PostGrad
v2.0.0 | Source of truth: DPA §5

Sub-processors

PostGrad uses the following third-party sub-processors to deliver, host, and support the service. Per our Data Processing Addendum, we provide customers with at least 30 days' prior notice before adding or replacing a sub-processor that processes personal data on their behalf. Customers may object during the notice window per the DPA.

Current sub-processors

| Name | Purpose | Location | Data processed | Added |
|---|---|---|---|---|
| Supabase | Managed Postgres database, Auth, and Storage for the application backend. | United States (us-east-1) | Account identifiers, email addresses, hashed credentials, all licensor and subscriber content, knowledge entries, audit logs. | 2026-04-08 |
| Stripe | Payment processing and Stripe Connect payouts to licensors. | United States | Billing name, email, billing address, country, payment-method metadata, payout bank/identity information for Connect accounts. | 2026-04-08 |
| Vercel | Application hosting, edge runtime, and CDN for the PostGrad web application and APIs. | United States (multi-region edge) | IP addresses, request headers, geolocation derived from IP, request and response payloads in transit. | 2026-04-08 |
| Upstash | Serverless Redis used for rate limiting and short-lived ephemeral cache entries. | Multi-region (US + EU) | Hashed API key identifiers, IP-derived rate-limit buckets, ephemeral request fingerprints. | 2026-04-08 |
| Composio | Brokering authenticated agent integrations to third-party SaaS tools on behalf of subscribers. | United States | OAuth tokens issued by subscriber-connected third parties, integration metadata, request payloads forwarded to connected tools. | 2026-04-08 |
| Google (Gemini API) | Large language model inference for the knowledge extraction pipeline. | United States | Transcript content submitted for extraction. Google contractually disclaims use for model training on paid Gemini API usage. | 2026-04-08 |
| Resend | Transactional email delivery (account, billing, legal, deletion-undo links). | United States | Recipient email address, recipient name, message body and metadata, delivery and engagement events. | 2026-04-08 |
| OpenRouter | Curated AI-news editorial pipeline — invokes Claude Haiku to summarize/categorize articles for the AI News Daily feed. | United States | Public article URLs and bodies fetched from third-party news sources. No customer-submitted personal data is sent. | 2026-04-22 |
| Brave Search | Fallback search source for the AI News Daily feed when primary RSS sources produce no results for the day. | United States | A static editorial query (e.g., "AI announced OR released OR launched"). No customer-submitted data and no per-user identifiers. | 2026-04-22 |
| Jina (Reader API) | Web-page content extraction for the AI News Daily feed editorial pipeline. | Singapore (Jina AI Pte. Ltd.) | Public article URLs from third-party news sources. No customer-submitted data. | 2026-04-22 |
| Apify | Public-web scraping for the TikTok Trending feed — runs the togetherinc/tiktok-trending-audio actor on a schedule. | European Union (Czech Republic) | Public TikTok metadata (track names, view counts, hashtags). No customer-submitted data. | 2026-04-22 |

Version history

  • v2.0.0 2026-04-22
    Added OpenRouter, Brave Search, Jina, and Apify as sub-processors for the curated AI News Daily and TikTok Trending feeds. These vendors do not process customer-submitted personal data — only public web content fetched on a schedule. Surfaced by Phase 5 audit finding 5c.
  • v1.0.0 2026-04-08
    Initial v3.2 sub-processor registry: Supabase, Stripe, Vercel, Upstash, Composio, Google/Gemini, Resend.

How we notify customers of changes

New sub-processors are announced at least 30 days before they begin processing customer personal data. Notice is delivered via email to the billing contact on each account and posted on this page along with an updated SUB_PROCESSOR_VERSION. Objections may be sent to [email protected] during the notice window per the DPA.