Subprocessors

Last updated: 2026-06-26

What this list is

A subprocessor is a third-party service that processes personal data on our behalf so we can deliver Jeanus. Every supplier we route customer data through is named below, with what they do, what data they see, where they hold it, and a link to their Data Processing Agreement (DPA).

This list is part of our Data Processing Agreement and our Privacy Notice. By signing up to Jeanus you consent to us using the subprocessors listed here.

Current subprocessors

Vercel Inc.
Application hosting + CDN
Added 2025-09-01
Receives: HTTP requests, including any personal data sent in URLs, headers and request bodies; server logs (IP, user agent, timestamp).
Region: Primary compute in lhr1 (London, UK). Static assets served from global edge.
Compliance: SOC 2 Type II, ISO 27001, GDPR-compliant DPA published.

Supabase Inc.
Managed Postgres database + authentication
Added 2025-09-01
Receives: All customer CRM data (customers, leads, products, activities, messages, files); account credentials (email + bcrypt-hashed password); session tokens.
Region: UK (London).
Compliance: SOC 2 Type II, HIPAA-ready, GDPR-compliant DPA published.

Anthropic PBC
Claude AI - powers AI features (drafts, briefings, summaries, enrichment)
Added 2025-09-01
Receives: Prompts that may contain customer CRM content (a lead description, an email thread, a customer note) when a user triggers an AI feature. No data sent unless the AI feature is used.
Region: United States.
Compliance: SOC 2 Type II. Per the Anthropic Commercial Terms, customer prompts are not used to train Anthropic models.

Stripe Payments Europe Ltd.
Subscription billing + payment processing
Added 2025-09-01
Receives: Billing contact (name, email, company), payment method details (collected directly by Stripe, never touched by Jeanus servers), subscription state, invoice history.
Region: Ireland (EU) for European customers, with global infrastructure.
Compliance: PCI DSS Level 1, SOC 1, SOC 2 Type II, ISO 27001, GDPR-compliant DPA published.

Resend Inc.
Transactional email delivery
Added 2025-09-01
Receives: Recipient email address, email subject and body (e.g. verification emails, quote send-outs, password resets).
Region: United States.
Compliance: SOC 2 Type II, GDPR-compliant DPA published.

How we vet subprocessors

Before we send any customer data to a new supplier, we check that they:

  • Publish a Data Processing Agreement aligned with UK GDPR Article 28.
  • Operate to a recognised independent standard (SOC 2 Type II, ISO 27001, or equivalent attestation).
  • Support customer-initiated data deletion within a documented timescale.
  • Commit to notifying us of personal-data breaches without undue delay, so we can in turn notify you within 72 hours.
  • Host data in a jurisdiction with adequate protection for UK personal data, or operate under Standard Contractual Clauses / a UK International Data Transfer Addendum where the destination is outside the UK / EU.

International transfers

Three of the suppliers above (Anthropic, Resend, and parts of Vercel's CDN) host or process data in the United States. Transfers from the UK to the US are made under the UK International Data Transfer Addendum to the EU Standard Contractual Clauses, which each vendor includes in their DPA.

Stripe and Supabase keep European customer data inside the EU. Vercel routes primary compute through the London (UK) region.

Changes to this list

We will update this page within 30 days of adding or removing a subprocessor. Material changes (a new supplier processing customer data, a change of region for an existing supplier) are also announced to tenant admins by email so you can object before the change takes effect.

If you object to a new subprocessor, contact us at hello@pixelandshovel.co.uk. If we cannot offer an alternative, you have the right to terminate your subscription without penalty for the remainder of the current billing period.

Questions

Email hello@pixelandshovel.co.uk. We answer security and DPA questions personally - no ticketing system.

Built by Pixel & Shovel. Brighton, UK. ICO registration ZC068491.