⚠️ Draft placeholder. This document is pending review by legal counsel and is not yet binding.
Subprocessor List
Version: Draft (pending counsel review)
Last updated: 2026-06-14
This list discloses every third-party subprocessor that may Process
Customer Personal Data in support of the Blueprint Service.
Material changes (additions, replacements) are announced at least
30 days in advance via this list and email to the account
address of paying customers.
1. Core platform subprocessors
These are required to deliver the core Service. Removing or
substituting any of these would constitute a material change to
the Service.
1.1 Google Cloud Platform (GCP)
| | |
|---|---|
| Role | Compute, object storage, managed databases — production hosting |
| Provider | Google LLC |
| Address | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
| Data processed | All Customer Content; account data; service logs |
| Region | us-east1 (Moncks Corner, SC, USA) |
| Retention | Per Customer's account lifecycle + 30 days |
| Certifications | SOC 1/2/3, ISO 27001/27017/27018/27701, PCI DSS, FedRAMP Moderate (selected services), HIPAA-eligible |
| Privacy notice | https://cloud.google.com/terms/data-processing-addendum |
| DPA / SCCs | Executed |
1.2 Clerk
| | |
|---|---|
| Role | Authentication, session management, user identity |
| Provider | Clerk, Inc. |
| Address | 660 King St, Unit 345, San Francisco, CA 94107, USA |
| Data processed | Account data (email, user ID, sign-in events); session cookies |
| Region | United States |
| Retention | Lifecycle of the user account |
| Certifications | SOC 2 Type II |
| Privacy notice | https://clerk.com/privacy |
| DPA / SCCs | Per Clerk standard DPA |
1.3 Stripe
| | |
|---|---|
| Role | Payment processing; subscription + one-shot Top-Up billing; customer portal |
| Provider | Stripe, Inc. |
| Address | 354 Oyster Point Boulevard, South San Francisco, CA 94080, USA |
| Data processed | Payment card information (Stripe-hosted; we do not see); billing address; Stripe customer ID; charge / invoice records |
| Region | United States (with global edge for card networks) |
| Retention | Per financial regulations (typically 7 years) |
| Certifications | PCI DSS Level 1, SOC 1/2, ISO 27001 |
| Privacy notice | https://stripe.com/privacy |
| DPA / SCCs | Per Stripe Services Agreement and DPA |
1.4 SendGrid (Twilio)
| | |
|---|---|
| Role | Transactional email delivery (welcome, run-complete, billing, heads-up) |
| Provider | Twilio Inc. (SendGrid product) |
| Address | 101 Spear Street, 5th Floor, San Francisco, CA 94105, USA |
| Data processed | Recipient email, subject, body (transactional content), delivery + open events |
| Region | United States |
| Retention | 30 days for event data; longer for unsubscribe records (statutory) |
| Certifications | SOC 2 Type II, ISO 27001, HIPAA (with BAA — not signed for our use) |
| Privacy notice | https://www.twilio.com/legal/privacy |
| DPA / SCCs | Per Twilio DPA |
1.5 Cloudflare
| | |
|---|---|
| Role | DNS, edge proxy, Zero Trust Access (authentication gating), TLS termination, DDoS mitigation |
| Provider | Cloudflare, Inc. |
| Address | 101 Townsend Street, San Francisco, CA 94107, USA |
| Data processed | Request metadata (IP, user agent, URL, timing); Zero Trust authentication events |
| Region | Global anycast edge |
| Retention | 30 days for access logs |
| Certifications | SOC 2 Type II, ISO 27001/27018, PCI DSS, FedRAMP Moderate |
| Privacy notice | https://www.cloudflare.com/privacypolicy/ |
| DPA / SCCs | Per Cloudflare DPA |
2. AI / LLM subprocessors
Each Brief is processed by one or more of the following providers
to generate Artifacts. We have configured each provider's
data-handling settings to maximize Customer privacy where supported.
2.1 DeepSeek
| | |
|---|---|
| Role | Standard-tier LLM provider for Unrestricted content |
| Provider | Hangzhou DeepSeek Artificial Intelligence Co., Ltd. |
| Address | Hangzhou, People's Republic of China |
| Data processed | Brief content + pipeline prompts (transient); generated Artifact text |
| Region | China |
| Retention | Per DeepSeek API policy (subject to change); we treat all DeepSeek inputs as logged for ≤ 30 days |
| Training opt-out | Configured per DeepSeek API options where supported |
| Privacy notice | https://platform.deepseek.com/privacy |
| ⚠ Notes | DeepSeek's PRC jurisdiction creates legal exposure if Customer submits ITAR/EAR or CUI content. The AUP prohibits such submissions, but Customer is responsible for the classification of their own content. EU and UK Customers should consider this transfer when assessing GDPR Art 44–49 compliance. |
2.2 Google (Gemini API)
| | |
|---|---|
| Role | Embedding generation; fallback LLM for refusals and Confidential tier |
| Provider | Google LLC |
| Address | 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA |
| Data processed | Brief content (for embeddings); pipeline prompts for fallback generation |
| Region | United States (specific Gemini API region depends on model) |
| Retention | Per Google AI API Additional Terms; production-paid APIs are not used for training by default |
| Training opt-out | Default for paid API tier |
| Privacy notice | https://policies.google.com/privacy; Gemini API Additional Terms at https://ai.google.dev/gemini-api/terms |
| DPA / SCCs | Covered by Google Cloud's GDPR DPA where applicable |
2.3 OpenAI
| | |
|---|---|
| Role | Premium-tier LLM provider; fallback for refusals |
| Provider | OpenAI, LLC |
| Address | 3180 18th Street, San Francisco, CA 94110, USA |
| Data processed | Brief content + pipeline prompts; generated Artifact text |
| Region | United States |
| Retention | API inputs retained for up to 30 days for safety + abuse monitoring; not used for training when Customer is on a Zero Data Retention (ZDR) enrolled account |
| Training opt-out | Default for API tier; Customer may not opt into training even by request |
| Privacy notice | https://openai.com/policies/privacy-policy/ |
| DPA / SCCs | Per OpenAI DPA |
3. Observability subprocessors
These do not Process Customer Content, only operational telemetry.
3.1 Sentry
| | |
|---|---|
| Role | Error tracking + performance monitoring (backend + frontend) |
| Provider | Functional Software, Inc. d/b/a Sentry |
| Address | 132 Hawthorne Street, San Francisco, CA 94107, USA |
| Data processed | Error stack traces, scrubbed request metadata, browser console errors. Customer Content fields are scrubbed before transmission (see Privacy Policy §3.2). |
| Region | United States |
| Retention | 90 days for free tier (default); errors auto-purge after this |
| Certifications | SOC 2 Type II |
| Privacy notice | https://sentry.io/privacy/ |
| DPA / SCCs | Per Sentry DPA |
3.2 BetterStack (Better Stack)
| | |
|---|---|
| Role | Uptime monitoring; SMS / email alerts to founder on incident |
| Provider | Better Stack Inc. |
| Address | 750 9th Avenue, San Francisco, CA 94109, USA |
| Data processed | Public health check responses (no Customer Content); founder contact (phone, email) for paging |
| Region | Multi-region edge (probes from US, EU, Asia) |
| Retention | Incident history per plan terms |
| Certifications | SOC 2 in progress |
| Privacy notice | https://betterstack.com/policies/privacy-policy |
| DPA / SCCs | Per Better Stack DPA |
4. Change history
| Date | Change |
|---|---|
| 2026-06-14 | Initial Subprocessor List drafted |
5. Notice mechanism
To receive 30-day-in-advance notice of subprocessor additions:
6. Contact
NeuronKite LLC
Attn: Privacy
4539 N 22nd St #6544, Phoenix, AZ 85016
[email protected]