Legal
Subprocessors
Last updated: June 2026
1. About this list
To deliver OverlayRiskWitness, we rely on a small set of third-party service providers (“subprocessors”) that may process personal data on our behalf. The table below lists each subprocessor, what it does, the data it handles, and where it operates. This page is referenced by our Data Processing Agreement and Privacy Policy.
2. Current subprocessors
| Subprocessor | Purpose & data | Region |
|---|---|---|
| Vercel | Application hosting and edge delivery; request metadata | United States |
| Supabase | Postgres database and authentication; account data, run records | United States |
| Stripe | Payment processing; billing and transaction data | United States / global |
| Resend | Transactional email; email address and message content | United States |
| Browserbase | Hosted headless browser that runs the scans; submitted URLs | United States |
| PostHog | Product analytics; usage events (consent-gated) | United States |
| Google Analytics | Web analytics; usage events (consent-gated) | United States / global |
| Cloudflare | DNS and inbound email routing; network and email metadata | United States / global |
We also use the Anthropic Claude API to extract compliance claims from page content during paid Risk Packet runs.
TODO: Confirm with counsel whether Anthropic should be listed as a formal subprocessor in the table above and whether any provider’s data region needs to be narrowed for your target markets.
3. Changes to subprocessors
We may add or replace subprocessors as the service evolves. When we do, we will update this page and the “Last updated” date. Customers on a signed Data Processing Agreement may request advance notice of material changes as described in that agreement.
4. Contact
For questions about our subprocessors or data handling, contact privacy@overlayrisk.com.