
Sub-processors

Last reviewed May 17, 2026

What this page is

To run Spendrein, we engage a small number of third-party service providers ("sub-processors") that process customer data on our behalf. This page lists every sub-processor currently engaged, what they do for us, where they process data, and the transfer mechanism that protects data leaving the European Economic Area.

The terms of our engagement with each sub-processor — including confidentiality, security, and data-protection commitments substantially equivalent to those in our own Data Processing Agreement — are in writing with that sub-processor. We remain responsible to you for their performance.

Change notice

We will give Workspace Owners at least 30 days' notice by email before adding or replacing a sub-processor. If you object on reasonable data-protection grounds, email privacy@spendrein.com within the notice period and we will work with you on a resolution as set out in Section 5.3 of our Data Processing Agreement.

Current sub-processors (10)

  • Supabase Inc.

    Managed Postgres database, authentication, and object storage for uploaded statements and contracts.

    Region: European Union
    Scope: Content
    Transfer mechanism: Intra-EEA; EU SCCs where any onward US transfer occurs
  • Vercel Inc.

    Application hosting (Fluid Compute, serverless functions), CDN, and AI Gateway routing.

    Region: United States (with regional edge caching)
    Scope: Content
    Transfer mechanism: EU SCCs (Module Two)
  • Stripe, Inc. and Stripe Payments Europe, Ltd.

    Payment processing, subscription billing, and invoicing. Stripe is an independent controller for payment instrument data; Spendrein never sees or stores card details.

    Region: United States and Republic of Ireland
    Scope: Metadata only
    Transfer mechanism: EU SCCs (Module Two)
  • Resend, Inc.

    Outbound transactional email delivery (sign-up confirmations, renewal alerts, account notifications) and inbound email parsing for cancellation replies and contract forwards.

    Region: United States
    Scope: Content
    Transfer mechanism: EU SCCs (Module Two)
  • Anthropic, PBC

    Large language model inference for transaction classification, contract field extraction, and negotiation script generation. Configured for zero data retention; submissions are not used to train models.

    Region: United States
    Scope: Content
    Transfer mechanism: EU SCCs (Module Two)
  • OpenAI, L.L.C.

    Large language model inference (used in development environments and as configured fallback). Configured for zero data retention; submissions are not used to train models.

    Region: United States
    Scope: Content
    Transfer mechanism: EU SCCs (Module Two)
  • Inngest, Inc.

    Durable workflow execution for asynchronous jobs: audit processing, cancellation dispatch, renewal reminders, and email ingestion.

    Region: United States
    Scope: Content
    Transfer mechanism: EU SCCs (Module Two)
  • Upstash, Inc.

    Managed Redis for rate-limiting state. Only user IDs and request counters are stored; no statement, contract, or transaction content.

    Region: European Union (Frankfurt) or United States, depending on key
    Scope: Metadata only
    Transfer mechanism: EU SCCs (Module Two) where US processing occurs
  • Functional Software, Inc. (Sentry)

    Application error monitoring and performance tracing. PII-redacting filters are applied before events leave Spendrein's servers.

    Region: United States
    Scope: Metadata only
    Transfer mechanism: EU SCCs (Module Two)
  • Cal.com, Inc.

    Scheduling for Business onboarding kickoff calls (cal.eu instance). Receives the attendee's name, email address, optional pre-meeting question response, and meeting timestamp — never any audit, contract, or transaction data.

    Region: European Union (cal.eu instance)
    Scope: Metadata only
    Transfer mechanism: Intra-EEA via cal.eu; EU SCCs (Module Two) for any onward US transfer to Cal.com, Inc.

Scope key

Content means the sub-processor receives customer-uploaded content such as statement rows, contract text, or email bodies. Metadata means the sub-processor receives only identifiers, counters, or operational signals — never the content of your statements, contracts, or messages.

Contact

For data-protection questions — including sub-processor objections, DPA countersignature requests, or data subject rights — email privacy@spendrein.com.