge routing, serverless function runtime, request logging

Data processed: HTTPS request metadata (URL, method, status, timing, IP), retained ∼30 days. Does not include AI request bodies or persisted user content.

Privacy Policy ↗DPA ↗

How we evaluate sub-processors

Before we add a sub-processor we check that they publish a privacy policy and (where relevant) a Data Processing Addendum, encrypt data in transit and at rest, have a published security posture, make data-subject rights requests routable through their support channel, and disclose their hosting region. We do not knowingly use any sub-processor that uses customer content to train AI models without explicit consent.

Recently changed sub-processors

We will record additions, removals, and replacements here so the change history is visible. Currently, no changes have been made since this page was first published.

Questions

For any question about this list, email hello@productionai.institute.