The vendors that touch your data.
Every subprocessor used in RateStack production. Updated continuously; material changes (new subprocessor, change of purpose) are announced via the changelog with at least 30 days' notice.
Active subprocessors
What they process and where.
The data class column lists the worst-case data each subprocessor could see; in practice, many of these subprocessors never see borrower data because of redaction at the platform boundary.
| Vendor | Purpose | Location | Data class |
|---|---|---|---|
| AWS (Amazon Web Services) | Compute, networking, RDS-managed MySQL, ElastiCache Redis, S3 object storage | United States (us-east-1, us-west-2) | All |
| Cloudflare | DNS, edge TLS termination, WAF for marketing site | Global edge | Public marketing traffic; no production data |
| Anthropic | AI fallback for ratesheet header mapping (default provider) | United States | Header strings only — no borrower data |
| OpenAI (configurable alternative) | AI fallback alternative (per-environment opt-in) | United States | Header strings only — no borrower data |
| Google (configurable alternative) | Gemini AI fallback alternative; Sign-In OIDC | United States | Header strings (Gemini) and operator email/profile (SSO) |
| Microsoft | Microsoft Sign-In OIDC | United States | Operator email/profile (SSO only) |
| Apple | Sign in with Apple | United States | Operator email/profile (SSO only) |
| Stripe | Subscription billing | United States | Billing contact, payment method (PCI-DSS Level 1) |
| Datadog (Business+) | Production observability for customers who opt in | United States | PII-redacted logs and traces |
| Sentry | Error reporting (PII-redacted) | United States | Error envelopes only — PII-redacted at source |
| Resend | Transactional email delivery (verification, password reset, approval) | United States | Operator email and email subject/body |
| Cal.com (or equivalent) | Demo scheduling embedded on /demo | United States | Lead contact details only |
Notification & objection
We notify customers of material subprocessor changes via the changelog at least 30 days before they take effect. Business and Enterprise customers may also subscribe to a direct notification stream via webhook or email.
Customers under a DPA may object to a new subprocessor in writing within 30 days of notification. We will work in good faith to address concerns; if we cannot reach agreement, the customer may terminate the affected service with a pro-rated refund per the DPA.
Operational subprocessors (not in scope)
Vendors that do not process customer data — internal collaboration tools, code hosting, source-code analysis, employee benefits, payroll — are not listed here because they have no access to customer data. We can provide the full operational vendor list under NDA on request.
Geographic processing
Standard deployments process data in the United States. Enterprise deployments can be pinned to a specific AWS region (e.g., eu-central-1) with the corresponding subprocessors. Cross-border data transfers, when they occur, rely on Standard Contractual Clauses (SCCs).
Customer data & subprocessors
The redaction pipeline ensures most subprocessors never see borrower PII. For example, observability vendors receive PII-redacted logs and traces — email addresses are stripped before they leave the platform boundary. Where a subprocessor must see operator data (SSO providers, email delivery), the data is limited to what's strictly necessary.