Legal
Subprocessors
Last updated: May 26, 2026
To deliver the Jobflo service, we rely on a small group of third-party vendors (“subprocessors”). This page lists every vendor that may touch your data, what they do for us, and what data each one actually sees. If you have any questions, email privacy@jobflo.us.
1. Current subprocessors
The table below is the complete list as of the “Last updated” date at the top of this page. We will update it whenever we onboard, change, or remove a vendor.
| Vendor | Purpose | Data accessed | Region |
|---|---|---|---|
| Vercel, Inc. | Application hosting + edge network for jobflo.us | All HTTP traffic, server-side logs (with PII scrubbing). No raw database content. | Global edge; primary US |
| Supabase, Inc. | Primary database (Postgres) + authentication | All tenant data — organizations, users, customers, jobs, invoices, addresses, settings | US (us-east-1) |
| Cloudflare, Inc. (R2) | Object storage for invoice PDFs, uploaded logos, job photos, and customer-uploaded files | File payloads + their metadata (filename, size, content type). Private buckets, signed URLs only. | Global; configurable per bucket |
| Stripe, Inc. | Subscription billing (Jobflo→customer) + Connect payments (customer→their customer) | Billing email, tenant name, payment amount, last-4 card digits. We never see full card numbers — Stripe holds them. | US; global via Stripe Connect |
| Resend | Transactional email (invoice emails, password resets, team invites, receipts) | Recipient email, subject, body, attachments (invoice PDFs). Bounce + delivery events. | US |
| Mapbox, Inc. | Maps + geocoding for job addresses + route optimization | Geocoded addresses (street, city, postal code). Not customer names or contact info. | US |
| Anthropic, PBC | Vision-based field detection on uploaded invoice templates | Uploaded invoice template image (no customer PII). Anthropic does not train on our API traffic. | US |
2. How we evaluate subprocessors
Before we onboard any vendor that may handle customer data, we check:
- They publish their own security & privacy policies
- They support encryption in transit (TLS) and at rest
- They have audited compliance (SOC 2, ISO 27001, or equivalent) where applicable
- Their published Data Processing Agreement aligns with ours
- The data they need access to is the minimum required for their function
3. Notice of changes
We notify customers in advance whenever we add or change a subprocessor. Notifications are sent to the billing email on file for each org at least 30 days before the change takes effect, unless the change is urgent for security reasons.
If you object to a new subprocessor, you may terminate your subscription before the change takes effect for a prorated refund of any unused pre-paid time.
4. Sub-subprocessors
Some of the vendors above use their own subprocessors (for example, Vercel and Supabase run on Amazon Web Services). We do not maintain a separate list of those — refer to each vendor’s privacy policy and sub-processor list (linked above).
5. Questions or audit requests
If you need a vendor-by-vendor data flow diagram, signed DPA, or security questionnaire response, email security@jobflo.us. We typically respond within 5 business days.