Legal
Sub-processors
Last updated: May 3, 2026
Veriva uses the sub-processors below to provide the Service. We bind each provider to written data-protection obligations and remain responsible for their performance under the Veriva DPA.
We notify subscribed contacts at least 30 days before adding or replacing a sub-processor that materially affects customer personal data processing.
| Provider | Purpose | Data category | Region | DPA |
|---|---|---|---|---|
| AWS | Bedrock model inference, S3 audit archives, backups, and underlying cloud infrastructure. | Repository diffs, prompts and responses, finding evidence, audit archives, backup data. | United States: us-east-1 primary, us-west-2 failover where enabled. | View |
| Stripe | Subscription billing, checkout, invoices, customer portal, payment status webhooks. | Billing contacts, customer identifiers, subscription metadata, payment status, invoice data. | Global processing by Stripe entities and affiliates. | View |
| Resend | Transactional email and confirmed subscription broadcasts. | Email addresses, confirmation and unsubscribe tokens, delivery metadata, message contents. | United States and Resend service regions. | View |
| Sentry | Application error monitoring and release-health diagnostics. | Error events, stack traces, release identifiers, request metadata, scrubbed diagnostic context. | United States and Sentry service regions. | View |
| PostHog | Product analytics, activation metrics, feature flags, and funnel instrumentation. | Usage events, page views, device metadata, user and organization identifiers where configured. | United States cloud; EU cloud available if the deployment is reconfigured. | View |
| Google Workspace | Company email, internal documents, calendar, and support/legal correspondence. | Business contact details, support correspondence, customer legal/procurement messages. | Global Google Workspace infrastructure. | View |
| GitHub | OAuth identity, GitHub App installation, repository and pull-request integration. | GitHub account identifiers, repository metadata, pull request metadata, diffs, check-run data. | Global GitHub infrastructure. | View |
| Vercel | Public site and webapp hosting, preview deployments, edge/serverless request handling. | Web request metadata, session-adjacent operational logs, deployment and preview metadata. | Global edge network with United States control plane. | View |
| Railway | API runtime, worker runtime, managed Postgres, managed Redis, and operational logs. | Customer account data, repository and pull-request metadata, findings, job queue data, logs. | United States Railway deployment region for the Veriva API/data plane. | View |
Change notice policy
Customers may object to a new or replacement sub-processor on reasonable data-protection grounds during the 30-day notice window. Send objections to privacy@veriva.dev.
This public list is the canonical sub-processor record referenced by the Privacy Policy and Data Processing Agreement.