Sub-Processor Register
Last updated: Jun 25, 2026 · Version: subprocessors-2026-06-25
This document is a template provided for transparency. It has not been reviewed by an attorney and requires review by counsel before you rely on it legally.
About this register
To run Smart Site Plan we rely on a small set of trusted third-party service providers ("sub-processors") that may process personal data on our behalf. We require each of them to protect personal data to a standard consistent with our Data Processing Agreement and to use it only to provide their service to us. This page is the current list.
Most of these providers process data in the United States. Where a provider receives personal data from the European Economic Area, the United Kingdom, or Switzerland, the transfer is covered by the safeguards described in our DPA, such as the Standard Contractual Clauses (with the UK and Swiss adaptations) or the EU-US Data Privacy Framework where the provider is certified.
Core providers
These providers are part of the standard operation of the Service for every customer.
| Provider | Purpose | Data categories | Location |
|---|---|---|---|
| Railway | Primary cloud hosting for the API and managed databases (PostgreSQL/PostGIS, MongoDB, Redis). | All platform data: account, project, spatial, GPS, and usage records. | United States |
| Vercel | Hosting and global edge delivery for the web application. | Request and log metadata, including IP address. | United States |
| Cloudflare | Object storage (R2) for uploaded files and exports, plus CDN, DDoS protection, and bot mitigation (Turnstile). | Uploaded files and images, export bundles, IP address. | United States |
| Stripe | Payment processing and subscription billing. | Name, email, and billing details. We never store full card numbers. | United States |
| Resend | Delivery of transactional email (verification, security, billing, invitations, alerts). | Name and email address. | United States |
| Sentry | Application error monitoring and performance diagnostics. | Diagnostic and error data, which may include IP address and account identifiers. | United States |
| Anthropic | AI analysis (Claude) for site-plan import, photo-to-map analysis, and regulatory assistance. | The content you submit for analysis: plan PDFs, photos, and any location data embedded in them. | United States |
Feature-specific providers
These providers are engaged only when you use the related feature or enable the related option, so data flows to them only in that context.
| Provider | Purpose | Data categories | Location |
|---|---|---|---|
| ATTOM Data Solutions | Property and parcel data lookups. | The address or coordinates you query. No account identifiers are sent. | United States |
| PostHog | Product analytics, loaded only after you opt in through the cookie banner. | Pseudonymized product-usage events and device metadata. | United States |
| Twilio | SMS delivery for SMS-based two-factor authentication. | Phone number, only if you enable SMS two-factor authentication. | United States |
| Optional OAuth sign-in and Search Console reporting for our public pages. | Email and basic profile, only if you sign in with Google. | United States | |
| OpenStreetMap (Nominatim) | Geocoding addresses to coordinates during site-plan import and search. | The address strings you ask us to locate. | United Kingdom / European Union |
| Esri | Basemap imagery and public open-data feature services. | Map view requests. No personal account data is sent. | United States |
Map and data providers
The Service also displays basemaps and open and public data from providers such as map-tile and government GIS services. Map and tile requests are not tied to your account identity, and open or public data you discover is owned by its provider and subject to that provider's own terms and attribution requirements.
Our AI provider develops the models behind our AI features and publishes its own disclosures, including about the data used to train those models, on its website. We do not train models on your content, as described in our Privacy Policy.
Changes and notice
We update this register when our sub-processors change. Customers under a Data Processing Agreement may request advance notice of new sub-processors and can object on reasonable data-protection grounds as described there. Questions? Email privacy@smartsiteplan.com.