Home / Legal / Subprocessors

Legal

Subprocessors

To deliver the Services we use a small number of trusted third parties, or "subprocessors". This page lists them and explains how we manage and notify changes.

Last updated June 28, 2026 · Version 2.0 Contact legal
Few, vetted, and contracted. Every subprocessor is bound by terms no less protective than our DPA, may only process data on our instructions, and must report security incidents to us.

This page lists the subprocessors that may process Customer Personal Data in connection with the Services, as referenced in our Data Processing Addendum. We keep the list current and notify customers of changes as described below.

1 How we choose and manage subprocessors

Before engaging a subprocessor, we assess its security and privacy practices and enter into a written contract that imposes data protection obligations no less protective than those in our DPA. Subprocessors may process Customer Personal Data only to provide their service to us, only on our instructions, and must maintain appropriate security measures and report incidents to us. We remain responsible to you for their performance.

2 Current subprocessors

The following third parties may process Customer Personal Data to provide the Services. Some, such as the AI providers and accounting sync, are used only when you enable the related feature or integration.

SubprocessorPurposePrimary region
SupabaseManaged Postgres database, authentication, object/file storage, and realtime — the core hosting and data layer for the Services.United States / EU
AnthropicAI model provider for the Aria assistant (Claude), used when you select Claude as your AI provider.United States
GoogleAI model provider for the Aria assistant (Gemini), used when you select Gemini as your AI provider.United States
StripePayment processing for subscriptions and invoices. Card data is handled by Stripe; we do not store full card numbers.United States / global
Intuit (QuickBooks)Optional accounting synchronization, used only if you connect QuickBooks to your workspace.United States
Transactional email providerDelivery of transactional and notification emails, such as sign-in, receipts, and workspace alerts.United States / EU

3 Infrastructure and hosting

Our core infrastructure — database, authentication, file storage, and realtime — runs on managed cloud infrastructure operated by our hosting subprocessor, which in turn relies on certified underlying cloud data centers for physical security.

4 Notification of changes

When we add or replace a subprocessor that processes Customer Personal Data, we will update this page and, at least 30 days before the new subprocessor begins processing, notify customers who have subscribed to subprocessor change notices. To subscribe, email privacy@stelaah.com.

5 Objecting to a change

If you have a reasonable, data protection–related objection to a new subprocessor, tell us within the notice period and we will work in good faith to address it. If we cannot, you may, as your sole remedy, terminate the affected Services as described in the DPA.

6 Contact

Questions about our subprocessors? Email privacy@stelaah.com.

Questions about this policy? Email legal@stelaah.com.

Back to top