Subprocessors
Last updated: 30 June 2026
Keep-Ready uses the third-party services listed below to operate the application. Each of them processes some Keep-Ready user data on our behalf, under a written Data Processing Agreement that obliges them to use the data only for the purpose we authorise. We do not sell user data to any third party for any purpose.
Current subprocessors
| Vendor | Service | Region | Compliance |
|---|---|---|---|
| Vercel | Web hosting, serverless compute, edge functions All request / response data, runtime logs | USA (primary), global edge | SOC 2 Type II, ISO 27001 |
| Vercel Blob | Encrypted file storage Document file ciphertext (encrypted before upload) | USA | SOC 2 Type II (via Vercel) |
| Neon | Managed Postgres database All persisted application data: user profiles, asset metadata, encrypted document keys, encrypted OAuth tokens, audit logs | AWS ap-southeast-2 (Sydney) | SOC 2 Type II |
| Stripe | Subscription billing and payment processing Customer name, email, billing address, payment method token (never the raw card number) | USA, Ireland | PCI DSS Level 1, SOC 1/2 Type II |
| PayPal | Alternative subscription billing Customer name, email, PayPal transaction id (never bank or card details) | USA | PCI DSS Level 1 |
| Resend | Transactional email delivery (signup, password reset, suspicious-login alerts, share invitations, billing notices) Recipient email + email body content | USA | SOC 2 Type II |
| Anthropic | AI text + image inference (product scan, receipt scan, value estimate, manual lookup) Photos and prompts submitted for AI inference. Not used to train models per Anthropic's commercial terms. | USA | SOC 2 Type II |
| Cloudflare | DNS for keep-ready.com (where used) DNS query metadata only — no application data | Global | SOC 2 Type II, ISO 27001, ISO 27018 |
| Google Workspace | Inbound email to @keep-ready.com aliases Email body + attachments sent to any address on the domain | USA (with regional storage) | SOC 2 Type II, ISO 27001 / 27017 / 27018 |
| Sentry | Application error tracking Stack traces, user agent, IP address. PII scrubbed at the SDK boundary. | USA | SOC 2 Type II, ISO 27001 |
| GitHub | Source code hosting and CI/CD (Actions for daily DB backup) Source code; for daily backup workflow, backup token + DB connection string in encrypted Action secrets | USA | SOC 2 Type II, ISO 27001, ISO 27018 |
Notice of changes
We will update this page when we add, remove, or replace a subprocessor. Enterprise customers on a signed Data Processing Addendum will additionally receive an email notice at least 30 days before any new subprocessor begins processing their data, giving them the opportunity to object on reasonable grounds.
Onboarding criteria
Before engaging a new subprocessor, we require: (a) a written Data Processing Agreement, (b) a SOC 2 Type II report or equivalent independent attestation, and (c) a documented assessment of any cross-border data transfer safeguards needed for that vendor's region.
Questions
For privacy and security enquiries, contact privacy@keep-ready.com. See also our Privacy Policy and Data Processing Addendum page.
