Legal

Subprocessors

Last updated: June 2026

1. About this list

To deliver OverlayRiskWitness, we rely on a small set of third-party service providers (“subprocessors”) that may process personal data on our behalf. The table below lists each subprocessor, what it does, the data it handles, and where it operates. This page is referenced by our Data Processing Agreement and Privacy Policy.

2. Current subprocessors

SubprocessorPurpose & dataRegion
VercelApplication hosting and edge delivery; request metadataUnited States
SupabasePostgres database and authentication; account data, run recordsUnited States
StripePayment processing; billing and transaction dataUnited States / global
ResendTransactional email; email address and message contentUnited States
BrowserbaseHosted headless browser that runs the scans; submitted URLsUnited States
PostHogProduct analytics; usage events (consent-gated)United States
Google AnalyticsWeb analytics; usage events (consent-gated)United States / global
CloudflareDNS and inbound email routing; network and email metadataUnited States / global

We also use the Anthropic Claude API to extract compliance claims from page content during paid Risk Packet runs.

TODO: Confirm with counsel whether Anthropic should be listed as a formal subprocessor in the table above and whether any provider’s data region needs to be narrowed for your target markets.

3. Changes to subprocessors

We may add or replace subprocessors as the service evolves. When we do, we will update this page and the “Last updated” date. Customers on a signed Data Processing Agreement may request advance notice of material changes as described in that agreement.

4. Contact

For questions about our subprocessors or data handling, contact privacy@overlayrisk.com.