Trust centre

Subprocessors and data locations

A named, plain-language inventory of the external services that help operate SREDlog, what each one receives, and why.

SREDlog subprocessors, purposes, data types, locations, and usage
ProviderPurposeData processedLocationUse
RenderApplication hosting and managed PostgreSQLAccount and workspace data, application traffic, operational logsCurrent production region: Oregon, United StatesRequired
CloudflareDNS, edge protection, and private R2 object storageNetwork metadata and customer-uploaded evidence filesCloudflare global network; object placement follows the configured R2 accountRequired
OpenAIManaged AI analysis, drafting, and embeddingsOnly the prompts and selected evidence needed for the requested AI taskProcessing locations governed by OpenAI's API data-processing termsAI features only; firms may use their own API key
StripeSubscription billing, invoices, refunds, disputes, and tax calculationBilling contact, subscription, transaction, and tax information; SREDlog does not store full card numbersProcessing locations governed by Stripe's data-processing termsPaid accounts
ResendTransactional emailRecipient name, email address, and service-message contentProcessing locations governed by Resend's data-processing termsRequired
SentryProduction error monitoring and incident diagnosisError messages, stack traces, route names, and operational identifiers; credentials are excluded by designThe region selected in Sentry's account configurationRequired for production
UpstashShared abuse prevention and rate limitingShort-lived rate-limit keys derived from account email or request IPThe region selected for the configured Redis databaseRequired for production
GitHubCustomer-authorized repository evidence integrationInstallation metadata and read-only repository, issue, and pull-request content selected by the customerProcessing locations governed by GitHub's data-protection termsOptional integration

Customer assurance

We evaluate providers for security, confidentiality, availability, and appropriate data-processing terms before use. We limit each provider to the information needed for its function.

Customers performing vendor review, requiring advance notice of material subprocessor changes, or requesting a data-processing agreement can contact privacy@sredlog.com.

For how SREDlog uses and retains information, see the Privacy Policy and Security page.

Last updated: July 10, 2026.