Sub-processor list
1. Overview
Get Causality uses the following third-party sub-processors to deliver our services. In accordance with GDPR Art. 28 and our Data Processing Agreement, we maintain this list of authorized sub-processors and provide 30 days advance notice of any changes.
2. Current sub-processors
| Sub-processor | Purpose | Location | Compliance | Data processed |
|---|---|---|---|---|
| Vercel Inc. | Application hosting (frontend CDN + serverless API functions) | USA (global edge) | SOC 2 Type II, ISO 27001 | All platform data in transit. Serverless functions process API requests. PII is encrypted at the application layer (AES-256-GCM) before reaching Vercel. |
| Neon Inc. | PostgreSQL database | USA (AWS us-east-1) | SOC 2 Type II | All stored data. PII is AES-256-GCM encrypted at the application layer before storage; Neon stores ciphertext only. |
| Cloudflare Inc. | Edge protection — Web Application Firewall (WAF), DDoS mitigation, bot management (Turnstile), TLS termination | Global edge network | SOC 2 Type II, ISO 27001, PCI-DSS | Edge requests pass through Cloudflare's global network for security inspection. No persistent storage of user data; data is in transit only. |
| Stripe Inc. | Payment processing (currently paused during closed beta) | USA | PCI DSS Level 1 | Payment metadata only. Card details are handled entirely by Stripe and never touch our servers. |
| Resend Inc. | Transactional email delivery | USA | SOC 2 Type II | Email addresses (for delivery) and email content (verification, password reset, notifications). |
| PostHog Inc. | Anonymous product analytics + server-side security telemetry | USA | SOC 2 Type II | Anonymized usage events only (page views, feature usage). Consent-gated for analytics. Server-side security telemetry under legitimate interest (Art. 6(1)(f)) tagged category=security; contains no email, IP, or response contents. No PII transmitted. Session recording disabled. |
| Sentry Inc. | Error monitoring | USA | SOC 2 Type II | Stack traces and browser metadata for debugging. PII is scrubbed via a beforeSend hook before transmission (sendDefaultPii: false). Frontend Sentry is consent-gated; backend Sentry runs unconditionally for production reliability. |
3. Data-protection measures
All sub-processors are bound by Data Processing Agreements that include, in order of priority for each transfer corridor:
- EU-U.S. Data Privacy Framework (where the sub-processor is certified)
- Standard Contractual Clauses, Module 2 (controller-to-processor), under Commission Implementing Decision (EU) 2021/914
- UK International Data Transfer Addendum or UK Extension to the DPF for UK transfers
- Swiss-U.S. DPF or SCCs adapted for Switzerland per FDPIC guidance
- Obligation to implement appropriate technical and organizational measures
- Breach notification requirements (mirroring our 72-hour Art. 33 commitment)
- Data deletion upon termination, per the retention schedule below
4. Essential services
Stripe (payment processing — when active) and Cloudflare Turnstile (bot protection) are classified as essential / functional services required for platform operation and security. These services are loaded without requiring analytics cookie consent, as they are necessary for the legitimate functioning of the platform.
5. Retention schedule
Personal data retention is governed by the schedule below. Sub-processors hold data only for the duration we hold it as Controller; once we delete, our standard Data Processing Agreement requires sub-processors to delete within their backup-rotation cycle.
| Data category | Active | Grace | Backups | Hard delete |
|---|---|---|---|---|
| Account data | Indefinite while active | 30 days | 30 days | Day 60 from cancellation |
| Survey responses | Per researcher's data_retention_days | 30 days | 30 days | Day 60 |
| Cognitive profiles (extracted_concepts) | Per fcm_retention_days, then PII-stripped | — | — | Anonymized at the configured retention; retained for research only |
| Audit logs (security) | 2 years (24 months) from event date | — | — | After 2 years |
| Payment metadata | 7 years from last transaction (US tax / accounting) | — | — | After 7 years |
| Breach records | Indefinite (Art. 33(5)) | — | — | — |
The full per-category schedule is published in our retention reference documentation.
6. Changes to sub-processors
We provide at least 30 days advance notice before adding, removing, or replacing any sub-processor. Notifications will be sent to institutional contacts on file and reflected on this page.
7. Contact
- Data Protection Officer: [email protected]
- Privacy inquiries: [email protected]