
Sub-processors

A sub-processor is a third-party company that processes customer personal data on Sorby's behalf as part of providing the service. This page lists every sub-processor Sorby uses today, what they do, where they sit, and how to subscribe to changes.

Last updated: 2 May 2026.

Current sub-processors

Sub-processor: managed Postgres and file-storage provider (hosted on AWS)
Purpose: Primary database (Postgres), file storage, vector search (pgvector), and database backups. Hosts all workspace content: insights, opportunities, solutions, experiments, gates, audit events, embeddings, and workspace member records.
Data processed: Workspace content (including any personal data customers choose to enter, such as user-research notes); workspace-membership identifiers; vector embeddings.
Location: European Union (Frankfurt, eu-central-1). Underlying infrastructure: AWS.

Sub-processor: Vercel
Purpose: Application hosting, edge delivery, serverless function execution, and request/error logs.
Data processed: HTTP request metadata (URL, IP, User-Agent), application logs, build artifacts. Customer content passes through Vercel in transit but is not persisted by Vercel beyond log-retention windows.
Location: Global edge network. Build artifacts and logs persisted in the United States.

Sub-processor: Clerk
Purpose: Authentication and identity. Stores user identity records, password hashes, MFA secrets, OAuth tokens for sign-in providers, and session state.
Data processed: Email address, name, hashed credentials, MFA secrets, OAuth identifiers, sign-in event metadata (IP, User-Agent, timestamp).
Location: United States.

Sub-processor: Upstash
Purpose: Serverless Redis used for sliding-window API rate-limiting and short-lived counters. Holds no customer content.
Data processed: Rate-limit keys derived from user or workspace identifiers; counters with TTLs measured in minutes. No PII payloads.
Location: Global edge. Primary region: United States.

Sub-processor: Anthropic
Purpose: LLM inference for the AI backlog parser and assistive features (Claude Sonnet 4.6 primary, Haiku 4.5 fallback).
Data processed: Whatever text the customer submits to the AI feature in question (typically: pasted backlog items, prompts, generated outputs). Anthropic does not train its models on API traffic.
Location: United States.

How we choose sub-processors

Every sub-processor on this list satisfies all of the following before we route customer data to it:

  • A signed Data Processing Addendum incorporating the EU Standard Contractual Clauses (2021/914) and, where applicable, the UK International Data Transfer Addendum.
  • A current third-party security report (SOC 2 Type 2 or equivalent) — except for Anthropic, where the contractual no-training commitment for API traffic and the narrow scope of data processed are the relevant controls.
  • A documented incident-notification commitment that allows us to notify affected customers within 72 hours of a qualifying breach.
  • Encryption at rest and in transit as the default, not an upgrade.

We do not enrich, augment, or share customer data with marketing, advertising, analytics, or data-broker vendors. There are no "shadow" sub-processors not on this list.

International transfers

Where customer personal data of EU/EEA or UK residents is transferred to a sub-processor outside the EEA or UK (Clerk, Vercel build artifacts and logs, Upstash, Anthropic), the transfer is covered by the European Commission's Standard Contractual Clauses (2021/914), Module Two (controller-to-processor) or Module Three (processor-to-sub-processor) as applicable, and, for UK transfers, the UK International Data Transfer Addendum.

The relevant transfer mechanisms are incorporated by reference in Sorby's Data Processing Agreement; see /legal/dpa.

Notification of changes

We notify customers at least 30 days in advance of any of the following:

  • Adding a new sub-processor.
  • Changing the processing region of an existing sub-processor in a way that introduces a new cross-border transfer.
  • Replacing one sub-processor with another performing the same function.

Notice is sent by email to every workspace admin who has subscribed to sub-processor updates, and this page is updated on the same day the notice goes out. The "Last updated" date at the top of this page is authoritative.

To subscribe, use our contact form and mention "Subscribe to sub-processor updates."

If you object to a proposed change, you may terminate the affected workspace within 30 days of notice and we will refund any prepaid, unused portion of the subscription fee for that workspace.

What is not a sub-processor

The following vendors handle Sorby's internal operations only and do not process customer data:

  • GitHub — application source code (no customer data committed).
  • Namecheap — domain registrar for sorby.io.
  • Google Workspace — internal email and calendar (no customer data).
  • A password manager (Bitwarden / 1Password) — internal credential storage.

Vendors that process customer data on our behalf will appear in the table above before any data is sent to them.

Questions about this list

Use our contact form. We answer security questionnaires within 2 business days.