Sub-processors.
These are the third-party services that help us operate Synchronise AI. Each one is bound to protect customer data and process it only to provide its part of the service. We keep this list current and notify workspace admins before a new sub-processor that handles customer data takes effect.
| Provider | Region | Purpose | Security posture |
|---|---|---|---|
| Supabase | Tokyo, Japan | Database, auth, and file storage — holds all workspace data | SOC 2 Type II, ISO 27001 (provider) |
| Vercel | Global edge | Application hosting and serverless functions — data in transit | SOC 2 Type II, ISO 27001 (provider) |
| Fly.io | Regional (per workspace) | Dedicated compute for autonomous agents — prompt + signal during a run | SOC 2 Type II (provider; report under NDA) |
| Anthropic | United States | AI inference for chat, insights, and agents — prompts + connected signal | SOC 2 Type II, ISO 27001/42001 (provider); no training on API data |
| Composio | United States | OAuth broker / tool router — holds connector tokens; reads sources during tool calls | SOC 2 Type II (provider) |
| Resend | United States | Transactional + agent email — recipient address and message content | SOC 2 Type II (provider) |
| Stripe | United States / Ireland | Subscription billing — billing contact and plan; card data handled by Stripe | PCI DSS Level 1; SOC 1 & SOC 2 (provider) |
| PostHog | United States | Product analytics + masked session recording — usage events, no raw source data | SOC 2 Type II (provider) |
| Telegram | Global | Optional agent delivery — linked chat ID + notifications (only if you link it) | No DPA; notification channel only |
About this list
Synchronise AI does not hold its own SOC 2 attestation. The certifications in the table belong to the named providers and reflect their own published statements; their reports are available from them directly, typically under NDA. Regions reflect where each provider processes data for us and can change as providers evolve their infrastructure.
Sources you connect
The tools you connect — analytics, support, project management, docs, and communication platforms — are the data sources you point us at, not sub-processors acting on our behalf. We read from them through the OAuth broker above, at the scopes you grant, and you can disconnect any of them at any time. Their handling of your data is governed by their own terms.
Changes
When we add or replace a sub-processor that handles customer data, we update this page and email workspace admins before the change takes effect. You have 30 days to object on reasonable data-protection grounds. See the Privacy Policy and Data Processing Addendum for the full terms.