Transparency · vendors · data flows
Subprocessors for Guardian and this site
This list exists so procurement and security reviewers can see which third parties sit behind hosting, delivery, and operations—and what categories of processing they typically touch. It is a summary, not a substitute for your Data Processing Agreement (DPA), order form, or the published security policy.
Where a provider is outside the EU, we describe the narrow purpose (for example, code-only) so the scope stays legible alongside the security page's boundary framing.
Current subprocessors
Regions reflect our current deployment intent; confirm live regions, subprocessors, and retention in your contractual pack—this table is for orientation during review.
| Subprocessor | Role | Region | Typical processing |
|---|---|---|---|
| Vercel | Application hosting | EU Edge | Web and app delivery; deployment and edge request metadata per provider defaults. |
| Neon (PostgreSQL) | Managed database | EU Central | Guardian tenant application data you store through normal product use (operational records). |
| Resend | Transactional email | EU | Outbound email delivery; recipient and message metadata for sends you trigger from the product or site. |
| Cloudflare | DNS / CDN | EU | DNS resolution, caching, and edge security; request metadata—not your model training data store. |
| GitHub | Source code | US (code only) | Repository hosting for Guardian source; no production Guardian tenant payloads. |
We update this page when subprocessors change materially. For the authoritative register and legal wording, rely on your executed agreements and the latest security policy PDF—not this summary alone.
Vendor and procurement questions
For DPA-aligned subprocessor wording, questionnaires, and updates beyond this summary, use security contact. For commercial entry and integration assumptions: