Current sub-processors
Raksa.one Limited engages the sub-processors below to deliver the platform. Optional integrations only process data for organisations that enable them. Where a contractual or regional detail has not yet been independently confirmed, we mark it “under review” rather than assert it.
| Sub-processor | Purpose | Data categories | Region | Transfer mechanism (UK → third country) |
|---|---|---|---|---|
| Supabase | Primary datastore — database, authentication, and file storage | All platform data, including customer compliance records, account data, and data subject request submissions | EU — Frankfurt (eu-central-1) | UK → EU: UK adequacy regulations |
| Vercel | Application hosting and serverless compute | All request data in transit and during processing | EU — serverless functions pinned to Frankfurt (fra1) | UK → EU: UK adequacy regulations; DPA under review |
| Anthropic PBC | AI assistance features (drafting, summarisation, chat) | Content submitted to AI features — user prompts and selected platform contentAnthropic may not train models on customer content (Anthropic Commercial Terms of Service, Section B). API inputs and outputs are retained by Anthropic for up to 30 days by default. Organisations using their own Anthropic API key (BYOK) have a direct contractual relationship with Anthropic under the same standard commercial terms. | US (data at rest); inference may run in other regions | EU Standard Contractual Clauses (Modules 2/3) + UK Addendum, incorporated in the Anthropic Data Processing Addendum |
| Resend | Transactional email delivery | Recipient email addresses, subject lines, and message content (including data subject request correspondence) | Under review | Under review |
| Stripe | Payment processing and subscription billing | Billing contact email, organisation name, subscription state | US | Under review |
| SlackOptional — enabled per organisation | ChatOps notifications and the Raksa Slack agent | Compliance notification content and messages addressed to the Raksa bot. Messages addressed to the bot are also processed by Anthropic (above). | US | Under review |
| Upstash | Distributed rate limiting | Short-lived rate-limit keys, which may include user identifiers and client IP addresses | Under review | Under review |
| Browserless.io | Remote browser infrastructure for cookie compliance scans | Scanned website content; website login credentials where a customer configures an authenticated scan | UK and Ireland scans use London / Amsterdam regions; other scans currently run on US infrastructure. Region-pinning hardening is in progress. | Under review |
| VantaOptional — enabled per organisation | Compliance-evidence synchronisation | OAuth credentials; controls, vulnerability, and policy metadata pulled into Raksa | US | Under review |
| DocuSignOptional — enabled per organisationIntegration not yet live | Electronic signature for contracts | Contract documents and signer name / email | US | Listed for transparency — no customer data is currently sent to DocuSign |
Other recipients (no personal data, listed for transparency)
- Vendor logo services (Apistemic Logos, Google favicon service) — Vendor domain names appear in image requests made directly from your browser when vendor logos are displayed. No personal data is sent.
- Customer-configured webhooks and endpoints — Event payloads are delivered to URLs the customer chooses (including the customer's own websites during scans). These recipients are designated by, and act under the instructions of, the customer.
- Public regulatory sources (ICO, EDPB, national authorities, public registries) — Read-only retrieval of public pages for regulatory intelligence and registry lookups. No personal data is sent.
Entries marked “Under review” are being confirmed as part of our ongoing sub-processor due-diligence programme; we list the sub-processor rather than assert an unverified safeguard. Last updated: 11 June 2026. Questions: privacy@raksa.one.
Changes to this list
We update this page before engaging a new sub-processor that will process customer personal data, and we reflect removals and material changes by updating the “Last updated” date above. Customers with notification terms in their agreement will also be notified per that agreement.
Questions about this list or our data protection practices: privacy@raksa.one. See also our Privacy Notice.