Legal

Sub-processors

Last updated: April 19, 2026

Calcis uses the third-party vendors below to operate the Service. Each one is bound by a data-processing agreement (DPA) or equivalent contractual safeguards where one is offered by the vendor. This page is the canonical list; if we add, remove, or replace a vendor we will update this page and the Privacy Policy together.

Vercel Inc.

View DPA →

Hosting, edge delivery, static asset serving, and runtime metrics (Vercel Analytics and Speed Insights).

Data categories
  • · Request metadata (IP, user-agent, path)
  • · Application logs
Processing location
United States (global edge network)
Safeguards
  • · Standard Contractual Clauses
  • · EU-US Data Privacy Framework (self-certified)
  • · SOC 2 Type II

Clerk Inc.

View DPA →

Authentication, user profile management, session handling.

Data categories
  • · Email address
  • · Password hash (plaintext never exposed to us)
  • · OAuth profile identifiers when used
  • · Session cookies
  • · Account metadata (tier, consent record)
Processing location
United States
Safeguards
  • · Standard Contractual Clauses
  • · SOC 2 Type II

Stripe, Inc.

View DPA →

Payment processing and subscription billing.

Data categories
  • · Email address at checkout
  • · Billing country and postcode
  • · Payment method tokens (we never see card numbers)
  • · Subscription lifecycle events
Processing location
United States (global payment network)
Safeguards
  • · Standard Contractual Clauses
  • · PCI DSS Level 1 service provider
  • · SOC 1 Type II and SOC 2 Type II

Upstash Inc.

View DPA →

Redis storage for rate limits, weekly quota counters, prompt-hash analytics log, and prediction feedback.

Data categories
  • · Rate-limit buckets keyed by user or API key
  • · Weekly request counts
  • · SHA-512 hash of submitted prompts (non-reversible)
  • · Thumbs-up/down feedback paired with the prompt hash
  • · Truncated SHA-512 hash of the client IP for feedback dedup
Processing location
United States (AWS us-east-1)
Safeguards
  • · Standard Contractual Clauses
  • · SOC 2 Type II

Neon Inc.

View DPA →

Managed Postgres for API key hashes and audit tables.

Data categories
  • · Salted hash of Calcis API keys
  • · API key labels and creation/last-used timestamps
  • · Account identifiers
Processing location
United States (AWS)
Safeguards
  • · Standard Contractual Clauses
  • · SOC 2 Type II

Resend, Inc.

View DPA →

Transactional email: receipts, password-reset links, security notices, service announcements.

Data categories
  • · Recipient email address
  • · Email subject and body
  • · Send status and bounce events
Processing location
United States
Safeguards
  • · Standard Contractual Clauses
  • · SOC 2 Type II

Anthropic, PBC

View DPA →

On paid tiers, refined output-length prediction via a short call to the Claude Haiku API.

Data categories
  • · A structural fingerprint of the prompt (length and feature signals)
  • · Not the prompt text itself
Processing location
United States
Safeguards
  • · Standard Contractual Clauses
  • · Anthropic commercial terms (no training on API data by default)

Google LLC (Google Workspace)

View DPA →

Hosting of the calcis.dev@gmail.com support mailbox.

Data categories
  • · Anything users choose to include in a support email
Processing location
United States (and Google global regions)
Safeguards
  • · Standard Contractual Clauses
  • · EU-US Data Privacy Framework
  • · ISO 27001 / 27017 / 27018

For the full privacy story, see the Privacy Policy. To exercise rights about your data handled by any sub-processor, contact Calcis at calcis.dev@gmail.com first; we will coordinate with the vendor as needed.