Sub-processors List
Last updated: June 17, 2026
Notification Framework: We will provide customers with at least 30 calendar days advance notice before adding or replacing any Sub-processor. Notice will be sent to your registered email address and this page will be updated.
Objection Rights: If you have legitimate data protection concerns about a new Sub-processor, you may object in writing within 14 days of receiving notice. If we cannot accommodate your objection, you may terminate the affected Services without penalty. See our Data Processing Agreement for details.
Current Sub-processors
The following table lists all third-party Sub-processors currently engaged by Semly Pro to process customer data. Each Sub-processor is bound by contractual obligations at least as protective as our Data Processing Agreement.
| Sub-processor | Purpose | Data Location | Data Protection |
|---|---|---|---|
| Infrastructure & Hosting | |||
| Vercel Inc. vercel.com | Cloud hosting, serverless functions, edge network, application deployment | Global (primary: bom1 - Mumbai, India) Edge locations worldwide | SOC 2 Type II EU-US DPF DPA |
| Supabase Inc. supabase.com | PostgreSQL database, authentication, real-time subscriptions, storage | ap-south-1 (Mumbai, India) | SOC 2 Type II ISO 27001 DPA |
| Upstash Inc. upstash.com | Redis caching, rate limiting, session storage | ap-south-1 (Mumbai, India) | ISO 27001 EU SCCs DPA |
| AI Content Generation | |||
| Anthropic PBC anthropic.com | AI content generation (Claude models), MCP server integration | US (AWS us-east-1, us-west-2) No data retention post-30 days | SOC 2 Type II Zero data retention Terms |
| OpenAI OpCo, LLC openai.com | AI content generation (GPT models), embeddings, moderation | US (Azure regions) Zero retention for API use | SOC 2 Type II Zero data retention Business Terms |
| Microsoft Corporation Azure OpenAI | AI content generation (Azure OpenAI Service) | EU/US (customer choice) Data residency guaranteed | SOC 2, ISO 27001 EU DPF, EU SCCs DPA |
| Google LLC Google AI | AI content generation (Gemini models) | US (multi-region) No training on enterprise data | SOC 2, ISO 27001 EU-US DPF Cloud DPA |
| Analytics & Monitoring | |||
| Google LLC Google Analytics | Google Analytics 4 integration, Google Search Console integration, Google Ads API (optional) | US/EU (customer choice) IP anonymization enabled | EU-US DPF ISO 27001 Data Processing Terms |
| Sentry sentry.io | Error tracking, performance monitoring, application logs | US (us-east-1) | SOC 2 Type II EU SCCs DPA |
| Axiom axiom.co | Security logs, audit trails, system monitoring | US/EU (customer choice) | SOC 2 Type II EU SCCs DPA |
| Payment Processing | |||
| Stripe, Inc. stripe.com | Payment processing (EUR, USD), subscription management, invoicing | US/EU (multi-region) PCI DSS Level 1 | PCI DSS Level 1 SOC 2, ISO 27001 DPA |
| Razorpay Software Pvt Ltd razorpay.com | Payment processing (INR), subscription management (India-based customers only) | India (Mumbai) | PCI DSS Level 1 ISO 27001 Privacy Policy |
| Communications | |||
| Resend, Inc. resend.com | Transactional emails (account notifications, password resets, billing) | US (AWS us-east-1) | SOC 2 Type II EU SCCs DPA |
| Security & Fraud Prevention | |||
| FingerprintJS Inc. fingerprint.com | Bot detection, fraud prevention, device fingerprinting | US/EU (multi-region) | SOC 2 Type II EU SCCs Privacy Policy |
| Webhook Infrastructure | |||
| Svix Inc. svix.com | Webhook delivery, retry logic, webhook verification | US (AWS us-east-1) | SOC 2 Type II EU SCCs DPA |
| Workflow Automation | |||
| Inngest Inc. inngest.com | Workflow orchestration, scheduled jobs, event-driven functions | US (AWS us-east-1) | SOC 2 Type II EU SCCs DPA |
CMS Platform Sub-processors
When you integrate a third-party CMS platform, that platform processes content data according to your relationship with them (as controller or processor). The following CMS platforms are supported:
- WordPress (wordpress.com, self-hosted)
- Sanity.io
- Contentful
- Ghost
- Webflow
- Shopify
- HubSpot
- Strapi
- Storyblok
- Hygraph (GraphCMS)
- DatoCMS
- Prismic
- Framer
Important: These CMS platforms act as independent controllers or processors based on your contractual relationship with them. We store only encrypted connection credentials and act as your agent to publish content you explicitly approve. You are responsible for ensuring your CMS provider agreements include appropriate data protection terms.
Change Notification Procedures
Adding or Replacing Sub-processors
When we plan to add or replace a Sub-processor, we will:
- 30 days before the change:
- Send email notification to your registered email address
- Update this page with the new Sub-processor details
- Include: Sub-processor name, purpose, data location, and data protection measures
- 14-day objection period: You may object in writing to legal@semlypro.com if you have legitimate data protection concerns
- Resolution: We will work with you to address concerns or provide alternative solutions. If we cannot accommodate your objection, you may terminate the affected Services without penalty.
Emergency Changes
In exceptional circumstances (security incidents, service outages, regulatory requirements), we may need to engage a replacement Sub-processor with less than 30 days notice. In such cases:
- We will notify you as soon as practicable
- We will ensure the replacement Sub-processor meets equivalent data protection standards
- Your objection rights remain in effect
Sub-processor Due Diligence
Before engaging any Sub-processor, we conduct due diligence to ensure they:
- Provide appropriate technical and organizational security measures
- Comply with GDPR Article 28 processor obligations
- Maintain relevant certifications (SOC 2, ISO 27001, etc.)
- Execute data processing agreements with us containing equivalent protections to our DPA with you
- Provide appropriate international transfer mechanisms (EU SCCs, UK IDTA, adequacy decisions, or DPF certification)
Liability
We remain fully liable to you for the performance of our Sub-processors as if it were our own performance under the Data Processing Agreement. If a Sub-processor fails to fulfill their data protection obligations, we remain liable to you for that Sub-processor's failure.
Questions?
For questions about our Sub-processors or to object to a proposed change, contact:
Related legal documents:
Data Processing Agreement | Privacy Policy | Security Practices | Terms of Service