Subprocessors
Version 2026.02.22 · Last updated February 22, 2026
This list identifies third-party subprocessors used to deliver VeriRFP services. It is versioned and updated when providers, processing scope, or transfer controls change.
Buyers often review this inventory alongside the DPA, privacy request workflow, and security overview. Keeping the provider list explicit here reduces redlines and prevents inconsistent answers across procurement threads.
Each entry is meant to answer the follow-up questions that usually appear after a trust-center review: where data is processed, what transfer safeguards apply, and how retention expectations align with the privacy policy, status program, and security controls.
Current subprocessor inventory
| Vendor | Service | Data processed | Primary region | Transfer control | Retention note |
|---|---|---|---|---|---|
| Railway | Application hosting and runtime orchestration | Service telemetry, runtime metadata, and processed request payloads | US | SCC-backed contractual terms | Operational logs retained per provider defaults |
| Supabase | Postgres, authentication, object storage | Workspace records, account metadata, uploaded artifacts, and access logs | US | SCC-backed contractual terms | Customer-controlled retention plus backup windows |
| Stripe | Billing and subscription processing | Customer billing profile, subscription state, invoice metadata | US/EU (provider managed) | DPA + SCCs via Stripe legal terms | Financial records retained per legal obligations |
| OpenAI | Optional AI drafting workflows | Selected questionnaire and evidence excerpts submitted for completion | US (provider managed) | Commercial API terms and DPA | Per provider policy for API usage metadata |
| Resend | Transactional email delivery (signup confirmations, billing notices, security alerts) | Recipient email address, message subject, delivery metadata | US (provider managed) | SCC-backed contractual terms | Provider-managed message log retention |
| Cloudflare | Private Edition desktop app — update manifest delivery and model-weight CDN | Client IP, user-agent, and download metadata for Private Edition installations | Global edge (provider managed) | SCC-backed contractual terms via Cloudflare DPA | Provider-managed access log retention |
Change cadence
- 2026.02.22: Added explicit transfer and retention columns for all subprocessors.
- 2026.02.18: Published versioned subprocessor inventory and notification process.
Material changes are reflected in this page and included in procurement packet updates on the same release day.
When a customer asks for subprocessor notice language, this version history is the quickest way to confirm what changed and when.
Notification and contacts
- Subprocessor updates are reviewed during weekly release governance.
- Enterprise customers may request 30-day notice for material subprocessor additions.
- Contact admin@verirfp.com for current confirmations.
How procurement teams use this inventory
This table is meant to support real diligence workflows, not just publish a vendor list. Buyers typically cross-reference subprocessors against the DPA, security posture, and data-retention commitments before approving a new vendor. Keeping those references aligned reduces redlines and prevents inconsistent answers across legal, privacy, and sales threads.
- Use the transfer-control column when procurement asks how cross-border processing is governed.
- Use the retention note when customers want to verify log, backup, or billing-data handling assumptions.
- Pair this page with the privacy workflow when a customer asks for contract language or notice terms.
Related trust resources
These pages answer the next questions that usually follow a subprocessor review.