Every vendor in the data path, named in full.
The complete list of third parties that process personal data on Habeo's behalf — what each one does, what data it sees, where it runs, and the certifications it holds.
Section 01 Overview
A “subprocessor” is a third party that Habeo engages to process personal data on behalf of our customer institutions in order to provide the Services. We publish the complete list here so that every Habeo customer, prospect, and privacy office sees exactly the same picture.
This page is updated whenever we add, remove, or replace a subprocessor. Customers are notified at least 30 days before a change takes effect — see Notification policy below.
Section 02 Core infrastructure subprocessors
The platform itself runs on these.
| Subprocessor | Purpose | Data processed | Location | Certifications |
|---|---|---|---|---|
| Amazon Web Services (Amazon Web Services, Inc.) | Primary cloud infrastructure — compute, storage, networking, KMS | All Customer Data at rest and in transit; backups | United States (us-east-2, us-west-2) | SOC 2 Type II · ISO 27001 · ISO 27017 · ISO 27018 · FedRAMP High |
| Vercel (Vercel Inc.) | Web frontend and edge runtime hosting | Authentication cookies; cached non-personal page fragments | United States (iad1, sfo1) | SOC 2 Type II · ISO 27001 · HIPAA |
| Neon (Neon Inc.) | Managed PostgreSQL for application data | All Customer Data records | United States (AWS us-east-2) | SOC 2 Type II · ISO 27001 · HIPAA |
| Upstash (Upstash Inc.) | Managed Redis for caching and rate limiting | Session identifiers; rate-limit counters | United States (AWS us-east-1) | SOC 2 Type II |
| Cloudflare (Cloudflare, Inc.) | DNS, WAF, DDoS protection, edge image optimization | IP addresses; HTTP request metadata | Global edge; no persistent Customer Data storage | SOC 2 Type II · ISO 27001 · ISO 27018 · FedRAMP Moderate |
Section 03 Product-service subprocessors
Specific in-product features depend on these.
| Subprocessor | Purpose | Data processed | Location | Certifications |
|---|---|---|---|---|
| Clerk (Clerk Inc.) | Identity, SAML/OIDC SSO, SCIM provisioning | Authorized User authentication identifiers and session data | United States (AWS us-east-2) | SOC 2 Type II · HIPAA · GDPR |
| Stripe (Stripe, Inc. / Stripe Payments Europe Ltd.) | Subscription billing and payment processing | Billing contact data; payment instrument tokens (no full card data on Habeo systems) | United States and (for EU customers) Ireland | PCI DSS Level 1 · SOC 2 Type II · ISO 27001 |
| Resend (Resend Inc.) | Transactional email delivery (account, security, notifications) | Recipient email; message content | United States (AWS us-east-1) | SOC 2 Type II |
| Anthropic (Anthropic, PBC) | LLM inference for the in-product Habeo Copilot assistant | Prompts derived from the requesting user's tenant only; zero-retention enterprise tier | United States | SOC 2 Type II · ISO 27001 · ISO 42001 · HIPAA |
Section 04 Operations & observability subprocessors
These help us run the platform but never store Customer Data records.
| Subprocessor | Purpose | Data processed | Location | Certifications |
|---|---|---|---|---|
| PostHog (PostHog, Inc.) | First-party product analytics | Authenticated user identifier; feature usage events; IP truncated to /24 | United States (self-hosted in Habeo AWS account) | SOC 2 Type II (PostHog Cloud); Habeo self-hosts the EU OSS build |
| Sentry (Functional Software, Inc. dba Sentry) | Application error and performance monitoring | Stack traces; HTTP request metadata; scrubbed user identifiers | United States | SOC 2 Type II · ISO 27001 · HIPAA |
| Datadog (Datadog, Inc.) | Infrastructure monitoring and log aggregation | Service logs; metadata; scrubbed PII | United States (us5.datadoghq.com) | SOC 2 Type II · ISO 27001 · HIPAA · FedRAMP Moderate |
| Linear (Linear Orbit, Inc.) | Internal issue tracking — for support escalations referencing Customer | Customer name; redacted ticket content; no Customer Data records | United States | SOC 2 Type II · ISO 27001 |
| Slack (Slack Technologies, LLC) | Customer-facing shared Slack Connect channels (opt-in) | Messages and files Customer chooses to share in the channel | United States | SOC 2 Type II · ISO 27001 · ISO 27017/18 · FedRAMP Moderate |
Section 05 Notification policy
Habeo notifies customers of changes to this list in two ways:
- Email. Every customer’s designated security contact receives an email at least 30 days before a new subprocessor begins processing personal data, or before an existing subprocessor is replaced.
- RSS feed. A machine-readable feed is available at https://usehabeo.com/subprocessors/feed.xml for procurement teams that automate vendor monitoring.
Customers may object to a new subprocessor on reasonable data-protection grounds within 15 days of notice in accordance with our Data Processing Addendum.
Section 06 Subprocessor due diligence
Before onboarding any subprocessor, Habeo:
- completes a HECVAT-aligned security questionnaire and reviews the vendor’s SOC 2 or ISO 27001 report;
- signs a data-processing agreement that imposes obligations no less protective than those in our customer DPA;
- incorporates the EU SCCs or UK IDTA where the vendor processes personal data outside the EEA / UK;
- verifies that the vendor’s data-residency and certification posture matches what we publish on this page.
Each subprocessor is re-assessed at least annually, and any material change (region change, certification lapse, ownership change) triggers an out-of-cycle review.
Section 07 Previously used subprocessors
We list removals here for the trailing 24 months so that customers have visibility into the historical data path.
| Subprocessor | Replaced by | Effective | Reason |
|---|---|---|---|
| Mixpanel | PostHog (self-hosted) | 2025-09-15 | First-party analytics; remove third-party processor |
| SendGrid | Resend | 2025-06-01 | Improved deliverability; better data-residency commitments |
Section 08 Questions about a subprocessor
For data-protection questions about a specific subprocessor, email privacy@usehabeo.com. For security-posture questions, our security team responds at security@usehabeo.com. We can share each subprocessor’s SOC 2 or ISO 27001 report under NDA on request.
Questions about this policy?
For legal questions write to legal@usehabeo.com. Privacy requests, data-subject access, and FERPA-related inquiries go to privacy@usehabeo.com and are routed to our Data Protection Officer.