Resources
WhiteOwl uses the third-party service providers listed below to operate the platform. We share this list publicly so that you, our customers, and EU data subjects under GDPR Article 28 can see who handles your data, where, and under what contractual safeguards.
We notify customers via email at least 30 days before adding a new subprocessor that processes personal data. To object, contact privacy@whiteowl.app.
Last updated: 2026-06-10
| Subprocessor | Purpose | Location | Transfer mechanism |
|---|---|---|---|
Amazon Web Services (AWS) SOC 2 → | Document and credential storage (S3); CloudTrail audit logs | United States (us-east-1 primary, us-west-2 replica) | Standard Contractual Clauses; AWS DPA |
Supabase, Inc. DPA → | Postgres database, authentication, storage, realtime subscriptions | United States (project hosted in AWS us-east-1) | Standard Contractual Clauses; Supabase DPA |
Vercel Inc. DPA → | Application hosting, edge networking, deployment | United States (global edge network) | Vercel DPA |
Anthropic PBC | AI / large-language-model inference for chat intake, document analysis, advisor coaching | United States | Anthropic DPA + Zero-Data-Retention amendment (no training on customer data) |
Stripe, Inc. DPA → | Payment processing, subscription billing, advisor payouts via Connect | United States (global processing) | Stripe DPA |
Resend, Inc. DPA → | Transactional email delivery (welcome, notifications, onboarding) | United States | Resend DPA |
Telnyx LLC DPA →SOC 2 → | SMS phone MFA and phone-number verification via Telnyx Verify | United States | Telnyx DPA + Standard Contractual Clauses |
Twilio Inc. DPA → | Outbound SMS notifications and inbound SMS document intake (media ingestion) | United States | Twilio DPA + Standard Contractual Clauses |
Veriff OÜ | Identity verification for advisor onboarding | Estonia (EU); processing within EEA | Veriff DPA |
Inngest, Inc. DPA → | Background job orchestration (document transcription, deletion cascade, scheduled tasks) | United States | Inngest DPA |
Braintrust Data, Inc. | LLM tracing and evaluation infrastructure | United States | Braintrust DPA |
Upstash, Inc. | Distributed rate limiting (Redis) | United States and EU (configurable per database) | Upstash DPA |
Axiom, Inc. | Centralized application logs (6-month retention; audit evidence) | United States and EU (configurable; we use EU region for EU users) | Axiom DPA |
Sentry / Functional Software, Inc. DPA → | Error tracking, performance monitoring, browser RUM | United States and EU (configurable; we use EU region for EU users) | Sentry DPA |
PagerDuty, Inc. DPA → | On-call escalation and incident response paging | United States | PagerDuty DPA |
PostHog Inc. DPA → | Product analytics (funnels, retention, feature flags); session replay (PII-masked) | European Union (we use the EU cloud) | PostHog DPA |
Atlassian / Statuspage | Public uptime status page | United States | Atlassian DPA |
GitHub, Inc. | Source code management, CI/CD pipelines, vulnerability scanning | United States | GitHub DPA (Microsoft) |