Subprocessors
Last updated: 2026-04-24
A subprocessor is a third party that Unshift LLC ("Unshift") engages to process personal data on behalf of our customers in the course of delivering the Services (the Unshift Studio and hosted websites). This page lists our current subprocessors and is incorporated by reference into our Privacy Policy and our Data Processing Addendum.
If you are a customer who requires advance notice of new subprocessors, subscribe to this page's changes at subprocessors@unshift.ai and we will email you at least 30 days before adding or replacing a subprocessor that processes Customer Personal Data.
Current subprocessors
| Vendor | Service used | Category | Customer personal data processed | Location of processing | Transfer mechanism |
|---|---|---|---|---|---|
| Supabase Inc. | Managed PostgreSQL, Auth, Storage, Realtime | Infrastructure / database | Account identifiers, project metadata, user-submitted content, session tokens | United States (AWS us-east-1) | EU SCCs + UK IDTA |
| Cloudflare, Inc. | CDN, Workers for Platforms, R2 object storage, DNS | Infrastructure / hosting | All data served to and from published sites; request logs (IP, user agent, URL) | Global edge; metadata in US | EU SCCs + UK IDTA |
| Stripe, Inc. | Payment processing, billing, tax, Customer Portal | Payments | Name, email, billing address, tax ID, card details (Stripe is PCI-DSS Level 1) | United States (global edge) | EU SCCs + UK IDTA |
| Amazon Web Services | SES (transactional email), S3 (legacy file storage) | Infrastructure / email | Recipient email addresses, email content, file contents | United States (us-east-1) | EU SCCs + UK IDTA |
| Functional Software, Inc. (Sentry) | Error and performance monitoring | Observability | Stack traces, user ID, IP address (scrubbed after collection), browser metadata | United States | EU SCCs + UK IDTA |
| Google LLC | Google Analytics 4 (GA4) on marketing site only | Analytics | IP address (anonymized), device identifiers, page views; loaded only after cookie consent | United States | EU SCCs + UK IDTA |
| PostHog, Inc. | Product analytics and session replay in the Studio (optional, separate opt-ins) | Analytics | Pseudonymous user ID, page views, interaction events, masked session replay (if separately opted in); loaded only after cookie consent | Germany (EU Cloud, Frankfurt) | EU SCCs + UK IDTA |
| OpenAI, L.L.C. | GPT-class models via OpenAI API | AI inference | Prompt content (including any personal data the customer inputs), generated output | United States | EU SCCs (OpenAI DPA) |
| Anthropic PBC | Claude models via Anthropic API | AI inference | Prompt content (including any personal data the customer inputs), generated output | United States | EU SCCs (Anthropic DPA) |
| GitHub, Inc. | Source-control integration for exported projects (when customer chooses to connect) | Developer tooling | Repository content created by the customer, GitHub username, access token | United States | EU SCCs + UK IDTA |
| Netlify, Inc. | Optional production hosting for exported projects (when customer chooses to connect) | Deployment | Site content, environment variables, deployment logs | United States | EU SCCs + UK IDTA |
Customer-initiated integrations (for example, connecting a customer's own GitHub or Netlify account, or configuring a custom analytics provider in their site) add additional data flows that are outside the scope of Unshift's subprocessor obligations because the customer is controlling them directly.
How we select subprocessors
We require every subprocessor to:
- Execute a Data Processing Agreement (DPA) that includes the EU Standard Contractual Clauses (Module Three or Module Four as applicable) and the UK International Data Transfer Addendum where relevant.
- Maintain security certifications appropriate to the data they handle (SOC 2 Type II, ISO 27001, or equivalent).
- Notify us of security incidents affecting our tenant within a defined timeframe (24 to 72 hours depending on the vendor).
- Be contractually prohibited from using Customer Personal Data to train their own models, except as strictly necessary to provide the service we purchased.
Our AI providers (OpenAI and Anthropic) have published commitments that API customer data is not used to train their foundation models. See their enterprise API terms:
- OpenAI API data usage policies: https://openai.com/policies/api-data-usage-policies
- Anthropic Commercial Terms of Service: https://www.anthropic.com/legal/commercial-terms
How we notify you of changes
We maintain this page as the single source of truth. When we add, remove, or replace a subprocessor that processes Customer Personal Data, we:
- Update this page.
- Email customers on the notification list (subscribe at subprocessors@unshift.ai) at least 30 days in advance.
- If a customer objects to a new subprocessor on reasonable grounds related to data protection, we work with the customer to find an alternative. If no alternative is possible, the customer may terminate the affected part of the Services with a pro-rata refund.
In emergency cases (for example, a subprocessor suffers a material breach and we must replace them faster than 30 days allows), we notify as far in advance as practical and document the reason.
Historical changes
| Date | Change | Reason |
|---|---|---|
| 2026-04-20 | Initial publication of subprocessor list | Launch of Unshift Studio |
Future additions, removals, and replacements will be appended here.
Contact
- Subprocessor questions or objections: privacy@unshift.ai
- Subscribe to subprocessor change notifications: subprocessors@unshift.ai
- Postal address: Unshift LLC, 1309 Coffeen Avenue STE 1200, Sheridan, Wyoming 82801, United States