Sub-Processors
Effective Date: 2026-04-21
Version: 1.0
Theta One AI engages the following sub-processors to help operate the Service. Each is bound by a written data-processing contract with appropriate confidentiality, security, and international-transfer safeguards (including the EU Standard Contractual Clauses where applicable).
This list is incorporated into our Privacy Policy and any Data Processing Addendum with a customer.
Current sub-processors
| Sub-processor | Purpose | Data processed | Region |
|---|---|---|---|
| Supabase, Inc. | Authentication, Postgres database, object storage | Account data, consent records, usage metadata | United States |
| Amazon Web Services, Inc. | Compute, object storage, networking for API servers | API request metadata, short-lived logs | United States |
| Vercel, Inc. | Hosting of the Console front-end and marketing/documentation sites | Site access logs, IP address, session cookies | United States, global edge |
| Stripe, Inc. | Card and wallet payment processing, tax handling | Billing name, address, tokenized payment method, invoice history | United States |
| Resend (Resend, Inc.) | Transactional email delivery (verification, security, billing) | Email address, email content, delivery status | United States |
| Google LLC — Google Workspace | Corporate email and document storage used for support correspondence | Content of your support messages | United States |
| Sentry (Functional Software, Inc.) | Error monitoring of Console and API servers | Truncated stack traces, user-agent, session identifier | United States |
When we plan to engage a new sub-processor that processes your personal data, we update this page. You may subscribe to change notifications at privacy@thetaone.co.
Objecting to a sub-processor
Enterprise customers with a signed DPA may object in writing to the addition of a new sub-processor within thirty (30) days of notice, on reasonable data-protection grounds. If we cannot accommodate the objection, either party may terminate the affected part of the Service for convenience.
Safeguards
- Contracts: each sub-processor is bound by written obligations at least as protective as those in our DPA, including confidentiality and security commitments.
- International transfers: SCCs (EU Commission), UK IDTA, or equivalent mechanisms, plus encryption in transit (TLS 1.2+) and at rest.
- Due diligence: we review security posture (e.g., SOC 2, ISO 27001 reports) before onboarding.
Contact
Questions or requests related to sub-processors: privacy@thetaone.co.