Subprocessors
Version: 1.0 Last updated: 2026-05-04 Public URL when live: https://meandai.io/legal/subprocessors
This page lists every third party that meandai engages to process personal data on behalf of customers, in fulfilment of Article 28(2) and (4) GDPR and the Data Processing Agreement §7. The list is normative: every subprocessor that touches customer data is named here, with the country, purpose, and DPA URL.
Notification policy
We give all active customers at least 30 days' prior notice of any new or replacement subprocessor by:
- Email to the customer's primary contact, and
- Update of this page (the public URL is RSS-watchable for customer compliance teams), and
- In-app changelog entry under Settings → Compliance.
Within that 30-day window, a customer may object on documented data-protection grounds. If the parties cannot agree on a reasonable alternative within a further 30 days, the customer may terminate the affected services without penalty per DPA §7.2.
Categories
| Category | Engagement model | Default opt-in / opt-out |
|---|---|---|
| Infrastructure — required for the platform to function | All customers | Cannot be opted out of without terminating the service |
| Platform services — auth, jobs, email, payments | All customers | Cannot be opted out of without terminating the service |
| AI model providers — invoked per inference call | All customers, routed through shared-llm | Per-tenant model preference (e.g., disabling the OpenAI fallback) is configured by meandai on request for Enterprise tenants |
| Observability — logs and product analytics | All customers (logs) / opt-in (product analytics) | Logs cannot be opted out of (Art. 32 GDPR audit trail); product analytics runs only with granular consent given via the Cookie Banner |
| Marketing channels — Buffer, Meta, LinkedIn, TikTok, YouTube | Tenant-connected (engaged only if the customer connects the channel) | N/A — the customer initiates the connection |
A. Infrastructure
| Subprocessor | Country / processing region | Purpose | DPA URL | Last reviewed |
|---|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | EU — eu-central-1 (Frankfurt) | Key Management Service (KMS) for envelope encryption: each tenant has its own data encryption key (DEK), wrapped by a system-level KMS key (CMK). Plaintext customer data never crosses the AWS boundary; only KMS-wrapped DEKs do. | https://aws.amazon.com/agreement/ + GDPR DPA at https://aws.amazon.com/compliance/gdpr-center/ | 2026-05-04 |
| Neon, Inc. | EU — eu-central-1 (Frankfurt) | Postgres database (primary tenant data store). Per-tenant isolation enforced with Postgres row-level security (FORCE RLS). | https://neon.tech/dpa | 2026-05-04 |
| Neo4j, Inc. (Aura) | EU — Belgium | Graph database (per-tenant knowledge graph). Per-tenant database isolation. | https://neo4j.com/legal/dpa/ | 2026-05-04 |
| Cloudflare, Inc. | Global edge (EU presence) for CDN/Turnstile; EU region (WEUR) for R2 bucket meandai-backups | CDN, Turnstile (anti-bot), R2 object storage for encrypted Postgres dumps. | https://www.cloudflare.com/cloudflare-customer-dpa/ | 2026-05-04 |
| Railway Corp. | EU region (configurable; default eu-west) | FastAPI service hosting (~34 services), Inngest worker hosting. | https://railway.com/legal/dpa | 2026-05-04 |
| Doppler, Inc. | United States | Secret management for system credentials only; no customer personal data is ever sent to Doppler. Listed for transparency because the encrypted secret store holds OAuth refresh tokens for meandai's own admin accounts at vendor services. | https://www.doppler.com/legal/dpa | 2026-05-04 |
B. Platform services
| Subprocessor | Country / processing region | Purpose | DPA URL | Last reviewed |
|---|---|---|---|---|
| Clerk, Inc. | EU region (cloud-eu) | Authentication of Authorised Users — sign-up, sign-in, session, MFA, JWT issuance. | https://clerk.com/legal/dpa | 2026-05-04 |
| Inngest, Inc. | United States | Background job orchestration — durable cron, queue, retry. Job payloads carry metadata only (job ID, run ID, tenant ID slug, tags); customer personal data is fetched from Neon at job execution time and is never stored in Inngest. | https://www.inngest.com/legal/dpa | 2026-05-04 |
| Resend, Inc. | EU region | Transactional email — billing receipts, security alerts, account notifications, customer-facing AI-drafted email when sent on customer's behalf via Resend SMTP relay. | https://resend.com/legal/dpa | 2026-05-04 |
| Paddle.com Market Limited | Ireland (EU) | Subscription billing, tax compliance (Merchant of Record), payment processing. Receives the customer's billing email and company info; never receives customer-tenant content. | https://www.paddle.com/legal/data-processing-agreement | 2026-05-04 (Live target Track 3) |
C. AI model providers
These providers are invoked through the shared-llm package, which applies the tenant's model preference and emits per-call telemetry (to Logfire, see section D). Each provider has contractually committed that customer data submitted in inference calls is not used to train any model and is retained only as long as required to provide the API response.
| Subprocessor | Country / processing region | Purpose | DPA URL | Last reviewed |
|---|---|---|---|---|
| Anthropic, PBC | United States | Claude family LLM inference (default for chat, judge, planning, brand synthesis). | https://www.anthropic.com/legal/dpa + EU SCCs 2021/914 + DPF | 2026-05-04 |
| OpenAI, L.L.C. | United States | GPT family inference (fallback for routing failures), Whisper (audio transcription), TTS (voice output). | https://openai.com/policies/eu-data-processing-addendum + EU SCCs 2021/914 + DPF | 2026-05-04 |
| fal.ai, Inc. | United States | Image generation, opt-in and not default: invoked only when the tenant requests it. | EU SCCs 2021/914 (per https://fal.ai/legal/dpa) | 2026-05-04 |
| Google LLC (Gemini, optional) | United States / EU regions | LLM fallback, opt-in and not default: engaged only when the customer's brand-pack model_preferences includes Gemini (configured per tenant on request). | https://cloud.google.com/terms/data-processing-addendum + DPF | 2026-05-04 |
D. Observability
| Subprocessor | Country / processing region | Purpose | DPA URL | Last reviewed |
|---|---|---|---|---|
| Pydantic Services Ltd. (Logfire) | EU region | Structured-log observability (every agent run, every tool call, every judge verdict). PII redaction policy applied at emit time; full payload retained 30 days; aggregates retained 1 year. | https://pydantic.dev/legal/dpa | 2026-05-04 |
| PostHog, Inc. | EU region (cloud-eu) | Product analytics (Authorised User events), opt-in via the Cookie Banner only; the analytics client is not loaded for visitors who reject analytics. Also provides the feature flags behind the judge-gate auto-flip and the kill switch. | https://posthog.com/dpa | 2026-05-04 |
| Better Stack (Pingdom-equivalent) | EU | Public uptime page (status.meandai.io) — does not access customer data. | https://betterstack.com/dpa | 2026-05-04 |
E. Marketing channels (tenant-connected only)
These subprocessors only receive personal data if the customer connects them. They are listed here for transparency but are not engaged by default.
| Subprocessor | Country / processing region | Purpose | DPA URL | Last reviewed |
|---|---|---|---|---|
| Buffer, Inc. | United States | Scheduled posting to social channels (Buffer fans out to Instagram / LinkedIn / TikTok / YouTube on the tenant's connected accounts). | https://buffer.com/legal/dpa | 2026-05-04 |
| Meta Platforms, Inc. | Ireland (Meta Ireland) for EU users | Posting to and reading from Instagram and Facebook on the tenant's connected accounts. | https://www.facebook.com/legal/terms/dataprocessing | 2026-05-04 |
| LinkedIn Corporation | Ireland (LinkedIn Ireland) | Posting on the tenant's connected LinkedIn pages / personal profile. | https://www.linkedin.com/legal/l/dpa | 2026-05-04 |
| TikTok / Bytedance Ltd. | Ireland for EU users | Posting on the tenant's connected TikTok account. | https://www.tiktok.com/legal/page/eea/dpa-addendum/en | 2026-05-04 |
| Google LLC (YouTube) | United States / EU regions | Posting on the tenant's connected YouTube channel. | https://cloud.google.com/terms/data-processing-addendum + DPF | 2026-05-04 |
| Telegram FZ-LLC | UAE | Out-of-band kill switch and admin notifications via meandai's bot. Not a tenant-connected channel: engaged for platform operations only, and no customer personal data is sent, only platform alerts. | https://telegram.org/privacy | 2026-05-04 |
| WhatsApp Ireland Ltd. (Meta) | Ireland | WhatsApp Business messaging, opt-in and not default: engaged only when the tenant connects its WABA. | https://www.whatsapp.com/legal/dataprocessing-business | 2026-05-04 |
| Zoom Video Communications, Inc. | United States / EU regions for EU customers | Meeting recordings and transcripts, opt-in and not default: engaged only when the tenant connects Zoom. | https://explore.zoom.us/en/data-processing-addendum/ | 2026-05-04 |
F. Insurance and professional services
These are not "subprocessors" in the strict GDPR sense (they do not process personal data on our instructions to provide the platform), but they are listed for transparency because they may receive incident-related personal data.
| Recipient | Country | Engagement | Personal data category |
|---|---|---|---|
| Coalition, Inc. (cyber + tech E&O insurance) | United States, EU operations | On insurance claim only | Incident report metadata, breach notification material |
| External lawyer (TBD via Track 0.C) | Montenegro / EU | On legal matter only | As required by the matter |
| External accountant | Montenegro | Annual filings | Billing data, employee data (when staff hired) |
| Securitum / DeepStrike (planned annual pentest) | EU | Scheduled engagement under NDA | Synthetic test data only — no production tenant data |
G. Region map
A summary of where each subprocessor's primary processing occurs (opt-in and tenant-connected subprocessors are engaged only as described in sections C and E):
EU primary (default) : Neon, Neo4j Aura, Cloudflare R2, Railway, AWS KMS,
                       Resend, Clerk, Logfire, PostHog, Paddle, Better Stack
US primary : Anthropic, OpenAI, fal.ai (opt-in), Inngest (metadata only),
             Doppler (system secrets only), Buffer (tenant-connected)
US / EU regions : Google (Gemini, opt-in; YouTube, tenant-connected), Zoom (tenant-connected)
Ireland (EU) for EU users : Meta, LinkedIn, TikTok, WhatsApp (all tenant-connected)
Global edge : Cloudflare CDN / Turnstile
Outside the EEA, no customer personal data : Telegram (UAE, platform alerts only)
H. Cross-border transfer mechanisms
Where a subprocessor primarily operates outside the EEA, the legal mechanism for the transfer is documented per subprocessor:
- Anthropic, OpenAI, fal.ai — EU Standard Contractual Clauses 2021/914 (Module Two or Module Three as applicable; Module Three, processor-to-processor, where the data is customer personal data that meandai processes on the customer's instructions) + transfer impact assessment (TIA). Anthropic and OpenAI also rely on the EU-US Data Privacy Framework (DPF) where adequacy is in force.
- Google (Gemini, opt-in) — Google Cloud Data Processing Addendum + DPF.
- Inngest, Doppler — EU SCCs 2021/914 (same module rule as above); the data sent is metadata and system credentials, not customer personal data.
- Buffer, Meta, LinkedIn, TikTok, YouTube, Zoom — the relevant SCCs and the subprocessor's own DPA, executed at the moment the customer connects the integration.
- Telegram — the subprocessor's own terms (linked above); no customer personal data is sent, only platform alerts.
A copy of the executed SCCs and TIAs is available on customer request via privacy@meandai.io.
I. Subprocessor change history
| Date | Change | Notes |
|---|---|---|
| 2026-05-04 | Initial publication | Track 9 / Wave 19 |
Internal note — Track 9 / Wave 19:
Paddle is listed as a Live target because Paddle KYC and integration are Track 3 work. Until Paddle is connected, Stripe Connect (US) may be the interim payments processor; if so, this list must be updated and 30 days' customer notice given before the LIVE flip. Drata Foundation (compliance evidence) is not a subprocessor: it ingests platform metadata (Doppler audit log, Clerk audit log) but does not see customer personal data. It is listed as a recipient in the AUP §4 enforcement evidence trail, not here.