Subprocessors
Version: 1.0 (DRAFT — v3.7 alignment notes appended 2026-05-11; signed-off form gated on F-13 lawyer review)
Last updated: 2026-05-04 (v3.3 era body) + 2026-05-11 (v3.7 alignment notes)
Public URL when live: https://meandai.io/legal/subprocessors
This page lists every third party that meandai engages to process personal data on behalf of customers, in fulfilment of Article 28(2) and (4) GDPR and the Data Processing Agreement §7. The list is normative: every subprocessor that touches customer data is named here, with the country, purpose, and DPA URL.
v3.7 alignment notes (2026-05-11 autonomous Track B; pre-lawyer-review for F-13)
This document was authored 2026-05-04 against Stack v3.3 / Master Blueprint v3.4 era. Stack v3.7 (locked 2026-05-07) materially changes the subprocessor list across 6 vendors + 1 region. The body below is preserved as the v3.3-era baseline. The lawyer reviewing under F-13 must incorporate the changes below into the signed-off legal pack BEFORE Phase 1 paid-beta launch.
What v3.7 changes (subprocessor table)
| Current entry (v3.3 baseline below) | v3.7 status | Replacement (when migration completes) |
|---|---|---|
| AWS KMS — eu-central-1 (Frankfurt) | REGION_DRIFT | AWS KMS — us-east-1 (N. Virginia) per Stack v3.7 §1.2 + §3.10 (US-first lock) |
| Neon — eu-central-1 (Frankfurt) | REGION_DRIFT | Neon — us-east-1 per Stack v3.7 §3.3 |
| Neo4j Aura — Belgium | DEMOTED | FalkorDB Cloud preferred per Stack v3.7 §3.5 (us-east-1 if commercial terms clean); Aura demoted to fallback only |
| Resend — EU region | LEGACY (TRANSITION) | Postmark per Stack v3.7 §3.11 (US region); replacement gated on Stefan Postmark signup |
| Paddle.com Market Limited — Ireland (EU) | REMOVED | Stripe per Stack v3.7 §3.13 + ADR-006 + ADR-018 (Stripe-only Phase 1 billing); replacement gated on Wyoming LLC formation chain (ADR-005 + ADR-017) |
| Doppler — United States | LEGACY (TRANSITION) | AWS Secrets Manager — us-east-1 per Stack v3.7 §3.9; replacement gated on F-9 |
| PostHog (EU) | LEGACY | PostHog Cloud US per Stack v3.7 §3.12 (frontend/lib/posthog-client.ts default fixed in commit 6aa6420a) |
| Cloudflare R2 — EU/Global | ROLE_CHANGE | Cloudflare R2 — backup-only role per Stack v3.7 §3.7 (NOT primary artefact storage); primary becomes AWS S3 us-east-1 per §3.6 |
| (NEW) Weaviate Cloud US | NEW | Weaviate Cloud — US per Stack v3.7 §3.4 (semantic memory layer); not in v3.3 baseline; gated on Stefan signup |
| (NEW) AWS S3 us-east-1 | NEW | AWS S3 — us-east-1 per Stack v3.7 §3.6 (raw artefact storage primary); gated on F-9 |
What v3.7 confirms (no change)
- Clerk (US) — auth + tenant orgs.
- Inngest — workflow / cron / event engine.
- Logfire — observability (region update to US per Stack v3.7 §2.1).
- Anthropic / OpenAI / etc. — LLM providers via shared-llm.
- Notification policy (30-day prior notice + RSS-watchable + in-app changelog) — unchanged.
- DPA / Article 28(2) GDPR posture — unchanged at the contract layer; subprocessor identity changes within DPA framework.
Commercial-entity change
The contracting party changes from Montenegro company (predecessor implicit) to Wyoming LLC for Phase 1 commercial distribution per Stack v3.7 §1.3 + ADR-005 + ADR-017. Customer-facing invoice identity = Wyoming LLC. Montenegro company remains the platform/IP/development entity. Intercompany distribution/licence agreement gates the legal-pack signed form.
Notification timeline impact
Per the 30-day prior-notice policy (§"Notification policy"):
- Region migrations (eu-central-1 → us-east-1 for AWS KMS + Neon) → require 30-day notice if any tenant is already onboarded. Today: 3 tenants (MLA + meandai.io + Sandbox), all internal; no external customer notice required for now.
- Vendor swaps (Paddle → Stripe / Doppler → AWS Secrets / Resend → Postmark / Aura → FalkorDB) → same 30-day rule when external customers exist; for current internal-only state no notice required.
- Order of operations: all subprocessor changes lock in BEFORE first paid-beta tenant onboards; no live customer ever sees an in-flight subprocessor swap.
Linkbacks to migration tracking
- Stack v3.7 §3.* — locked vendor decisions.
- ADR-005 (Wyoming LLC), ADR-006 (Stripe-only), ADR-007 (Workflow Option B), ADR-008 (Cap-token KMS-asymmetric), ADR-009 (Redis Option C), ADR-010 (TM Relay template) in docs/DECISION_LOG.md.
- Technical ADRs 017-021 in docs/adr/.
- Migration plans: docs/migration_plans/EU_TO_US_MIGRATION_2026_05_07.md, CORP_STRUCTURE_PIVOT_2026_05_07.md, NATIVE_AGENTS_TO_MULTITENANT_2026_05_07.md, docs/audits/VENDOR_SWAPS_AUDIT_2026_05_07.md.
- Lawyer review packet: docs/legal/lawyer_review/LAWYER_REVIEW_PACKET.md — also has v3.7 alignment notes appended.
What CTO Tower CANNOT change in this doc
The body subprocessor TABLE (rows 33-47) is preserved as the v3.3-era baseline. CTO Tower does not edit signed-off-target legal-pack content per Master Blueprint v3.7 §10 + CTO Tower v2.3 §1.3 ("legal signatures" + "legal review" are founder/lawyer responsibilities). The lawyer in F-13 review takes these alignment notes and produces the v3.7-aligned signed-off subprocessor table.
This DRAFT v1.0 + alignment notes is input to F-13, not a replacement for it. Signed-off normative subprocessor list lands when Stefan + lawyer complete F-13 review and produce v1.1 (or v2.0).
Notification policy
We give all active customers at least 30 days' prior notice of any new or replacement subprocessor by:
- Email to the customer's primary contact, and
- Update of this page (the public URL is RSS-watchable for customer compliance teams), and
- In-app changelog entry under Settings → Compliance.
Within that 30-day window, a customer may object on documented data-protection grounds. If the parties cannot agree on a reasonable alternative within a further 30 days, the customer may terminate the affected services without penalty per DPA §7.2.
Categories
| Category | Engagement model | Default opt-in / opt-out |
|---|---|---|
| Infrastructure — required for the platform to function | All customers | Opt-out impossible without termination |
| Platform services — auth, jobs, email, payments | All customers | Opt-out impossible without termination |
| AI model providers — invoked per inference call | All customers, routed through shared-llm | Per-tenant model preference (e.g., disable OpenAI fallback) configurable by Stefan on Enterprise |
| Observability — logs and product analytics | All customers (logs) / opt-in (product analytics) | Logs cannot be opted out (Art. 32 audit trail); product analytics granular consent via Cookie Banner |
| Marketing channels — Buffer, Meta, LinkedIn, TikTok, YouTube | Tenant-connected (only if customer connects) | N/A — customer initiates the connection |
A. Infrastructure
| Subprocessor | Country | Purpose | DPA URL | Last reviewed |
|---|---|---|---|---|
| Amazon Web Services, Inc. (AWS) | EU — eu-central-1 (Frankfurt) | Key Management Service for envelope encryption (per-tenant DEK and system-level CMK). Plaintext customer data never crosses the AWS boundary; only KMS-wrapped DEKs do. | https://aws.amazon.com/agreement/ + GDPR DPA at https://aws.amazon.com/compliance/gdpr-center/ | 2026-05-04 |
| Neon, Inc. | EU — eu-central-1 (Frankfurt) | Postgres database (primary tenant data store). Per-tenant FORCE RLS isolation. | https://neon.tech/dpa | 2026-05-04 |
| Neo4j, Inc. (Aura) | EU — Belgium | Graph database (per-tenant knowledge graph). Per-tenant database isolation. | https://neo4j.com/legal/dpa/ | 2026-05-04 |
| Cloudflare, Inc. | Global edge (EU presence) for CDN/Turnstile; EU region (WEUR) for R2 bucket meandai-backups | CDN, Turnstile (anti-bot), R2 object storage for encrypted Postgres dumps. | https://www.cloudflare.com/cloudflare-customer-dpa/ | 2026-05-04 |
| Railway Corp. | EU region (configurable; default eu-west) | FastAPI service hosting (~34 services), Inngest worker hosting. | https://railway.com/legal/dpa | 2026-05-04 |
| Doppler, Inc. | United States | Secret management — system credentials only. No customer personal data ever sent to Doppler. Listed because of the (encrypted) secret store containing OAuth refresh tokens of meandai's own admin accounts to vendor services. | https://www.doppler.com/legal/dpa | 2026-05-04 |
B. Platform services
| Subprocessor | Country | Purpose | DPA URL | Last reviewed |
|---|---|---|---|---|
| Clerk, Inc. | EU region (cloud-eu) | Authentication of Authorised Users — sign-up, sign-in, session, MFA, JWT issuance. | https://clerk.com/legal/dpa | 2026-05-04 |
| Inngest, Inc. | United States | Background job orchestration — durable cron, queue, retry. Job payloads carry metadata only (job id, run id, tenant id slug, tags); customer personal data is fetched from Neon at job execution time, not stored in Inngest. | https://www.inngest.com/legal/dpa | 2026-05-04 |
| Resend, Inc. | EU region | Transactional email — billing receipts, security alerts, account notifications, customer-facing AI-drafted email when sent on customer's behalf via Resend SMTP relay. | https://resend.com/legal/dpa | 2026-05-04 |
| Paddle.com Market Limited | Ireland (EU) | Subscription billing, tax compliance (Merchant of Record), payment processing. Receives the customer's billing email and company info; never receives customer-tenant content. | https://www.paddle.com/legal/data-processing-agreement | 2026-05-04 (Live target Track 3) |
C. AI model providers
These are routed via the shared-llm package, with per-tenant model preference and per-call telemetry. We have a contractual commitment from each that customer data submitted via inference calls is not used to train any model and is retained only as required to provide the API response.
| Subprocessor | Country | Purpose | DPA URL | Last reviewed |
|---|---|---|---|---|
| Anthropic, PBC | United States | Claude family LLM inference (default for chat, judge, planning, brand synthesis). | https://www.anthropic.com/legal/dpa + EU SCCs 2021/914 + DPF | 2026-05-04 |
| OpenAI, L.L.C. | United States | GPT family inference (fallback for routing failures), Whisper (audio transcription), TTS (voice output). | https://openai.com/policies/eu-data-processing-addendum + EU SCCs 2021/914 + DPF | 2026-05-04 |
| fal.ai, Inc. | United States | Image generation (when tenant requests; no default invocation). | EU SCCs 2021/914 (per https://fal.ai/legal/dpa) | 2026-05-04 — opt-in, not default |
| Google LLC (Gemini, optional) | United States / EU regions | LLM fallback (not default; configured per-tenant on request only). Engaged only when customer's brand-pack model_preferences includes Gemini. | https://cloud.google.com/terms/data-processing-addendum + DPF | 2026-05-04 — opt-in, not default |
D. Observability
| Subprocessor | Country | Purpose | DPA URL | Last reviewed |
|---|---|---|---|---|
| Pydantic Services Ltd. (Logfire) | EU region | Structured-log observability (every agent run, every tool call, every judge verdict). PII redaction policy applied at emit time; full payload retained 30 days; aggregates retained 1 year. | https://pydantic.dev/legal/dpa | 2026-05-04 |
| PostHog, Inc. | EU region (cloud-eu) | Product analytics (Authorised User events) — opt-in via Cookie Banner only; not loaded for visitors who reject analytics. Feature flags used by judge-gate auto-flip and kill switch. | https://posthog.com/dpa | 2026-05-04 |
| Better Stack (Pingdom-equivalent) | EU | Public uptime page (status.meandai.io) — does not access customer data. | https://betterstack.com/dpa | 2026-05-04 |
E. Marketing channels (tenant-connected only)
These subprocessors only receive personal data if the customer connects them. They are listed here for transparency but are not engaged by default.
| Subprocessor | Country | Purpose | DPA URL | Last reviewed |
|---|---|---|---|---|
| Buffer, Inc. | United States | Scheduled posting to social channels (Buffer fans-out to Instagram / LinkedIn / TikTok / YouTube on tenant's connected accounts). | https://buffer.com/legal/dpa | 2026-05-04 |
| Meta Platforms, Inc. | Ireland (Meta Ireland) for EU users | Posting + reading Instagram, Facebook on the tenant's connected accounts. | https://www.facebook.com/legal/terms/dataprocessing | 2026-05-04 |
| LinkedIn Corporation | Ireland (LinkedIn Ireland) | Posting on the tenant's connected LinkedIn pages / personal profile. | https://www.linkedin.com/legal/l/dpa | 2026-05-04 |
| TikTok / Bytedance Ltd. | Ireland for EU users | Posting on the tenant's connected TikTok account. | https://www.tiktok.com/legal/page/eea/dpa-addendum/en | 2026-05-04 |
| Google LLC (YouTube) | United States / EU regions | Posting on the tenant's connected YouTube channel. | https://cloud.google.com/terms/data-processing-addendum + DPF | 2026-05-04 |
| Telegram FZ-LLC | UAE | Out-of-band kill switch + admin notifications via meandai's bot. No customer personal data sent, only platform alerts. | https://telegram.org/privacy | 2026-05-04 |
| WhatsApp Ireland Ltd. (Meta) | Ireland | WhatsApp Business messaging when the tenant connects its WABA. | https://www.whatsapp.com/legal/dataprocessing-business | 2026-05-04 — opt-in, not default |
| Zoom Video Communications, Inc. | United States / EU regions for EU customers | Meeting recordings + transcripts when the tenant connects Zoom; otherwise not engaged. | https://explore.zoom.us/en/data-processing-addendum/ | 2026-05-04 — opt-in, not default |
F. Insurance and professional services
These are not "subprocessors" in the strict GDPR sense (they do not process personal data on our instructions to provide the platform), but they are listed for transparency because they may receive incident-related personal data.
| Recipient | Country | Engagement | Personal data category |
|---|---|---|---|
| Coalition, Inc. (cyber + tech E&O insurance) | United States, EU operations | On insurance claim only | Incident report metadata, breach notification material |
| External lawyer (TBD via Track 0.C) | Montenegro / EU | On legal matter only | As required by the matter |
| External accountant | Montenegro | Annual filings | Billing data, employee data (when staff hired) |
| Securitum / DeepStrike (planned annual pentest) | EU | Scheduled engagement under NDA | Synthetic test data only — no production tenant data |
G. Region map
A summary of where each subprocessor's primary processing occurs:
- EU primary (default): Neon, Neo4j Aura, Cloudflare R2, Railway, AWS KMS, Resend, Clerk, Logfire, PostHog, Paddle, Better Stack
- US primary: Anthropic, OpenAI, fal.ai, Inngest (metadata only), Doppler (system secrets only)
- EU primary, US data-sharing: Cloudflare edge (global), Buffer/Meta/LinkedIn (tenant-connected)
H. Cross-border transfer mechanisms
Where a subprocessor primarily operates outside the EEA, the legal mechanism for transfer is documented per-subprocessor:
- Anthropic, OpenAI, fal.ai — EU Standard Contractual Clauses 2021/914 Module Two + transfer impact assessment (TIA). Anthropic and OpenAI also rely on the EU-US Data Privacy Framework (DPF) where adequacy is in force.
- Inngest, Doppler — EU SCCs 2021/914 Module Two; data sent is metadata/system credentials, not customer personal data.
- Telegram, Buffer, Meta, LinkedIn, TikTok — relevant SCCs and the subprocessor's own DPA, executed at the moment the customer connects the integration.
A copy of the executed SCCs and TIAs is available on customer request via privacy@meandai.io.
I. Subprocessor change history
| Date | Change | Notes |
|---|---|---|
| 2026-05-04 | Initial publication | Track 9 / Wave 19 |
Internal note — Track 9 / Wave 19:
Paddle is listed as Live-target because Paddle KYC + integration is Track 3 work. Until Paddle is connected, Stripe Connect (US) may be the interim payments processor; if so, this list must be updated and 30 days' customer notice given before the LIVE flip. Drata Foundation (compliance evidence) is not a subprocessor — it ingests platform metadata (Doppler audit log, Clerk audit log) but does not see customer personal data; it is listed as a recipient in the AUP §4 enforcement evidence trail, not here.