We use trusted vendors to operate the Services. This page lists subprocessors that may process Customer Content.
We will provide at least 30 days' notice before adding a new subprocessor that processes Customer Content (except in emergencies where immediate action is required for security or operational reasons).
Last updated: December 22, 2025
| Vendor Name | Purpose | Data Categories | Regions | Trust/Security |
|---|---|---|---|---|
|
Microsoft Azure
Microsoft Corporation
|
Cloud hosting and infrastructure services | Application data, customer content, usage data | United States | Azure Trust Center → |
|
Stripe
Stripe, Inc.
|
Payment processing | Payment information, billing data | Global | Stripe Security → |
|
Cloudflare
Cloudflare, Inc.
|
CDN, DDoS protection, security services | Network traffic data, IP addresses | Global | Cloudflare Trust Hub → |
|
Azure OpenAI (OpenAI API)
Microsoft Corporation
|
Language model inference for AI Coding Guide; vector embeddings for org guidelines | AI chat messages (session only, not stored); text embeddings. No PHI on self-serve tiers. | United States | Azure OpenAI Data Privacy → |
|
Twilio Verify
Twilio Inc.
|
SMS OTP for account verification and anti-abuse | Phone number (E.164) for OTP only. Not linked to PHI. | United States | Twilio Privacy → |
|
Google / Microsoft OAuth
Google LLC; Microsoft Corporation
|
Federated user authentication (sign-in) | OAuth identity tokens. No PHI transmitted. | United States | Provider Privacy → |
Enterprise customers may object to the use of a new subprocessor by contacting us within the 30-day notice period. We will work with you in good faith to find a commercially reasonable solution, which may include not using the new subprocessor for your data or allowing you to terminate the affected services.
To object to a subprocessor or ask questions, contact: [email protected]