A "subprocessor" is a third-party vendor that processes personal information on Goodspeed's behalf to operate the Service. Goodspeed remains accountable for its subprocessors and contractually requires each one to maintain appropriate security and confidentiality.
This list is part of and incorporated into our Privacy Policy and is provided for transparency and to support GDPR Article 28 obligations.
Current Subprocessors
| Subprocessor | Purpose | Data Categories | Region | Transfer Mechanism |
|---|---|---|---|---|
| Stripe, Inc. | Payment processing, billing, subscription management, dispute handling | Billing details, last-four card digits, transaction history, customer ID | United States | SCCs + UK Addendum; SOC 1 & 2, PCI-DSS Level 1 |
| Supabase, Inc. | Database, authentication, file storage, real-time sync | Account info, app content, audit logs, files | United States (AWS us-east-1) | SCCs; SOC 2 Type II |
| Vercel, Inc. | Application hosting and edge network for goodspeed.app, admin.goodspeed.app, and user app subdomains | Web traffic logs, deployment metadata | Global (Vercel Edge Network) | SCCs; SOC 2 Type II |
| Cloudflare, Inc. (Workers + R2) | Object storage for uploaded files and generated assets; CDN for some routes | File contents, file metadata, IP-level traffic logs | Global (R2 stored in primary region with replication) | SCCs; SOC 2 Type II |
| Anthropic, PBC | Large-language-model inference (Claude family) for app generation, analysis, and agent flows | Prompts, prompt context, response outputs | United States | SCCs; commercial terms prohibit training on customer data |
| OpenAI, OPCO LLC | Large-language-model inference (GPT family) for app generation and analysis | Prompts, prompt context, response outputs | United States | SCCs; API terms prohibit training on customer data by default |
| Voyage AI, Inc. | Embedding generation for retrieval, clustering, and semantic search | Text inputs to be embedded | United States | SCCs; commercial terms prohibit training on customer data |
| Resend, Inc. | Transactional and marketing email delivery | Recipient email addresses, email content, delivery telemetry | United States and EU regions | SCCs; SOC 2 Type II |
| PostHog, Inc. | Product analytics (page views, feature usage, funnel analysis) | Pseudonymized usage events, IP-derived geo, session identifiers | United States (PostHog Cloud US) | SCCs; SOC 2 Type II |
| GitHub, Inc. (Microsoft Corporation) | Source-code hosting and issue tracking for generated application code that customers elect to export to GitHub; OAuth identity provider for sign-in | GitHub username, OAuth tokens, repository contents (only when customer initiates) | United States | SCCs; Microsoft EU Data Boundary commitments |
| Apple, Inc. | App-store distribution of mobile applications you build using the Service (only when you elect to distribute) | App binaries, app metadata, your developer account info | Global | Apple Developer Program License Agreement |
| Google LLC | Play-store distribution of mobile applications you build using the Service (only when you elect to distribute) | App binaries, app metadata, your developer account info | Global | Google Play Developer Distribution Agreement |
| Sentry / FunctionalSoftware, Inc. | Application error monitoring | Stack traces, error context, request metadata (PII scrubbed where possible) | United States | SCCs; SOC 2 Type II |
Notes
- "Region" indicates where the subprocessor primarily processes data; many subprocessors use globally-distributed infrastructure for redundancy and edge delivery.
- "Transfer Mechanism" describes how each subprocessor lawfully receives personal information from the EU/UK to the US or other regions. Standard Contractual Clauses (SCCs) are the European Commission's approved set of contractual safeguards.
- Apple and Google are listed because if you elect to publish a Goodspeed-built application to their stores, distribution flows through them and they receive the relevant data. They are not subprocessors for the operation of Goodspeed itself.
- We do not currently use third-party advertising networks, behavioral-advertising platforms, or data brokers.
Changes to This List
We will update this page when we add, remove, or replace a subprocessor that processes personal information. For material changes, we will notify active customers at least 30 days before the change takes effect, where reasonably practicable. If you object to a new subprocessor, your remedy is to stop using the Service before the change takes effect; we will not be able to continue the Service for you without the subprocessor.
For Customer Content (your prompts, your generated application code, your uploaded files), we do not switch subprocessors mid-contract without notice. For ancillary processors (e.g., a swap from one error-monitoring vendor to another that affects only diagnostic telemetry), we may make changes without individual notice, but the list above will be kept current.
Enterprise Customers and DPAs
Enterprise customers requiring a Data Processing Agreement (DPA) under GDPR Article 28 or under state privacy laws should contact legal@goodspeed.app. We will provide our standard DPA on request and review reasonable redlines.
Questions
Questions about our subprocessors or our diligence on them: privacy@goodspeed.app