GDPR Art. 28
Subprocessors
We engage the following subprocessors to deliver the Altvisor service. Rows shaded amber indicate processors located in or routing data through the United States — those transfers rely on the EU-US Data Privacy Framework and Standard Contractual Clauses.
| Subprocessor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Mistral AI (La Plateforme) | Pixtral 12B inference for Free and Pro alt-text generation | France (EU) | Same jurisdiction (EU/EEA) — no transfer mechanism required. |
| Anthropic (Claude API) | Claude Haiku 4.5 inference for Business tier alt-text generation | United States | EU-US Data Privacy Framework + Standard Contractual Clauses (Module 2) |
| Supabase | Managed Postgres, authentication, storage (eu-west-1) | Ireland (EU) | Same jurisdiction (EU/EEA) — no transfer mechanism required. |
| Vercel | Edge runtime, serverless functions, static asset hosting | United States (with EU edge regions including fra1) | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Stripe | Subscription billing, payment processing, EU VAT collection (Stripe Tax) | Ireland (EU) — with US parent processing | Standard Contractual Clauses + EU-US Data Privacy Framework |
| Resend | Transactional email (password reset, magic link, account notifications) | United States — with EU sending region | Standard Contractual Clauses |
| PostHog | Product analytics, web vitals, error tracking, session replay, LLM observability, and application logs. EU-hosted project; ingestion proxied via /ingest/* to avoid third-party origin in the browser. | Germany (EU) — eu.i.posthog.com | Same jurisdiction (EU/EEA) — no transfer mechanism required. |
| GitHub (Microsoft Corp.) | Content hosting + CMS authentication. Hosts the public marketing blog MDX (content-engine) and authenticates the content partner via the Keystatic GitHub App. Only public marketing content and the partner's GitHub login identity flow here — no customer or data-subject personal data. | United States | EU-US Data Privacy Framework + Standard Contractual Clauses |
| Google Analytics (GA4) | Marketing-site traffic measurement. Loaded only on /(marketing) routes; gated by Consent Mode v2 (default 'analytics_storage: denied'); cookies dropped only after user accepts via the marketing-page consent banner. | United States | EU-US Data Privacy Framework + Standard Contractual Clauses |