Subprocessors

Last updated · 19 June 2026

Overview

This document lists the third-party subprocessors that Stazion ApS ("Stazion") engages to process personal data on behalf of our customers. This list is maintained pursuant to our Data Processing Agreement and GDPR Article 28.

Notification of Changes

Customers will be notified at least 14 days in advance of any intended changes to our subprocessors. To receive notifications:

Subscribe to updates via your account settings
Contact vb@stazion.ai to be added to the notification list

Current Subprocessors

Infrastructure & Hosting

Subprocessor	Purpose	Location	Data Processed
Supabase (Supabase, Inc.)	Database, authentication, and file storage — primary data store	EEA	All application data: user accounts, organization data, uploaded documents and extracted content, search embeddings, RFQ data, encrypted integration tokens
Vercel (Vercel, Inc.)	Application hosting and serverless compute	EEA (Stockholm, Sweden)	All application data in transit, logs, operational metrics
Google Cloud Platform (Google LLC)	PDF text extraction and optical character recognition (Document AI), and temporary processing storage (Cloud Storage)	EEA region	Uploaded document content (PDF/image content processed for extraction, not retained beyond processing)

AI & Document Processing

Subprocessor	Purpose	Location	Data Processed
Anthropic (Anthropic, PBC)	AI model (Claude) for product extraction, RFQ line and requirement extraction, compliance assessment, and proposal and chat generation	United States	Document content, RFQ content, user queries
OpenAI (OpenAI, L.L.C. — EEA contracting via OpenAI Ireland Ltd)	Document chunk contextualization and generation of search embeddings	United States	Document text and chunks, queries
Cohere (Cohere Inc.)	Reranking of search results to improve relevance (optional)	United States / Canada	Search queries and candidate document snippets

Identity & Communications

Subprocessor	Purpose	Location	Data Processed
Microsoft Corporation	OAuth authentication, Microsoft Graph for directory access, sending email as the representative, and capturing teammate replies via Microsoft Teams	EEA / Global (varies by customer tenant)	User identity, OAuth tokens, organization directory, email content and metadata, Teams message content, sign-in activity
Resend (Plus Five Five, Inc.)	Inbound and transactional email handling	United States	Email content and metadata, identity data

Integrations

Subprocessor	Purpose	Location	Data Processed
Merge.dev (Merge API, Inc.) (only if the Customer connects an integration)	Unified API for CRM, file storage, and knowledge base sync	United States	Integration credentials, account data, business contact data, synced document content

Analytics & Monitoring

Subprocessor	Purpose	Location	Data Processed
Amplitude (Amplitude, Inc.)	Product analytics, usage tracking, and sampled session replay	EU data region	User ID, session ID, product usage events, session data, device and browser information, sampled session replays

Note: Analytics (Amplitude) runs in our production environment only — it is not active on local or development environments.

Detailed Subprocessor Information

Supabase (Supabase, Inc.)

Entity: Supabase, Inc. Privacy Policy: https://supabase.com/privacy DPA: https://supabase.com/legal/dpa

Services Used:

PostgreSQL database (primary data store)
Authentication
File storage

Data Center Location: EEA

Data Processed:

User account information
Organization directory data
Uploaded documents and extracted content
Search embeddings
RFQ/RFx data
Encrypted integration tokens

Transfer Mechanism: Data hosted within the EEA

Vercel (Vercel, Inc.)

Entity: Vercel, Inc. Privacy Policy: https://vercel.com/legal/privacy-policy DPA: https://vercel.com/legal/dpa

Services Used:

Application hosting (frontend and backend)
Serverless compute

Data Center Location: EEA (Stockholm, Sweden)

Data Processed:

All application data in transit
Application logs
Operational metrics

Transfer Mechanism: Data hosted within the EEA

Google Cloud Platform (Google LLC)

Entity: Google LLC Address: 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA Privacy Policy: https://cloud.google.com/terms/cloud-privacy-notice DPA: https://cloud.google.com/terms/data-processing-addendum

Services Used:

Document AI (PDF text extraction and optical character recognition)
Cloud Storage (temporary processing storage)

Data Center Location: EEA region

Data Processed:

Uploaded document files
PDF/image content processed for text extraction (not retained beyond processing)

Transfer Mechanism: Data processed within the EEA region

Anthropic (Anthropic, PBC)

Entity: Anthropic, PBC Privacy Policy: https://www.anthropic.com/legal/privacy DPA: https://www.anthropic.com/legal/commercial-terms

Services Used:

Claude models for product extraction, RFQ line and requirement extraction, compliance assessment, and proposal and chat generation

Data Center Location: United States

Data Processed:

Document content
RFQ/RFx content
User queries

Transfer Mechanism: Standard Contractual Clauses and/or EU-US Data Privacy Framework. Anthropic is engaged under terms that prohibit using customer content to train its models.

OpenAI (OpenAI, L.L.C.)

Entity: OpenAI, L.L.C. (EEA contracting via OpenAI Ireland Ltd) Privacy Policy: https://openai.com/policies/privacy-policy/ DPA: https://openai.com/policies/data-processing-addendum/

Services Used:

Document chunk contextualization
Generation of search embeddings

Data Center Location: United States

Data Processed:

Document text and chunks
Queries

Transfer Mechanism: Standard Contractual Clauses. OpenAI is engaged under terms that prohibit using customer content to train its models.

Cohere (Cohere Inc.)

Entity: Cohere Inc. Privacy Policy: https://cohere.com/privacy DPA: https://cohere.com/dpa

Services Used:

Reranking of search results to improve relevance (optional feature)

Data Center Location: United States / Canada

Data Processed:

Search queries
Candidate document snippets

Transfer Mechanism: Standard Contractual Clauses and/or reliance on the EU adequacy decision for Canada

Microsoft Corporation

Entity: Microsoft Corporation Address: One Microsoft Way, Redmond, WA 98052, USA Privacy Policy: https://privacy.microsoft.com/ DPA: https://www.microsoft.com/licensing/docs/view/Microsoft-Products-and-Services-Data-Protection-Addendum-DPA

Services Used:

Microsoft Entra ID (OAuth authentication)
Microsoft Graph API (directory, send email as the representative)
Microsoft Teams (teammate questions and reply capture)

Data Center Location: Varies by the customer's Microsoft 365 tenant location

Data Processed:

User identity and profile information
OAuth access and refresh tokens (encrypted at rest)
Organization directory
Email content and metadata
Teams message content
Sign-in activity logs

Transfer Mechanism: Microsoft DPA includes EU SCCs; data location depends on the customer tenant

Resend (Plus Five Five, Inc.)

Entity: Plus Five Five, Inc. (Resend) Privacy Policy: https://resend.com/legal/privacy-policy DPA: https://resend.com/legal/dpa

Services Used:

Inbound and transactional email handling

Data Center Location: United States

Data Processed:

Email content and metadata
Identity data

Transfer Mechanism: Standard Contractual Clauses and/or EU-US Data Privacy Framework

Merge.dev (Merge API, Inc.) — only if the Customer connects an integration

Entity: Merge API, Inc. Privacy Policy: https://www.merge.dev/legal/privacy-policy DPA: https://www.merge.dev/legal/dpa

Services Used:

Unified API for CRM, file storage, and knowledge base sync

Data Center Location: United States

Data Processed:

Integration credentials
Account data and business contact data
Synced document content

Transfer Mechanism: Standard Contractual Clauses (Module 3). This subprocessor processes personal data only where the Customer enables and connects an integration.

Amplitude (Amplitude, Inc.)

Entity: Amplitude, Inc. Privacy Policy: https://amplitude.com/privacy DPA: https://amplitude.com/legal/data-processing-addendum

Services Used:

Product analytics
Event tracking
Sampled session replay

Data Center Location: EU data region

Data Processed:

User ID and session ID
Product usage events (page views, feature interactions)
Session data
Device and browser information
Sampled session replays

Transfer Mechanism: EU data residency; data processed within the EEA. Analytics is active in production only.

Data Flow Summary

User Authentication
    └─> Email/password or Microsoft Entra ID (OAuth)
            └─> Stazion (Supabase Auth - EEA)
                    └─> User Session Created

Document Upload & Indexing
    └─> Uploaded File (PDF/Word/Excel/PowerPoint)
            └─> Supabase Storage (EEA)
                    └─> Google Document AI (EEA) — text extraction / OCR
                            └─> OpenAI (US) — contextualization + embeddings
                                    └─> Embeddings stored in Database (Supabase - EEA)

Sales Engineer & RFQ/RFx Workflow
    └─> User Query / RFQ Document
            └─> OpenAI (US) — query embedding
                    └─> Cohere (US/Canada) — rerank (optional)
                            └─> Anthropic Claude (US) — extraction / drafting / answering
                                    └─> Result stored in Database (Supabase - EEA)

Outbound Communications
    └─> Email sent as representative
            └─> Microsoft Graph (tenant location)
    └─> Teammate question
            └─> Microsoft Teams (tenant location) — reply captured back
    └─> Inbound / transactional email
            └─> Resend (US)

Integrations (optional)
    └─> CRM / file storage / knowledge base
            └─> Merge.dev (US)
                    └─> Synced context to Database (Supabase - EEA)

Application Hosting
    └─> User Browser
            └─> Stazion Frontend & API (Vercel - EEA, Stockholm)

Analytics (production only)
    └─> User Activity ──> Amplitude (EU data region)

Previous Subprocessors

Subprocessor	Purpose	Removed	Reason
None to date	—	—	—

How to Object

If you object to a new subprocessor, please contact us within 14 days of notification:

Email: vb@stazion.ai

Include:

Your organization name
The specific subprocessor you object to
The basis for your objection

We will work with you in good faith to address your concerns. If we cannot resolve the objection, you may have the right to terminate the affected part of the service agreement.

Contact

For questions about our subprocessors:

Email: vb@stazion.ai

Stazion ApS CVR: 46244028 Husumgade 31, 4. 15, 2200 København N, Denmark