Sub-processors
Last updated: April 19, 2026
Current list of third-party sub-processors that may process Controller personal data on behalf of VinReach (Processor). Referenced by the DPA §5. Material additions are notified 30 days before go-live.
Core infrastructure
| Vendor | Purpose | Data categories | Region |
|---|
| Neon | Postgres hosting | All tenant data at rest | US (East) |
| Cloudflare | Edge pixel + DNS + Worker runtime | Event stream, IP, UA, cookie | Global |
| Vercel | Web + serverless hosting | Request/response, session cookies | US |
| AWS KMS | Credential envelope encryption | Wrapped DEKs for vendor API keys | US |
Delivery
| Vendor | Purpose | Data categories | Region |
|---|
| Postmark (ActiveCampaign) | Transactional + marketing email | To/from email, subject, body, open + click events | US |
| SendGrid (Twilio) | Email (BYO alternative) | Same as Postmark | US |
| Twilio | SMS + 10DLC (TCR-mediated) | Phone, message body, delivery receipts | US |
AI + content + crawling
| Vendor | Purpose | Data categories | Region |
|---|
| Anthropic | LLM generation | Prompt + completion strings, PII-scrubbed pre-send | US |
| Voyage AI | Text embeddings for brand corpus | Brand voice chunks, PII-scrubbed | US |
| Bright Data | Web Unlocker + Crawl API + DCA for dealer-site inventory | Public dealer-site HTML, VIN + price + photo URLs | US |
Valuations
| Vendor | Purpose | Data categories | Region |
|---|
| Black Book | Trade-in valuation | VIN, mileage, ZIP (3-digit prefix) | US |
Identity enrichment (opt-in per-purpose)
| Vendor | Purpose | Data categories | Region |
|---|
| FullContact | Identity resolution (opt-in) | SHA-256 hashed email; returns profile | US |
| AtData | Email validation + EID (opt-in) | Hashed email for resolve; plaintext for inbound verify | US |
Billing + auth
| Vendor | Purpose | Data categories | Region |
|---|
| Clerk | Authentication | User email, password hash, OAuth tokens | US |
| Stripe | Subscription + metered billing | Org billing email, card metadata (PCI-scoped via Stripe Elements), meter events | US |
Change procedure
Adding a sub-processor is a material DPA change. We post the update here, email every signed Controller at the admin contact, and wait 30 days before routing any data to the new vendor. Controllers may object within the window; see the DPA §5 for the opt-out mechanism.