Subprocessors

Version 1.0 — Last updated 2026-05-05

Calafai uses a small set of third parties to deliver the service. When you submit a brief, run an engagement, or receive a deliverable, your data may pass through one or more of these subprocessors. We list them here in full so you can review the chain of custody before signing up.

Subprocessors fall into two groups: AI model providers, who run the language and image models that produce your deliverables, and operational subprocessors — the hosting, billing, email, and monitoring services that keep the platform running.

We will give at least 30 days' notice before adding a new subprocessor that processes customer personal data, in line with our Data Processing Agreement. This page is the canonical record — bookmark it.

AI model providers

These are the model providers we currently route production traffic to. We disclose only providers we actually use — if a connector exists in our codebase but no traffic flows to it (no API key deployed in production), it is not listed here. We update this page whenever we add or remove a provider.

OpenAI

OpenAI, L.L.C.

United States

Purpose: Research-tier reasoning, accountancy/cost tasks, and complex multi-step analysis (gpt-5.4, gpt-5.4-mini, o3, gpt-4.1-nano fallback).
Data processed: Engagement briefs, attachment extracts, intermediate reasoning outputs.
Data location: USA. EU data residency available via Azure OpenAI EU deployments.
Processing terms: DPA in force via OpenAI commercial agreement.

Website ↗Privacy policy ↗DPA ↗

Models in production (4)

gpt-5.4Research tier — deep analysis and synthesis.
gpt-5.4-miniAccountant tier — financial reasoning.
o3Reasoning tier — complex multi-step analysis.
gpt-4.1-nanoTiered fallback when primary models are unavailable.

Anthropic

Anthropic, PBC

United States

Purpose: Writing, full-stack consulting reasoning, synthesis, and analytical scoring (claude-sonnet-4-6, claude-opus-4-7, claude-haiku-4-5).
Data processed: Engagement briefs, attachment extracts, intermediate reasoning outputs.
Data location: USA. GCP EU infrastructure available on request.
Processing terms: DPA in force via Anthropic commercial agreement.

Website ↗Privacy policy ↗DPA ↗

Models in production (3)

claude-sonnet-4-6Writing, full-stack, manager, default tiers.
claude-opus-4-7Synthesis tier — chapter-length narrative generation, report writing.
claude-haiku-4-5-20251001Analytical tier — observer scoring, fast review.

xAI

X.AI Corp.

United States

Purpose: Strategy and efficient tiers (grok-4.3 — adaptive-intensity reasoning).
Data processed: Engagement briefs, attachment extracts, intermediate reasoning outputs.
Data location: USA.
Processing terms: Standard API enterprise terms; formal DPA pending — Transfer Impact Assessment in progress (see /trust).

Website ↗Privacy policy ↗

Models in production (1)

grok-4.3Strategy and efficient tiers — adaptive-intensity reasoning replaces the retired grok-4.20 / grok-4-1-fast families.

Google (Gemini via AI Studio)

Google LLC

United States

Purpose: Multimodal analysis — images, document parsing, vision tasks (gemini-2.5-flash).
Data processed: Image attachments, PDF/DOCX extracts, multimodal prompts.
Data location: US endpoints today (AI Studio consumer API). Vertex AI / GCP EU residency becomes available on migration.
Processing terms: Google AI Studio Additional Terms (DPA-by-reference) today; Vertex AI / GCP DPA migration expected by 2026-05-21 (BACKLOG #130, P0).

Website ↗Privacy policy ↗DPA ↗

Models in production (1)

gemini-2.5-flashMultimodal tier — image and document analysis.

Ideogram

Ideogram, Inc.

United States

Purpose: Image generation for deliverable illustrations and brand visuals.
Data processed: Text prompts only — no client-uploaded source imagery.
Data location: USA.
Processing terms: Standard API terms; no separate DPA required (text-only prompts).

Website ↗Privacy policy ↗

Models in production (1)

ideogram-v2Image generation for deliverables.

Self-hosted (Ollama / Qwen models)

Calafai B.V. (self-hosted)

Self-hosted within Calafai infrastructure

Purpose: Cost-zero code generation and simple support tasks running on Calafai-controlled hardware (qwen3-coder, qwen3:8b).
Data processed: Engagement briefs and code-generation prompts.
Data location: Self-hosted; no third-country transfer. Model weights distributed by Alibaba Cloud (Qwen) but no inference data leaves Calafai infrastructure.
Processing terms: Not applicable — self-hosted inference, no external processor.

Models in production (2)

qwen3-coderCode tier — code generation, self-hosted inference.
qwen3:8bSimple tier — routing and basic support tasks.

Operational subprocessors

Service providers that process customer personal data on Calafai's behalf to operate the platform — hosting, payments, email delivery, and error monitoring.

Supabase

Supabase, Inc.

United States (EU-region database hosting)

Purpose: Primary application database (PostgreSQL) with row-level tenant isolation, plus authentication (email/password, magic link, SSO).
Data processed: Account credentials, engagement metadata, deliverables, audit logs.
Data location: EU-region (eu-west) PostgreSQL cluster. Encrypted at rest (AES-256) and in transit (TLS 1.2+).
Processing terms: DPA in force via Supabase platform agreement.

Website ↗Privacy policy ↗DPA ↗

Vercel

Vercel Inc.

United States (global edge network)

Purpose: Web application hosting (Next.js), API routes, edge caching, and CDN.
Data processed: HTTP request/response payloads, account-bound session cookies, server logs.
Data location: Multi-region edge with US-based control plane. EU edge nodes serve EU users.
Processing terms: DPA in force via Vercel commercial agreement.

Website ↗Privacy policy ↗DPA ↗

Railway

Railway Corp.

United States

Purpose: Long-running engagement engine (Python). Receives engagement briefs and dispatches to AI model providers.
Data processed: Engagement briefs, attachment extracts, intermediate reasoning outputs, run logs.
Data location: USA-region container hosting.
Processing terms: DPA in force via Railway terms.

Website ↗Privacy policy ↗

Stripe

Stripe, Inc. (Stripe Payments Europe Ltd. for EU)

United States / Ireland (EU)

Purpose: Subscription billing, credit-pack purchases, invoice generation, payment-method storage.
Data processed: Payment card details (tokenised — never touch Calafai infrastructure), billing address, tax ID, customer email.
Data location: EU customers handled by Stripe Payments Europe Ltd. (Ireland). Card data tokenised by Stripe.
Processing terms: DPA in force via Stripe Services Agreement.

Website ↗Privacy policy ↗DPA ↗

Resend

Resend, Inc.

United States

Purpose: Transactional email delivery — engagement notifications, invite codes, password reset.
Data processed: Recipient email address, message content, delivery metadata.
Data location: USA.
Processing terms: DPA in force via Resend terms.

Website ↗Privacy policy ↗DPA ↗

Sentry

Functional Software, Inc. (dba Sentry)

United States

Purpose: Application error tracking and performance monitoring. Helps Calafai diagnose and fix production issues.
Data processed: Stack traces, request context, user ID (no email/name), browser/OS metadata. Server-side scrubbing strips known PII fields before transmission.
Data location: USA. EU-region Sentry available (under evaluation).
Processing terms: DPA in force via Sentry terms.

Website ↗Privacy policy ↗DPA ↗

Upstash

Upstash, Inc.

United States (multi-region)

Purpose: Optional rate-limiting and ephemeral cache (Redis). Degrades gracefully to in-memory if unavailable.
Data processed: API key prefixes, rate-limit counters, short-lived cache entries. No engagement content.
Data location: Multi-region (EU available).
Processing terms: DPA in force via Upstash terms.

Website ↗Privacy policy ↗

Questions or objections

If you have questions about a specific subprocessor, or you would like to object to a planned change, write to privacy@calafai.com. For matters specific to AI Act compliance, write to ai-act@calafai.com.