To deliver ReplyLabs, we engage trusted third-party providers (subprocessors) to process customer data on our behalf. This page lists every subprocessor we currently use, what they do, and where they process data. We update this list when subprocessors change; the Last Updated date at the top of this page reflects the most recent revision.
A summary of the most-relevant subprocessors also appears in our Privacy Policy §5. This page is the canonical comprehensive list.
Infrastructure
| Provider | Role | Data processed | Region |
|---|
| Supabase | Database, authentication, storage | All application data (account, organization, batch metadata, BYOK keys encrypted at rest) | EU (Frankfurt) |
| Vercel | Application hosting and edge delivery | All routed requests, server logs | Global edge (request-routed) |
| Upstash | Rate limiting (Redis) | IP addresses and request identifiers (transient, for abuse prevention) | Global edge |
Email and notifications
| Provider | Role | Data processed | Region |
|---|
| Resend | Transactional email (signup confirmations, password resets, billing receipts, balance alerts) | Email addresses, message metadata | US |
| LogSnag | Internal founder notifications (signups, errors, revenue, consent decisions) | Event metadata, user identifiers (email, plan) | EU |
Payments
| Provider | Role | Data processed | Region |
|---|
| Stripe | Subscription billing, payment processing, prepaid balance recharges | Payment information, billing details (we never see full card numbers) | US (Stripe Inc.) and EU (Stripe Payments Europe Ltd.) |
AI providers
When you run an AI prompt through ReplyLabs, the prompt content is routed to the model provider you selected. If you supply your own API key (BYOK), the request goes directly to the provider under your own agreement and ReplyLabs does not log the content. Without BYOK, ReplyLabs invokes the provider on your behalf using our own keys.
| Provider | Role | Data processed | Region |
|---|
| OpenAI | AI model inference (GPT models, when configured/used) | Prompt content, response metadata | US |
| Anthropic | AI model inference (Claude models, when configured/used) | Prompt content, response metadata | US |
| Google (Gemini) | AI model inference (when configured/used) | Prompt content, response metadata | US/EU |
| Mistral | AI model inference (when configured/used) | Prompt content, response metadata | EU |
| OpenRouter | Public model catalog sync (we fetch the list of available models; no customer prompt content is sent) | No customer data — metadata only | US |
Email verification
| Provider | Role | Data processed | Region |
|---|
| No2Bounce | Email deliverability checks (when running Verify batch jobs) | Email addresses being verified | EU |
Job processing
| Provider | Role | Data processed | Region |
|---|
| Inngest | Asynchronous job queue (batch AI runs, batch verify, batch scrape, scheduled cron jobs) | Row data being processed (transient — not retained after the job completes) | US |
Analytics and observability
| Provider | Role | Data processed | Region |
|---|
| PostHog | Product analytics (only loaded after you accept the cookie banner) | Pageviews, feature usage, anonymous identifiers; once signed in, also email and plan | US (per Privacy Policy §4.2) |
| Sentry | Application error reporting (no session replay, no personal identifiers) | Stack traces, error breadcrumbs | US |
| Better Stack | Uptime monitoring of the public site (pings public URLs from external probes) | No customer data — public HTTP request metadata only | EU |
Customer relationship
| Provider | Role | Data processed | Region |
|---|
| HubSpot | Internal CRM (lead and customer record-keeping). No HubSpot tracking script runs on our marketing site. | Customer contact details, account metadata, plan, usage metrics | EU |
| Slack | Internal team workspace. Receives company name + owner email when a paid plan is activated, plus internal ops alerts. | Company name, owner email (paid plans only) | US |
Changes to subprocessors
We will update this list as subprocessors change. The Last Updated date at the top of this page reflects the most recent revision. We do not currently offer email subscriptions for change notifications; if you require advance notice of subprocessor changes for compliance reasons, contact hello@replylabs.io and we will add you to a notification list.
Need a Data Processing Addendum (DPA)? Email hello@replylabs.io. We provide a DPA on request for enterprise customers and can sign your standard DPA where reasonable.