Effective Date: June 2, 2026 Last Updated: June 2, 2026 Version: 1.0
This page is maintained publicly at https://docujson.com/sub-processors and is incorporated by reference into the Privacy Policy and Data Processing Addendum (DPA). DocuJSON, Inc. will notify affected paid customers by email at least 30 days before adding or replacing a sub-processor that materially changes how Customer Personal Data is processed.
What Is a Sub-processor?
A "sub-processor" is a third-party service provider that processes personal data on DocuJSON's behalf to help us deliver the Services. Under GDPR and similar laws, we disclose these providers and give customers the right to object to material changes.
Current Sub-processors
Infrastructure & Hosting
| Provider | Role | Location | Data Processed | Certifications / Notes |
|---|---|---|---|---|
| Vercel, Inc. | Application hosting, serverless compute, edge delivery, Vercel Blob storage, and Vercel AI Gateway routing | USA / multi-region | Customer Content in transit during API calls; generated PDF files; web dashboard access logs; temporary compute memory; AI prompts routed through Gateway when AI features are used | SOC 2 Type II, ISO 27001 |
| Amazon Web Services, Inc. (AWS) | Underlying cloud infrastructure used by Vercel and Supabase | USA / provider regions | Infrastructure-level processing and storage for hosted services | SOC 2 Type II, ISO 27001; HIPAA-eligible services under separate BAA |
Database & Authentication
| Provider | Role | Location | Data Processed | Certifications / Notes |
|---|---|---|---|---|
| Supabase, Inc. | Database, authentication, authorization, and storage services | USA / configured project region | Account data, workspace metadata, API key hashes, usage logs, customer configuration, authentication cookies | SOC 2 Type II; HIPAA-eligible plans available under separate BAA |
Payments
| Provider | Role | Location | Data Processed | Certifications / Notes |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, billing, subscription management, tax calculation, fraud prevention | USA / global | Billing contact information, tokenized payment data, transaction details, IP address for fraud detection | PCI DSS Level 1, SOC 1 & 2, ISO 27001 |
Error Monitoring & Operations
| Provider | Role | Location | Data Processed | Certifications / Notes |
|---|---|---|---|---|
| Sentry.io / Functional Software, Inc. | Error tracking, performance monitoring, operational diagnostics | USA / global | Error events, stack traces, route metadata, scrubbed request context, workspace identifiers where needed for debugging | SOC 2 Type II; configured to scrub sensitive payloads |
AI Model Inference (Optional Feature)
| Provider | Role | Location | Data Processed | Certifications / Notes |
|---|---|---|---|---|
| Vercel AI Gateway and configured AI model providers | Large language model routing and inference for AI-assisted custom template generation | Varies by selected provider | Customer-provided prompts, reference screenshots, and sample data submitted to AI template-generation features. Not used for standard PDF generation. | Model provider may vary by configuration and may include Alibaba, Google, Anthropic, OpenAI, or other allow-listed Gateway models. API inputs are not intended for provider model training unless a provider-specific feature explicitly says otherwise. |
| Langfuse | Optional AI observability for template-generation traces | USA / EU depending on configured workspace | AI trace metadata, model names, costs, stage timings, and — only if explicitly enabled — captured prompts or outputs | Disabled unless configured with project keys; payload capture is off by default |
Note: AI model sub-processors are engaged only when customers use AI-assisted custom template features. Standard PDF generation from an existing template does not transmit payload data to AI model providers.
Planned or Not Currently Active
The following providers are not currently used as production sub-processors for Customer Personal Data unless and until this page is updated and customers are notified where required.
| Provider | Status | Role |
|---|---|---|
| Resend, Inc. | Planned / not active | Transactional email delivery for invitations, receipts, security alerts, and product notifications |
| Plausible Analytics | Not active | Potential aggregate, cookieless website analytics |
| Axiom, Inc. or Datadog, Inc. | Planned / not active | Centralized logging and monitoring |
International Data Transfers
DocuJSON is based in the United States. Sub-processors primarily process data in the United States, with some offering multi-region configurations through Vercel, Supabase, Stripe, and AI model providers.
For personal data transferred from the European Economic Area, United Kingdom, or Switzerland to countries without an adequacy decision, we rely on the EU Standard Contractual Clauses, the UK Addendum, and appropriate supplementary measures where required.
Notification of Changes
When we add or replace a sub-processor that materially changes processing of Customer Personal Data, we will:
- Update this page with the new sub-processor's name, role, location, and data categories.
- Update the "Last Updated" date.
- Send an email notification to affected paid-plan customers at least 30 days before the change takes effect, unless urgent security, availability, or legal reasons require faster replacement.
To subscribe to sub-processor change notifications, contact privacy@docujson.com. Notifications are sent to the billing or admin contact on file.
Your Rights
If you object to a new sub-processor:
- Reply to our notification email within 30 days with a written objection and the reason.
- We'll work in good faith to address the objection, including offering an alternative configuration if feasible.
- If we cannot reasonably resolve the objection, you may terminate the affected Services without penalty and receive a pro-rata refund for prepaid, unused fees for those Services.
Archive
Prior versions of this sub-processor list are available on request via privacy@docujson.com.
Questions
- Privacy: privacy@docujson.com
- Data Processing Addendum requests: legal@docujson.com
- Security: security@docujson.com