Semly Pro

Sub-processors List

Last updated: June 17, 2026

Notification Framework: We will provide customers with at least 30 calendar days advance notice before adding or replacing any Sub-processor. Notice will be sent to your registered email address and this page will be updated.

Objection Rights: If you have legitimate data protection concerns about a new Sub-processor, you may object in writing within 14 days of receiving notice. If we cannot accommodate your objection, you may terminate the affected Services without penalty. See our Data Processing Agreement for details.

Current Sub-processors

The following table lists all third-party Sub-processors currently engaged by Semly Pro to process customer data. Each Sub-processor is bound by contractual obligations at least as protective as our Data Processing Agreement.

Sub-processorPurposeData LocationData Protection
Infrastructure & Hosting
Vercel Inc.
vercel.com
Cloud hosting, serverless functions, edge network, application deploymentGlobal (primary: bom1 - Mumbai, India)
Edge locations worldwide
SOC 2 Type II
EU-US DPF
DPA
Supabase Inc.
supabase.com
PostgreSQL database, authentication, real-time subscriptions, storageap-south-1 (Mumbai, India)SOC 2 Type II
ISO 27001
DPA
Upstash Inc.
upstash.com
Redis caching, rate limiting, session storageap-south-1 (Mumbai, India)ISO 27001
EU SCCs
DPA
AI Content Generation
Anthropic PBC
anthropic.com
AI content generation (Claude models), MCP server integrationUS (AWS us-east-1, us-west-2)
No data retention post-30 days
SOC 2 Type II
Zero data retention
Terms
OpenAI OpCo, LLC
openai.com
AI content generation (GPT models), embeddings, moderationUS (Azure regions)
Zero retention for API use
SOC 2 Type II
Zero data retention
Business Terms
Microsoft Corporation
Azure OpenAI
AI content generation (Azure OpenAI Service)EU/US (customer choice)
Data residency guaranteed
SOC 2, ISO 27001
EU DPF, EU SCCs
DPA
Google LLC
Google AI
AI content generation (Gemini models)US (multi-region)
No training on enterprise data
SOC 2, ISO 27001
EU-US DPF
Cloud DPA
Analytics & Monitoring
Google LLC
Google Analytics
Google Analytics 4 integration, Google Search Console integration, Google Ads API (optional)US/EU (customer choice)
IP anonymization enabled
EU-US DPF
ISO 27001
Data Processing Terms
Sentry
sentry.io
Error tracking, performance monitoring, application logsUS (us-east-1)SOC 2 Type II
EU SCCs
DPA
Axiom
axiom.co
Security logs, audit trails, system monitoringUS/EU (customer choice)SOC 2 Type II
EU SCCs
DPA
Payment Processing
Stripe, Inc.
stripe.com
Payment processing (EUR, USD), subscription management, invoicingUS/EU (multi-region)
PCI DSS Level 1
PCI DSS Level 1
SOC 2, ISO 27001
DPA
Razorpay Software Pvt Ltd
razorpay.com
Payment processing (INR), subscription management (India-based customers only)India (Mumbai)PCI DSS Level 1
ISO 27001
Privacy Policy
Communications
Resend, Inc.
resend.com
Transactional emails (account notifications, password resets, billing)US (AWS us-east-1)SOC 2 Type II
EU SCCs
DPA
Security & Fraud Prevention
FingerprintJS Inc.
fingerprint.com
Bot detection, fraud prevention, device fingerprintingUS/EU (multi-region)SOC 2 Type II
EU SCCs
Privacy Policy
Webhook Infrastructure
Svix Inc.
svix.com
Webhook delivery, retry logic, webhook verificationUS (AWS us-east-1)SOC 2 Type II
EU SCCs
DPA
Workflow Automation
Inngest Inc.
inngest.com
Workflow orchestration, scheduled jobs, event-driven functionsUS (AWS us-east-1)SOC 2 Type II
EU SCCs
DPA

CMS Platform Sub-processors

When you integrate a third-party CMS platform, that platform processes content data according to your relationship with them (as controller or processor). The following CMS platforms are supported:

Important: These CMS platforms act as independent controllers or processors based on your contractual relationship with them. We store only encrypted connection credentials and act as your agent to publish content you explicitly approve. You are responsible for ensuring your CMS provider agreements include appropriate data protection terms.

Change Notification Procedures

Adding or Replacing Sub-processors

When we plan to add or replace a Sub-processor, we will:

  1. 30 days before the change:
    • Send email notification to your registered email address
    • Update this page with the new Sub-processor details
    • Include: Sub-processor name, purpose, data location, and data protection measures
  2. 14-day objection period: You may object in writing to legal@semlypro.com if you have legitimate data protection concerns
  3. Resolution: We will work with you to address concerns or provide alternative solutions. If we cannot accommodate your objection, you may terminate the affected Services without penalty.

Emergency Changes

In exceptional circumstances (security incidents, service outages, regulatory requirements), we may need to engage a replacement Sub-processor with less than 30 days notice. In such cases:

Sub-processor Due Diligence

Before engaging any Sub-processor, we conduct due diligence to ensure they:

Liability

We remain fully liable to you for the performance of our Sub-processors as if it were our own performance under the Data Processing Agreement. If a Sub-processor fails to fulfill their data protection obligations, we remain liable to you for that Sub-processor's failure.

Questions?

For questions about our Sub-processors or to object to a proposed change, contact:

Semly Pro Legal

Email: legal@semlypro.com

Privacy: privacy@semlypro.com


Related legal documents:
Data Processing Agreement | Privacy Policy | Security Practices | Terms of Service