Subprocessors
Last updated: April 25, 2026
A subprocessor is a third-party service that processes customer data on Mistvine's behalf. This page lists every subprocessor we use, what they do, what data they touch, and where to find their Data Processing Agreement (DPA). Each subprocessor is contractually bound to handle your data securely and not use it for their own purposes.
Authoritative source: this page. The summary in our Privacy Policy §4.5 reflects the same list. If they ever drift, this page wins.
Notification commitment. We will notify customers at least 30 days before adding any new subprocessor or making material changes to an existing one. Customers may object on reasonable data protection grounds within the notification period by emailing support@mistvine.com.
Current Subprocessors
Supabase
Infrastructure & Hosting
- Purpose: Stores all application data and manages user authentication.
- Data processed: All customer and employee data you store in Mistvine.
- Data location: United States (US East)
- Privacy policy: https://supabase.com/privacy
- DPA / Terms: https://supabase.com/legal/dpa
- Certifications: SOC 2 Type II, ISO 27001 (held by Supabase)
Cloudflare
Infrastructure & Hosting
- Purpose: Edge content delivery (CDN), Worker compute, DDoS protection, caching, performance optimization.
- Data processed: IP addresses, request metadata, cached content, performance metrics.
- Data location: Global edge network (200+ cities)
- Privacy policy: https://www.cloudflare.com/privacypolicy/
- DPA / Terms: https://www.cloudflare.com/cloudflare-customer-dpa/
- Certifications: SOC 2 Type II, ISO 27001, ISO 27018, PCI DSS (held by Cloudflare)
PostHog
Analytics
- Purpose: Product analytics — feature usage measurement, signup-funnel attribution, error reports.
- Data processed: Anonymous distinct_id (no email or name in identify), page views (with sensitive paths redacted), named feature events with non-PII metadata. Browser Do Not Track honored. PII-scrubbing hook applied before egress.
- Data location: United States
- Privacy policy: https://posthog.com/privacy
- DPA / Terms: https://posthog.com/docs/privacy/gdpr-compliance
- Certifications: SOC 2 Type II
Resend
Communications
- Purpose: Transactional email delivery — sign-in codes, magic links, invitations, billing notices.
- Data processed: Recipient email address, email body content (notifications only).
- Data location: United States
- Privacy policy: https://resend.com/legal/privacy-policy
- DPA / Terms: https://resend.com/legal/dpa
- Certifications: SOC 2 Type II
Stripe
Payment Processing
- Purpose: Subscription billing, payment processing, invoice generation.
- Data processed: Payment card numbers (tokenized; never stored by Mistvine), billing addresses, transaction history, customer email.
- Data location: United States (Stripe global infrastructure)
- Privacy policy: https://stripe.com/privacy
- DPA / Terms: https://stripe.com/legal/dpa
- Certifications: PCI DSS Level 1, SOC 2 Type II, ISO 27001
Anthropic Claude
Artificial Intelligence
- Purpose: Generates AI-driven insights, text analysis, and recommendations. Used for the optional AI insights feature in admin and people-manager surfaces.
- Data processed: Employee performance data, feedback, and other workforce information passed to Claude when an admin generates an AI insight.
- Data location: United States
- Privacy policy: https://anthropic.com/legal/privacy
- DPA / Terms: https://anthropic.com/legal/aup
- Certifications: SOC 2 Type II. API requests deleted after 30 days; data NOT used to train Anthropic models per Commercial Terms.
International Data Transfers
Some of our subprocessors are located in the United States. To ensure your data remains protected when transferred internationally, we use the following safeguards:
- Standard Contractual Clauses (SCCs): EU Commission–approved clauses (Decision 2021/914) with all US-based processors.
- Data Processing Agreements: All subprocessors sign DPAs with security obligations.
- Data minimization: Only necessary data is transferred.
EU/UK customers can request copies of our SCCs by emailing support@mistvine.com.
Data Residency
All customer data is currently stored in US East. EU data residency options are on our roadmap. Email support@mistvine.com if you have specific data residency requirements.
Reporting Concerns
If you have concerns about a subprocessor, want to object to a new one, or need a copy of our SCCs, email support@mistvine.com. For breach-notification or privacy-rights requests, see Privacy Policy §9.