List effective 2026-05-12. To subscribe to changes by email, send a request to privacy@paragraphs.co.uk.
| Provider | Purpose | Location | In use since |
|---|---|---|---|
| Supabase, Inc. | Primary database (Postgres + pgvector). Authentication. | EU (Frankfurt) or US (Virginia) per Customer's choice | 2026-04-01 |
| Cloudflare, Inc. | Edge delivery (Workers), KV cache, R2 object storage, DNS, DDoS protection. | Global edge; data origin pinned to Customer's region | 2026-04-01 |
| Anthropic, PBC | LLM translation (Claude Sonnet / Opus / Haiku) via commercial API. | US (no training on customer data) | 2026-04-01 |
| OpenAI, Inc. | Text embeddings (text-embedding-3-large) for translation memory. | US (no training on customer data) | 2026-04-01 |
| DeepL SE | Machine translation for Tier A units. | Germany (EU) | 2026-04-01 |
| Stripe, Inc. / Stripe Payments Europe Ltd | Billing, subscriptions, tax, invoicing. | US / Ireland (per Customer's region) | 2026-04-01 |
| Resend, Inc. | Transactional and marketing email delivery. | EU | 2026-04-01 |
| Functional Software, Inc. (Sentry) | Error tracking, traces, performance monitoring. | EU | 2026-04-01 |
| PostHog, Inc. | Product analytics. Self-hosted EU instance. | EU | 2026-04-01 |
| Better Stack (BetterStack Inc.) | Uptime monitoring, status page, incident management. | EU | 2026-04-01 |
| WorkOS, Inc. | SAML SSO, SCIM provisioning (Business+ only). | US | 2026-04-01 |
| Inngest, Inc. | Event-driven workflow orchestration (translation pipeline only). | US | 2026-04-01 |
| Railway Corp. | Application hosting (control plane and dashboard). | EU or US per Customer's region | 2026-04-01 |
| BuiltByGo Ltd | JustRun.sh — scheduled job platform (self-operated). | EU (Frankfurt) | 2026-04-01 |
Change notice
We give 30 days' prior notice of additions or replacements to the list above. Notice goes by email to organisation admins and by in-app banner. Subscribers may object; if we can't resolve the objection, Customer may terminate the affected portion of the contract without penalty per the DPA.
How we evaluate
New sub-processors are evaluated against: documented security posture (preferably SOC 2 / ISO 27001), data-processing terms acceptable to our DPA, locational compatibility with Customer data residency, financial stability, alignment with the principle of least data. We don't add sub-processors casually.