Sub-processors

Last updated: 2026-04-11 • ← Privacy

A sub-processor is a third party engaged by Backbuild to process customer personal data on Backbuild's behalf. Sub-processors are subject to a due diligence review before engagement and to contracts that impose substantially the same data protection obligations as those in Backbuild's Data Processing Agreement with its customers.

Current sub-processors

Sub-processor	Purpose	Data categories	Location	Certifications
Cloudflare, Inc.	CDN, edge compute (Workers), Hyperdrive, Pages, DNS	All customer data in transit; session state; static assets	Global edge network	SOC 2 Type II, ISO 27001
Cloudflare Hyperdrive (managed PostgreSQL / Citus)	Primary data store	All customer data at rest	Primary region plus replicas	Inherited from Cloudflare
Stripe, Inc.	Payment processing	Billing contact; tokenized payment methods	US primary; EU for EU customers	PCI DSS Level 1 Service Provider, SOC 1, SOC 2
Anthropic PBC	Claude model inference (optional AI features)	Content that customers send to AI features	United States	SOC 2 Type II
OpenAI LLC	GPT model inference (optional AI features)	Content that customers send to AI features	United States	SOC 2 Type II
Google LLC (Gemini API)	Gemini model inference (optional AI features)	Content that customers send to AI features	United States	SOC 2, ISO 27001
Deepgram, Inc.	Speech-to-text (optional transcription features)	Audio content submitted for transcription	United States	SOC 2
Resend	Transactional email delivery	Recipient email addresses and message content	United States	SOC 2

Certifications listed are as published by the sub-processor on their own trust centers as of the Last updated date shown above. Backbuild does not independently verify sub-processor certifications — customers requiring independent verification should contact the sub-processor directly for their current attestations. We review sub-processors annually and update this list promptly upon material changes.

Optional AI sub-processors

Anthropic, OpenAI, Google (Gemini API), and Deepgram are engaged only when customers enable the corresponding optional AI features. Customers that do not enable these features do not have their data processed by these providers. AI features can be disabled at the organization level, which prevents data from being sent to any of these pipelines.

Change notifications

Backbuild maintains a mailing list for sub-processor change notifications. Customers who subscribe receive at least 30 days' advance notice of any new sub-processor, along with the details needed to assess the change. Customers who object to a new sub-processor within the notice window can exercise the termination right documented in the Data Processing Agreement. To subscribe, email privacy@backbuild.ai.

Due diligence

Before engagement, each sub-processor is reviewed against criteria including security posture, privacy program maturity, third-party certifications, geographic footprint, and the categories of data it will access. Contracts with sub-processors include data protection addenda that pass through the obligations Backbuild owes to its customers. Sub-processors are reviewed on a recurring schedule.

Contact

Sub-processor questions or to subscribe to change notifications: privacy@backbuild.ai