Privacy
Subprocessors
Effective date: TODO — set on legal approval
AI draft— pending legal & owner review; not legally binding.
1. Overview
ShipReady Metrics ("ShipReady", "we", "us"), operated by Persoon.ai Inc., engages a limited set of third-party service providers ("subprocessors") to help deliver, secure, and operate our platform. A subprocessor is an entity that processes customer personal data on our behalf and under our instructions. This page describes the subprocessors we currently rely on, the purpose of each engagement, the categories of data each may process, and the primary processing region.
This document is an AI-generated draft published for transparency. The list below is representative of our intended production architecture and must be reviewed and confirmed by the company owner and counsel before it is treated as authoritative. It does not by itself create or modify any contractual commitment.
Where we act as a processor for customer personal data, our use of subprocessors is governed by our Data Processing Agreement (DPA). Each subprocessor is engaged under a written agreement that is intended to require data protection obligations no less protective than those we owe our customers, to the extent applicable.
2. Current Subprocessors
The following table lists the subprocessors that may process customer data as part of the ShipReady Metrics service. It is REPRESENTATIVE and TO CONFIRM: hosting regions reflect each provider’s typical or default deployment region and must be validated against our actual configuration before this list is treated as authoritative. Regions marked configurable depend on tenant or plan settings and should be confirmed for your specific deployment.
| Subprocessor | Purpose | Data Categories | Primary Region |
|---|---|---|---|
| Supabase | Primary application database, authentication, and file/object storage (Postgres with row-level security for tenant isolation). | Account identifiers, tenant/organization records, user credentials and auth tokens, application content, connector metrics, audit logs. | US East (AWS us-east-1) |
| Vercel | Application hosting, edge/serverless compute, and content delivery for the web application and APIs. | Request metadata, IP addresses, in-transit application data, operational logs. | Global edge; primary compute region configurable |
| Resend | Transactional and notification email delivery (e.g., verification, invitations, alerts, digests). | Recipient email addresses, names, and message content for transactional emails. | US (to confirm current region) |
| Anthropic | AI-powered features (e.g., summarization, drafting, and analysis) via the Anthropic Claude API. | Prompt content and data submitted to AI features; may include user-provided text. Outputs are returned to the product. | US (to confirm current region) |
| GitHub | Source/code connector enabling customers to link repositories and ingest engineering/DevOps metrics. | Repository and organization metadata, commit/PR/issue/CI metadata, and OAuth tokens for connected accounts (where authorized by the customer). | US / global (to confirm) |
| Stripe | Payment processing and subscription billing for paid plans (self-serve checkout and recurring charges). NOT CURRENTLY ENGAGED — billing is disabled and there is no self-serve checkout today, so Stripe processes no data for us at present; this row is listed in advance of enabling it. When enabled, Stripe is the card-data processor — ShipReady never stores full card numbers. | Billing contact name and email, organization identifier, subscription and plan status, and payment metadata. Card details are collected and held by Stripe, not by ShipReady. | US / global (to confirm) |
| Google Analytics | Website analytics on our PUBLIC MARKETING PAGES ONLY — never loaded on authenticated in-app pages. Consent-gated where consent is required. | Marketing-site visitor data: page views, referrer, approximate location, device/browser metadata. No tenant data, no in-app data. | US / global |
| Microsoft Clarity | Website session analytics (heatmaps/recordings) on our PUBLIC MARKETING PAGES ONLY — never loaded on authenticated in-app pages. Consent-gated where consent is required. | Marketing-site visitor interaction data: clicks, scrolls, device/browser metadata. No tenant data, no in-app data. | US / global |
This list is representative and not exhaustive. Cloud and DevOps connectors (such as GitHub and other engineering or cloud sources) are activated only when a customer chooses to connect that source; the corresponding provider then processes only the data required to enable the connector and only what the customer has authorized.
3. Infrastructure and Hosting
ShipReady Metrics is built on Next.js and Supabase and hosted on Vercel. Customer data is logically separated by tenant, and database-level access is enforced through Postgres row-level security (RLS) policies. The underlying physical infrastructure of our hosting and database providers runs on established cloud platforms operated by those providers.
We do not operate our own data centers. Physical and environmental security controls for the infrastructure are the responsibility of the relevant cloud and platform providers under their respective security programs.
4. International Data Transfers
Some subprocessors may process data in regions outside the country where your organization or its users are located (for example, in the United States). Where personal data is transferred internationally, we intend to rely on the transfer mechanisms made available by the relevant subprocessor and applicable law, which may include Standard Contractual Clauses or equivalent safeguards.
The specific transfer mechanisms and the adequacy of safeguards for each provider must be confirmed by counsel before this document is relied upon. Customers with data residency requirements should contact us to confirm whether their requirements can be met for a given deployment.
5. Subprocessor Due Diligence
Before engaging a subprocessor that processes customer personal data, we intend to perform proportionate due diligence on the provider, taking into account the nature of the data, the provider’s security posture, and the sensitivity of the processing.
- Reviewing the provider’s publicly available security and privacy documentation.
- Confirming that a written agreement with appropriate data protection terms is in place.
- Assessing the data categories and minimizing the data shared to what is necessary for the service.
- Periodically re-reviewing engaged subprocessors as part of vendor management.
The maturity and cadence of this program are evolving alongside the product. We do not claim a completed third-party audit (such as SOC 2 or ISO 27001) for our vendor-management program; the current status of those efforts is tracked in our Trust Center and is in progress / not yet obtained.
6. Changes to Subprocessors
We may add, remove, or replace subprocessors as the service evolves. When we make a material change to the subprocessors that process customer personal data, we intend to update this page and, where required by the applicable customer agreement or DPA, to provide advance notice and a mechanism to object.
The notification cadence, objection window, and any related rights are governed by the executed customer agreement and DPA, which take precedence over this draft.
7. Contact
Questions about our subprocessors, data processing, or transfer mechanisms can be directed to our security and privacy team.
- Security and privacy: security@persooninc.com
- Data protection contact: info@persooninc.com
- Legal entity: Persoon.ai Inc., 525 Randall Ave Ste 100 PMB 228, Cheyenne, WY 82001