Subprocessors
Version 2026.02.22 · Last updated February 22, 2026
This list identifies third-party subprocessors used to deliver VeriRFP services. It is versioned and updated when providers, processing scope, or transfer controls change.
Current subprocessor inventory
| Vendor | Service | Data processed | Primary region | Transfer control | Retention note |
|---|---|---|---|---|---|
| Railway | Application hosting and runtime orchestration | Service telemetry, runtime metadata, and processed request payloads | US | SCC-backed contractual terms | Operational logs retained per provider defaults |
| Supabase | Postgres, authentication, object storage | Workspace records, account metadata, uploaded artifacts, and access logs | US | SCC-backed contractual terms | Customer-controlled retention plus backup windows |
| Stripe | Billing and subscription processing | Customer billing profile, subscription state, invoice metadata | US/EU (provider managed) | DPA + SCCs via Stripe legal terms | Financial records retained per legal obligations |
| OpenAI | Optional AI drafting workflows | Selected questionnaire and evidence excerpts submitted for completion | US (provider managed) | Commercial API terms and DPA | Per provider policy for API usage metadata |
| Sentry | Application error telemetry | Exception traces and operational diagnostics | US/EU (provider managed) | SCC-backed contractual terms | Event retention configured by environment |
Change cadence
- 2026.02.22: Added explicit transfer and retention columns for all subprocessors.
- 2026.02.18: Published versioned subprocessor inventory and notification process.
Material changes are reflected in this page and included in procurement packet updates on the same release day.
Notification and contacts
- Subprocessor updates are reviewed during weekly release governance.
- Enterprise customers may request 30-day notice for material subprocessor additions.
- Contact admin@verirfp.com for current confirmations.