v2.0.0Source of truth: DPA §5
Sub-processors
PostGrad uses the following third-party sub-processors to deliver, host, and support the service. Per our Data Processing Addendum, we provide customers with at least 30 days' prior notice before adding or replacing a sub-processor that processes personal data on their behalf. Customers may object during the notice window per the DPA.
Current sub-processors
| Name | Purpose | Location | Data processed | Added |
|---|---|---|---|---|
| Supabase | Managed Postgres database, Auth, and Storage for the application backend. | United States (us-east-1) | Account identifiers, email addresses, hashed credentials, all licensor and subscriber content, knowledge entries, audit logs. | 2026-04-08 |
| Stripe | Payment processing and Stripe Connect payouts to licensors. | United States | Billing name, email, billing address, country, payment-method metadata, payout bank/identity information for Connect accounts. | 2026-04-08 |
| Vercel | Application hosting, edge runtime, and CDN for the PostGrad web application and APIs. | United States (multi-region edge) | IP addresses, request headers, geolocation derived from IP, request and response payloads in transit. | 2026-04-08 |
| Upstash | Serverless Redis used for rate limiting and short-lived ephemeral cache entries. | Multi-region (US + EU) | Hashed API key identifiers, IP-derived rate-limit buckets, ephemeral request fingerprints. | 2026-04-08 |
| Composio | Brokering authenticated agent integrations to third-party SaaS tools on behalf of subscribers. | United States | OAuth tokens issued by subscriber-connected third parties, integration metadata, request payloads forwarded to connected tools. | 2026-04-08 |
| Google (Gemini API) | Large language model inference for the knowledge extraction pipeline. | United States | Transcript content submitted for extraction. Google contractually disclaims use for model training on paid Gemini API usage. | 2026-04-08 |
| Resend | Transactional email delivery (account, billing, legal, deletion-undo links). | United States | Recipient email address, recipient name, message body and metadata, delivery and engagement events. | 2026-04-08 |
| OpenRouter | Curated AI-news editorial pipeline — invokes Claude Haiku to summarize/categorize articles for the AI News Daily feed. | United States | Public article URLs and bodies fetched from third-party news sources. No customer-submitted personal data is sent. | 2026-04-22 |
| Brave Search | Fallback search source for the AI News Daily feed when primary RSS sources produce no results for the day. | United States | A static editorial query (e.g., "AI announced OR released OR launched"). No customer-submitted data and no per-user identifiers. | 2026-04-22 |
| Jina (Reader API) | Web-page content extraction for the AI News Daily feed editorial pipeline. | Singapore (Jina AI Pte. Ltd.) | Public article URLs from third-party news sources. No customer-submitted data. | 2026-04-22 |
| Apify | Public-web scraping for the TikTok Trending feed — runs the togetherinc/tiktok-trending-audio actor on a schedule. | European Union (Czech Republic) | Public TikTok metadata (track names, view counts, hashtags). No customer-submitted data. | 2026-04-22 |
Version history
- v2.0.0 — 2026-04-22Added OpenRouter, Brave Search, Jina, and Apify as sub-processors for the curated AI News Daily and TikTok Trending feeds. These vendors do not process customer-submitted personal data — only public web content fetched on a schedule. Surfaced by Phase 5 audit finding 5c.
- v1.0.0 — 2026-04-08Initial v3.2 sub-processor registry: Supabase, Stripe, Vercel, Upstash, Composio, Google/Gemini, Resend.
How we notify customers of changes
New sub-processors are announced at least 30 days before they begin processing customer personal data. Notice is delivered via email to the billing contact on each account and posted on this page along with an updated SUB_PROCESSOR_VERSION. Objections may be sent to [email protected] during the notice window per the DPA.