Skip to main content

Trust

Sub-processors

15 vendors that may process Cavaridge customer data. Exhaustive list, kept honest.

Last reconciled against the codebase: 2026-05-05. Material changes are notified to BAA-covered tenants at least 30 days in advance per the BAA template.

VendorPurposeData classPII / PHIRegionBasisEvidenceReview
Railway Corp.
Railway
Application hosting, container orchestration, managed Redis, build runnersContentPIIPHIus-west2 (Oregon)DPA + BAAlinkverified
Supabase Inc.
Supabase Postgres + Auth helpers + pgvector
Primary application database (cavaridge-platform-prod), row-level security enforcement, vector storageContentPIIPHIus-west-2 (Oregon)DPA + BAAlinkverified
Clerk, Inc.
Clerk authentication + session management
User identity, session tokens, organization membershipIdentityPIIUnited StatesDPAlinkverified
Stripe, Inc.
Stripe + Stripe Connect Express
Payment processing, billing, partner payouts (PROD-08)BillingPIIUnited StatesDPAlinkverified
Cloudflare, Inc.
Cloudflare DNS + CDN + DDoS
DNS resolution, edge caching, TLS termination, DDoS mitigationTelemetryPIIGlobal edgeDPAlinkverified
Doppler, Inc.
Doppler secrets management
Secrets distribution to Railway services and GitHub ActionsSecretsUnited StatesDPAlinkverified
OpenRouter, Inc.
OpenRouter LLM gateway
Routing layer between Spaniel and underlying model providersContentPIIPHIUnited StatesDPA + BAAlinkverified
Anthropic, PBC
Claude API (via OpenRouter; direct via @anthropic-ai/sdk in select packages)
LLM inference (default model family for most agent workflows)ContentPIIPHIUnited StatesBAAlinkverified
OpenAI, L.L.C.
OpenAI API (via OpenRouter; direct via openai SDK in select packages)
LLM inference (alternative model family)ContentPIIPHIUnited StatesBAAlinkverified
Google LLC
Gemini API (via OpenRouter)
LLM inference (alternative model family)ContentPIIPHIUnited StatesBAAlinkverified
Functional Software, Inc. (Sentry)
Sentry error monitoring
Application error capture, stack trace aggregationTelemetryPIIUnited StatesDPAlinkverified
Finto Technologies GmbH (Langfuse)
Langfuse LLM observability
Prompt + response tracing, evaluation, latency trackingContentPIIPHIEU (with US deployment option)DPA + BAAlinkverified
Resend.com, Inc.
Resend transactional email
Transactional email delivery (Cavaridge Herald)IdentityPIIUnited StatesDPAlinkverified
GitHub, Inc.
GitHub source control + Actions
Source control, CI/CDUnited StatesDPAlinkverified
Pax8, Inc.
Pax8 Marketplace (PROD-08)
Reseller marketplace listing distributionBillingPIIUnited StatesDPAlinkverified

Evaluated, not engaged

  • HackerOne / Bugcrowd: VDP runs in-house at PROD-09 launch. May add a managed bug bounty later (operator decision).
  • PagerDuty / Opsgenie: On-call paging is operator-side at PROD-09 launch (single-operator rotation).
  • Segment / PostHog / Mixpanel / Amplitude: Cavaridge does not run third-party analytics. Pulse is the in-house telemetry layer.

See also: /security · /legal/privacy · BAA request.