Stub — counsel review pending

Sub-processors

The third parties Showly uses to process personal data on behalf of customers. Material changes are notified 30 days in advance per the DPA.

Authoritative source: legal/sub-processors.md in the platform repository. Each section flagged [REVIEW] in the source awaits external counsel input before going live.

Counsel review in progress

Showly is finalizing this document with counsel. For the binding version applicable to your account, contact legal@showly.ai.

Notification policy

Per the Data Processing Addendum § 5, this list is authoritative. When we add or replace a sub-processor, DPA-signing customers receive at least 30 days notice via the email on file plus a banner on this page.

Subscribers may object to a material change within the 30-day window. If the change is essential to platform operation and we cannot accommodate the objection, the customer may exit the contract under the DPA's termination clause.

Current sub-processors

Counsel review pending

Entries marked[REVIEW]in the source markdown await external counsel confirmation of the legal entity name + DPA reference before this list is contractually offered.

Sub-processor	Service	Data	Region
Google Cloud Platform	Compute, storage, networking	All tenant data when residency = us / eu / ap	US / EU / AP (per region)
Stripe, Inc.	Payment processing	Billing data: customer id, payment method, invoice metadata	US (DPA cross-region via SCC)
Resend, Inc.	Transactional + marketing email	Recipient email, subject, body	US (DPA via SCC)
Cloudflare, Inc.	Turnstile (CAPTCHA), edge CDN	Visitor IP transient, no persistence	Global
Sentry / Functional Software, Inc.	Error tracking	Stack traces, request metadata (PII redacted by Pino)	US (DPA via SCC)
OpenAI / OpenAI Ireland	LLM provider	AI-credit-consuming prompts + responses	US / IE
Anthropic PBC	LLM provider	AI-credit-consuming prompts + responses	US (DPA via SCC)
Google AI / Vertex	LLM provider	AI-credit-consuming prompts + responses	US / EU
ClickHouse, Inc. / cloud	Visitor analytics OLAP	Daily-salted visitor_hash, pageview metadata (no PII)	US / EU (per residency)
Vanta, Inc.	SOC 2 evidence automation	Read-only platform telemetry	US (DPA via SCC)

Region selection & LLM routing

Customers on the Team and Enterprise tiers can pin their primary data residency. The selection scopes which sub-processors see tenant data — EU residency keeps all PII inside Google Cloud's EU regions; US residency routes through US data centers. AI providers are only invoked when the customer consumes AI credits; non-AI-using customers' data is never sent to OpenAI, Anthropic, or Vertex.

Disclosure history

We log every change to this list in the audit trail (audit_events, event_type=subprocessor.changed) and the immutable history is reflected in the markdown source under version control. Diff-able evidence for DSAR or audit requests.

This page summarises the current draft. The repository holds the full structural document — see the legal/sub-processors.md referenced above. Substantive language is intentionally conservative until counsel review concludes.