Subprocessors
Effective · Last updated 2026-05-11
Status: Operating entity confirmed (Chykalophia Group, LLC). Subprocessor list still awaiting counsel review. The structure and disclosures below mirror current B2B SaaS practice and GDPR Art. 28(2)–(4) requirements. Each addition or change is announced to customers at least 30 days in advance.
1. What this page is
A subprocessor is any third-party service we engage that may process personal data on our behalf in the course of operating SendBriefs. Under GDPR Art. 28(2) and equivalent laws, controllers (you, when you upload personal data into the Service) have the right to know who those subprocessors are, what they do, where they're located, and to object to changes.
SendBriefs is operated by Chykalophia Group, LLC (929 Michigan Ave, Apt 3, Evanston, IL 60202, USA). For data you upload into the platform, Chykalophia Group, LLC acts as a processor and you remain the controller. The subprocessors listed below act on Chykalophia's instructions, and Chykalophia in turn acts on your instructions.
Each subprocessor is bound by a written Data Processing Agreement (DPA) that imposes data-protection obligations substantially similar to those in our Terms of Service, our Privacy Policy, and applicable law (GDPR, UK GDPR, CCPA/CPRA, and state-law equivalents).
2. Current subprocessors
2.1 Infrastructure (core processing)
| Service | Purpose | Entity | Location of processing | Data accessed |
|---|---|---|---|---|
| Vercel | Application hosting, edge CDN, serverless compute, image optimization | Vercel Inc. | US (primary: iad1, sfo1); EU edge for cached marketing-site assets | All inbound request data passes through Vercel's edge before reaching application servers; cached marketing-site responses; serverless function memory during the request lifetime |
| Supabase | Postgres database, authentication, file storage, real-time subscriptions | Supabase Inc. | US (us-east-1) | Account data, workspace data, brief content, integration credentials (encrypted at rest), session tokens |
| Upstash | Redis-compatible queue, rate-limit counters, ephemeral session storage | Upstash, Inc. | US (us-east-1) | Queue payloads (brief render jobs, scheduled deliveries), rate-limit counters keyed by user/IP |
2.2 Communications
| Service | Purpose | Entity | Location | Data accessed |
|---|---|---|---|---|
| SendGrid (Twilio) | Transactional email — receipts, approval requests, brief deliveries | Twilio Inc. | US | Recipient email, subject + body of each email sent, send/open/click telemetry |
| Resend | Marketing email (Friday Brief newsletter) | Resend Inc. | US | Subscriber email, double opt-in confirmation, send/open/click telemetry on marketing campaigns only |
2.3 Payments
| Service | Purpose | Entity | Location | Data accessed |
|---|---|---|---|---|
| Stripe | Billing, subscription management, invoices, automated tax computation | Stripe, Inc. | US (primary); EU (for EU customers on Stripe's EU acquirer) | Billing email, billing address, card token (we never see raw PAN), invoice line items, tax-relevant metadata |
2.4 Observability and analytics
| Service | Purpose | Entity | Location | Data accessed |
|---|---|---|---|---|
| Sentry | Error monitoring, performance tracing | Functional Software, Inc. d/b/a Sentry | US (us-1) | Error stack traces and breadcrumbs (Sentry SDK configured to scrub identified PII fields; incidental PII in unstructured stack frames is best-effort scrubbed but cannot be guaranteed), session metadata |
| PostHog | Product analytics on platform (consent-gated on marketing site) | PostHog Inc. (EU instance) | EU (eu.posthog.com) | Aggregate event data; opt-in only on marketing site, opt-out in-app for platform usage |
| Plausible | Marketing-site traffic analytics (cookieless) | Plausible Insights OÜ | EU (Germany) | Anonymized request metadata only — no IP, no fingerprint, no cookies |
| Vercel Analytics | Core Web Vitals + traffic on marketing site (consent-gated) | Vercel Inc. | US | Pageview metadata, anonymized device fingerprint, vitals measurements |
2.5 Integrations (you authorize each individually)
The following services act as data sources when you explicitly connect them at the workspace level. They are not blanket subprocessors — they only receive data when you grant OAuth scope or provide an API key, and they only return data when SendBriefs requests it on your behalf.
| Service | Purpose | Entity | Authorization model |
|---|---|---|---|
| HubSpot | CRM data ingestion | HubSpot, Inc. (US) | OAuth, workspace-scoped |
| Stripe (as data source) | Revenue data ingestion | Stripe, Inc. (US) | OAuth |
| Google Analytics 4 | Web analytics ingestion | Google LLC (US) | OAuth |
| Google Search Console | SEO data ingestion | Google LLC (US) | OAuth |
| Linear | Project / issue data ingestion | Linear Orbit, Inc. (US) | OAuth |
| Meta Ads (Facebook / Instagram) | Paid social ad performance | Meta Platforms, Inc. (US) | OAuth |
| Google Ads | Paid search ad performance | Google LLC (US) | OAuth |
| Generic webhook | Inbound JSON payloads from any source | N/A — you control the sender | Workspace-scoped signing key |
When you disconnect an integration (revoke OAuth or remove the API key from your workspace), SendBriefs will stop accessing the third-party data source within 24 hours. Data previously ingested into SendBriefs and used to render past Briefs remains within your workspace and is subject to the retention schedule in the Privacy Policy §6.
2.6 AI / language models
None. Chykalophia Group, LLC does not currently use any third-party AI/LLM provider as a subprocessor. Customer Data — including brief content, integration data, and client metadata — is never sent to an AI model, ours or anyone else's.
If we add an AI subprocessor in the future, it will be subject to:
- 30-day advance notice to all affected customers.
- Opt-in per workspace by a workspace administrator before any Customer Data is sent.
- A signed Data Processing Agreement and Standard Contractual Clauses (where international transfers apply).
- An entry in this table with full disclosure of what data is sent, what is retained, and for how long.
- An explicit prohibition on the provider using Customer Data to train, fine-tune, or benchmark its models.
3. Pre-cutover note
Several entries above describe the architectural intent at V1 production cutover. We are pre-launch as of the effective date of this page; some sub-processors may not yet have signed DPAs in place. No production Customer Data is being processed by these services during the pre-launch period. The fully-executed sub-processor DPAs will be in place before any customer's production data enters the system.
4. Categories of personal data processed
For transparency, the personal-data categories that may be processed via these subprocessors include:
- Identifiers — name, work email, account ID, IP address, device identifier.
- Commercial information — subscription tier, purchase history, billing address.
- Internet/network activity — login events, feature usage, API calls.
- Professional/employment information — job title, agency name (when provided).
- Customer-uploaded data — anything you choose to include in a brief or upload as workspace metadata. You are the controller of this data; please do not include special-category data (GDPR Art. 9) without prior arrangement with us (see Terms §5 acceptable use).
5. International transfers and transfer mechanisms
Most subprocessors above are US-based. For Customer Data originating in the EU/UK, transfers to the US rely on:
- The EU–US Data Privacy Framework (where the receiving entity is self-certified — Stripe, Vercel, and others are).
- Standard Contractual Clauses (SCCs) under GDPR Art. 46, Module 2 (controller-to-processor) or Module 3 (processor-to-sub-processor), as applicable.
- The UK International Data Transfer Addendum to the EU SCCs for UK-origin transfers.
A Transfer Impact Assessment evaluating the legal landscape of the United States and the practical accessibility of EU/UK data to US government authorities is maintained on file and provided to Enterprise customers on request.
For EU instances (PostHog EU, Plausible Germany), no transfer to a third country occurs as part of normal operation.
6. Notification of changes
We will notify affected customers by email at least 30 days before any addition, removal, or material change to a subprocessor takes effect (changes to processing location, scope of processing, or sub-processor identity). The notification will include the name of the subprocessor, the purpose, the location of processing, and the categories of data affected.
Enterprise customers may request additional notification channels (e.g., webhook delivery to a designated endpoint) by contacting legal@sendbriefs.com.
7. Your right to object
If you object to a new subprocessor within 30 days of notification, contact privacy@sendbriefs.com. We will:
- Engage in good-faith discussion to understand your specific concern.
- Where possible, offer an alternative configuration (different region, alternative sub-processor, restricted scope) that addresses the concern.
- If no reasonable accommodation can be reached, you may cancel your subscription on written notice and receive a prorated refund of unused fees, as described in the Terms.
Continued use of the Service after the 30-day notice period without objection constitutes acceptance of the new subprocessor for the purposes of GDPR Art. 28(2).
8. Audit rights
Under GDPR Art. 28(3)(h), controllers may audit processors' compliance with the DPA. Chykalophia Group, LLC, in turn, has audit rights against each subprocessor under the back-to-back DPAs.
For Customer-initiated audits of Chykalophia Group, LLC, please contact legal@sendbriefs.com. Where reasonable, we satisfy audit obligations by providing recent third-party audit reports (e.g., SOC 2 Type II once available), security questionnaire responses (CAIQ, SIG), penetration-test summaries, and sub-processor compliance documentation. Direct on-site audits are available to Enterprise customers on at least 30 days' written notice, no more than once per year, at the requesting party's expense.
9. Breach notification
If Chykalophia Group, LLC becomes aware of a personal-data breach at a subprocessor that affects your data, we will notify you without undue delay and no later than 72 hours after confirmation, in line with GDPR Art. 33. The notice will include (where then-known):
- The nature of the breach and the categories and approximate number of data subjects and records affected.
- The likely consequences.
- The measures taken or proposed to address the breach and mitigate adverse effects.
- A point of contact for further information.
10. Data return and deletion
On termination of your subscription, Customer Data is retained per the schedule in our Privacy Policy §6. At your written request, we will require the relevant sub-processor(s) to delete or return Customer Data acted on by them, where technically feasible and not in conflict with each sub-processor's own legal retention obligations (e.g., Stripe's retention of payment records for tax compliance, which we cannot waive).
11. Contact
| For | Contact |
|---|---|
| Subprocessor questions or objections | privacy@sendbriefs.com |
| Enterprise notification setup or audit rights | legal@sendbriefs.com |
| Security disclosures (any subprocessor) | security@sendbriefs.com |
Postal: Chykalophia Group, LLC · 929 Michigan Ave, Apt 3 · Evanston, IL 60202 · USA.
Last reviewed: 2026-05-11.