Skip to content
Legal

Subprocessor List

The vendors we use to deliver the Service, and the data each one receives.

Effective May 19, 2026 · Last updated May 19, 2026

About this list

A “subprocessor” is a third party we engage to process Customer Data on our behalf to provide the Service. We engage each subprocessor under a written contract requiring at least the data protection commitments we owe you under our Privacy Policy and Data Processing Addendum.

We notify subscribers by email or in-app notice at least 30 days before adding a new subprocessor that processes personal data. If you have an active DPA with us and object to the addition, you may terminate the affected portion of the Service for a pro-rated refund.

To receive subprocessor change notices, ensure your account email is current, or email legal@chartofaccounts.ai to be added to the notification list.

Active subprocessors

SubprocessorPurposeDataLocation
Stripe, Inc.
Stripe SCCs / DPA
Payment processing, billing, customer portal
  • Billing contact
  • Payment card token
  • Transaction history
United States
Supabase, Inc.
Supabase DPA / SCCs
Authentication and application database (PostgreSQL) hosting
  • Account credentials
  • Application data
  • Customer Data
United States (AWS us-east-1)
Vercel Inc.
Vercel DPA / SCCs
Application hosting, edge delivery, server logs
  • Request metadata
  • IP address
  • User-Agent
  • Server logs
United States
Anthropic, PBC
Anthropic Commercial Terms / Zero-Retention API
AI inference for chart-of-accounts analysis and optimization
  • Customer Data submitted to the AI workflow (chart of accounts names, types, balances)
Anthropic does not retain or train on data submitted via the commercial API.
United States
Intuit Inc. (QuickBooks Online)
Intuit Developer Terms
Source data integration via QuickBooks Online OAuth 2.0
  • Chart of Accounts (read-only)
  • OAuth refresh token
Read-only scope. We never write back to your QuickBooks Online company file.
United States
Resend, Inc.
Resend DPA / SCCs
Transactional email delivery (receipts, password resets, alerts)
  • Email address
  • Email content
  • Delivery metadata
Active when RESEND_API_KEY is configured; otherwise email delivery is disabled and no data is sent.
United States
Functional Software, Inc. (Sentry)
Sentry DPA / SCCs
Error monitoring, exception tracking, and performance telemetry for the Service
  • IP address
  • User-Agent
  • Stack traces
  • Account identifier (when available)
  • Request URL and timing
PII scrubbing is enabled. We do not intentionally send Customer Data; if it appears in an exception payload it is treated as transient diagnostic data.
United States
OpenAI, L.L.C.
OpenAI Business Terms / DPA
Secondary AI inference provider used as a fallback or for experimental Labs features
  • Prompts and minimum chart-of-accounts fields submitted to the workflow
Active only when OPENAI_API_KEY is configured. Used under OpenAI API Business Terms, which prohibit training on API inputs by default.
United States

Affiliates

We may also engage our own affiliates and personnel to process Customer Data, subject to confidentiality obligations no less protective than this list and our DPA.

Questions

Subprocessor questions or DPA execution requests: legal@chartofaccounts.ai.

TermsPrivacyRefundsSubprocessorsCookiesDPAAcceptable Use