Subprocessors

Last updated: 30 June 2026

Keep-Ready uses the third-party services listed below to operate the application. Each of them processes some Keep-Ready user data on our behalf, under a written Data Processing Agreement that obliges them to use the data only for the purpose we authorise. We do not sell user data to any third party for any purpose.

Current subprocessors

VendorServiceRegionCompliance
VercelWeb hosting, serverless compute, edge functions
All request / response data, runtime logs
USA (primary), global edgeSOC 2 Type II, ISO 27001
Vercel BlobEncrypted file storage
Document file ciphertext (encrypted before upload)
USASOC 2 Type II (via Vercel)
NeonManaged Postgres database
All persisted application data: user profiles, asset metadata, encrypted document keys, encrypted OAuth tokens, audit logs
AWS ap-southeast-2 (Sydney)SOC 2 Type II
StripeSubscription billing and payment processing
Customer name, email, billing address, payment method token (never the raw card number)
USA, IrelandPCI DSS Level 1, SOC 1/2 Type II
PayPalAlternative subscription billing
Customer name, email, PayPal transaction id (never bank or card details)
USAPCI DSS Level 1
ResendTransactional email delivery (signup, password reset, suspicious-login alerts, share invitations, billing notices)
Recipient email + email body content
USASOC 2 Type II
AnthropicAI text + image inference (product scan, receipt scan, value estimate, manual lookup)
Photos and prompts submitted for AI inference. Not used to train models per Anthropic's commercial terms.
USASOC 2 Type II
CloudflareDNS for keep-ready.com (where used)
DNS query metadata only — no application data
GlobalSOC 2 Type II, ISO 27001, ISO 27018
Google WorkspaceInbound email to @keep-ready.com aliases
Email body + attachments sent to any address on the domain
USA (with regional storage)SOC 2 Type II, ISO 27001 / 27017 / 27018
SentryApplication error tracking
Stack traces, user agent, IP address. PII scrubbed at the SDK boundary.
USASOC 2 Type II, ISO 27001
GitHubSource code hosting and CI/CD (Actions for daily DB backup)
Source code; for daily backup workflow, backup token + DB connection string in encrypted Action secrets
USASOC 2 Type II, ISO 27001, ISO 27018

Notice of changes

We will update this page when we add, remove, or replace a subprocessor. Enterprise customers on a signed Data Processing Addendum will additionally receive an email notice at least 30 days before any new subprocessor begins processing their data, giving them the opportunity to object on reasonable grounds.

Onboarding criteria

Before engaging a new subprocessor, we require: (a) a written Data Processing Agreement, (b) a SOC 2 Type II report or equivalent independent attestation, and (c) a documented assessment of any cross-border data transfer safeguards needed for that vendor's region.

Questions

For privacy and security enquiries, contact privacy@keep-ready.com. See also our Privacy Policy and Data Processing Addendum page.