Sub-processors
Last updated: April 19, 2026
Current list of third-party sub-processors that may process Controller personal data on behalf of VinReach, Inc. (Processor). Referenced by the DPA §5. Material additions are notified 30 days before go-live.
Core infrastructure
| Vendor | Purpose | Data categories | Region |
|---|---|---|---|
| Neon | Postgres hosting | All tenant data at rest | US (East) |
| Cloudflare | Edge pixel + DNS + Worker runtime | Event stream, IP, UA, cookie | Global |
| Vercel | Web + serverless hosting | Request/response, session cookies | US |
| Google Cloud KMS | Credential envelope encryption | Wrapped DEKs for vendor API keys. Per-row DEKs never transit the key-management boundary in plaintext. | US (us-east1) |
Delivery
| Vendor | Purpose | Data categories | Region |
|---|---|---|---|
| Postmark (ActiveCampaign) | Transactional + marketing email | To/from email, subject, body, open + click events | US |
| SendGrid (Twilio) | Email (BYO alternative) | Same as Postmark | US |
| Twilio | SMS + 10DLC (TCR-mediated) | Phone, message body, delivery receipts | US |
AI + content + crawling
| Vendor | Purpose | Data categories | Region |
|---|---|---|---|
| Anthropic | LLM generation | Prompt + completion strings, PII-scrubbed pre-send | US |
| Voyage AI | Text embeddings for brand corpus | Brand voice chunks, PII-scrubbed | US |
| Bright Data | Web Unlocker + Crawl API + DCA for dealer-site inventory | Public dealer-site HTML, VIN + price + photo URLs | US |
Valuations
| Vendor | Purpose | Data categories | Region |
|---|---|---|---|
| Black Book | Trade-in valuation | VIN, mileage, ZIP (3-digit prefix) | US |
Identity enrichment (opt-in per-purpose)
| Vendor | Purpose | Data categories | Region |
|---|---|---|---|
| FullContact | Identity resolution (Essential tier) — anonymous-visitor-to-identified-shopper matching for opted-in dealer rooftops. Loaded only when visitor grants analytics + marketing consent and has not asserted GPC / CPRA sale-share opt-out. | FullContact PersonID cookie; enrichment returns email, phone, and postal location when a match exists. Raw response retained for audit. FullContact is not able to purge records from their identity graph on our request — dealer must suppress locally. | US |
| Leadpipe, Inc. | Identity resolution (Enhanced tier) — anonymous-visitor-to-identified-shopper matching for opted-in dealer rooftops. Same consent gate as FullContact; only loaded for rooftops on the Enhanced identity tier. DPA: TODO — pending legal review. | Hashed email, hashed phone, IP address, user agent. Leadpipe is a separate data controller for its own identity graph; consumer-level deletions must be directed to Leadpipe. Dealer-side suppression enforced locally. | US |
| AtData | Email validation + EID (opt-in) | Hashed email for resolve; plaintext for inbound verify | US |
Billing + auth
| Vendor | Purpose | Data categories | Region |
|---|---|---|---|
| Clerk | Authentication | User email, password hash, OAuth tokens | US |
| Stripe | Subscription + metered billing | Org billing email, card metadata (PCI-scoped via Stripe Elements), meter events | US |
Change procedure
Adding a sub-processor is a material DPA change. We post the update here, email every signed Controller at the admin contact, and wait 30 days before routing any data to the new vendor. Controllers may object within the window; see the DPA §5 for the opt-out mechanism.