Subprocessors
Third-party processors that may handle customer personal data on behalf of gr0.ai.
Last updated: May 15, 2026
01Overview
gr0.ai uses the third-party services ("Subprocessors") listed below to help operate the platform. Each subprocessor is bound by a written data-processing agreement (DPA) consistent with GDPR Article 28 and our SOC 2 controls.
We notify customers in writing at least 30 days before adding a new subprocessor. To receive these notifications, subscribe at /security-ai-governance.
02Current subprocessors
| Vendor | Purpose | Data | Region | DPA |
|---|---|---|---|---|
| Clerk | Authentication, session management, organization membership | Email, name, password hash, OAuth-provider identifiers, session metadata | United States | DPA → |
| Stripe | Payment processing, subscription billing, tax calculation | Billing email, name, billing address, card last-4, transaction history | United States (with EU/UK data residency for EEA customers) | DPA → |
| PayPal | Alternative payment processor (when selected by org) | Billing email, name, transaction history | United States (PayPal global infrastructure) | DPA → |
| Anthropic | LLM provider for agent execution | Prompt text, agent context (zero-retention API mode where supported) | United States | DPA → |
| OpenAI | Embedding generation, fallback LLM | Document chunks for embedding, prompt text | United States | DPA → |
| Tavily | Web search tool for agents | Search queries issued by agents | United States | DPA → |
| Cloudflare | DNS, WAF, CDN, R2 object storage, Workers, Turnstile bot defense | IP address, request headers, uploaded files (R2), bot-challenge tokens | Global (edge network) | DPA → |
| Hetzner Online GmbH | VPS infrastructure hosting the application + Postgres | All customer data at rest (encrypted) | Germany (EU) | DPA → |
| Coolify (self-hosted control plane) | Deployment + container orchestration | Operational metadata only — no customer PII flows through Coolify | Germany (EU) — same VPS as Hetzner | DPA → |
| Resend | Transactional email delivery | Recipient email, message body, delivery metadata | United States | DPA → |
| Langfuse | LLM observability + trace storage | Prompt/response pairs, token counts, latency metrics | United States (us.cloud.langfuse.com) | DPA → |
03Customer rights
If you object to any subprocessor on the list, contact [email protected]. We may not be able to provide the service without certain core subprocessors (e.g. Clerk for authentication, Stripe for payments), but in those cases we will work with you on alternative paths or termination with pro-rated refund per the DPA.
Questions about this policy?
Contact us at [email protected] or write to gr0.ai, 100 Pine Street, Suite 1250, San Francisco, CA 94111.