Effective: 10 May 2026
What this page is. Every third party that processes Validera customer data on our behalf is listed below, along with the purpose, the data they handle, and where the processing happens. This is the source-of-truth list.
Notice of changes. We commit to giving customers thirty days notice via email before adding a new sub-processor. Customers under a Data Processing Agreement may object to the addition; we will work with you to find a resolution and, where reasonably practical, offer alternatives.
| Vendor | Purpose | Data handled | Region | Transfer mechanism |
|---|---|---|---|---|
| Vercel Inc. | Hosting for the admin dashboard (app.validera.io) and the three backend services (extractor, verdict, audit). Build pipeline, runtime, edge network, runtime logs. | All operational data in transit. Runtime logs (scrubbed of PII). | Functions execute on Vercel's global edge network, region nearest the user. Build artefacts stored in the United States. | EU Standard Contractual Clauses (Vercel DPA) |
| Supabase Inc. | Managed PostgreSQL database for the audit log (verdict events, override events, extraction events, tenant configuration). | All operational data at rest. AES-256 encryption at rest. | Sydney (AWS ap-southeast-2) | Australia — no cross-border transfer for at-rest data. Supabase support access governed by Supabase DPA. |
| Anthropic, PBC | Claude API. Used by the extractor to convert ticket text into a structured Intent Object, and by the verdict service for semantic-check rules. Synchronous request/response only. | Ticket text and intent objects sent at request time. Not retained beyond Anthropic's commercial-API retention window. Not used to train models under Anthropic's commercial terms. | United States | EU Standard Contractual Clauses (Anthropic Commercial DPA) |
| Google LLC | Chrome's identity API (chrome.identity.getProfileUserInfo) used by the extension to surface the agent's signed-in Google profile email for self-onboarding. | Agent email address only. We receive the email; Google does not receive any Validera data. | Global (Chrome client-side; no Validera data sent to Google servers). | Not applicable — Validera does not transfer customer data to Google. |
| GitHub, Inc. (Microsoft) | Source code hosting and CI for Validera's own repositories. No customer data is ever stored in these repositories. | Source code only. No customer data. | United States | Not applicable — no customer data transfer. |
To receive sub-processor change notices, customers should ensure their designated security or privacy contact is registered with us. To register or update a contact, email privacy@validera.io.
If a customer objects to a new sub-processor within thirty days of notice, we will work with the customer in good faith to find an acceptable arrangement. Where no acceptable arrangement can be found, the customer may terminate the affected services without penalty in accordance with the termination provisions of the Data Processing Agreement.
This is the first published version of this page (10 May 2026). Future material changes will be logged here with the date of change and a brief description.