Trust centre
Subprocessors and data locations
A named, plain-language inventory of the external services that help operate SREDlog, what each one receives, and why.
| Provider | Purpose | Data processed | Location | Use |
|---|---|---|---|---|
| Render | Application hosting and managed PostgreSQL | Account and workspace data, application traffic, operational logs | Current production region: Oregon, United States | Required |
| Cloudflare | DNS, edge protection, and private R2 object storage | Network metadata and customer-uploaded evidence files | Cloudflare global network; object placement follows the configured R2 account | Required |
| OpenAI | Managed AI analysis, drafting, and embeddings | Only the prompts and selected evidence needed for the requested AI task | Processing locations governed by OpenAI's API data-processing terms | AI features only; firms may use their own API key |
| Stripe | Subscription billing, invoices, refunds, disputes, and tax calculation | Billing contact, subscription, transaction, and tax information; SREDlog does not store full card numbers | Processing locations governed by Stripe's data-processing terms | Paid accounts |
| Resend | Transactional email | Recipient name, email address, and service-message content | Processing locations governed by Resend's data-processing terms | Required |
| Sentry | Production error monitoring and incident diagnosis | Error messages, stack traces, route names, and operational identifiers; credentials are excluded by design | The region selected in Sentry's account configuration | Required for production |
| Upstash | Shared abuse prevention and rate limiting | Short-lived rate-limit keys derived from account email or request IP | The region selected for the configured Redis database | Required for production |
| GitHub | Customer-authorized repository evidence integration | Installation metadata and read-only repository, issue, and pull-request content selected by the customer | Processing locations governed by GitHub's data-protection terms | Optional integration |
Customer assurance
We evaluate providers for security, confidentiality, availability, and appropriate data-processing terms before use. We limit each provider to the information needed for its function.
Customers performing vendor review, requiring advance notice of material subprocessor changes, or requesting a data-processing agreement can contact privacy@sredlog.com.
For how SREDlog uses and retains information, see the Privacy Policy and Security page.
Last updated: July 10, 2026.