Subprocessors
Effective: 10 May 2026 · Last updated: 10 May 2026
These third-party services process Proparion customer data on our behalf. Each is governed by a Data Processing Agreement and processes only the data needed for its specific purpose.
We give 30 days written notice via email + this page before adding any new subprocessor that processes customer content. To be notified, email hello@proparion.com with subject "Subprocessor notifications".
| Subprocessor | Purpose | Data accessed | Region | Certifications |
|---|---|---|---|---|
| Supabase | Postgres database, authentication, file storage | All customer content (proposals, RFPs, drafts, embeddings), account metadata, files, audit logs | AP-South-1 (Mumbai, India) | SOC 2 Type II, HIPAA-eligible, ISO 27001 |
| Vercel | Web hosting, edge functions, CDN | Request metadata (IP, headers, paths), no persistent customer content | Global edge; primary BOM1 (Mumbai) for Indian users | SOC 2 Type II, ISO 27001 |
| OpenAI | LLM drafting, embeddings, extraction | RFP question text + retrieved past-proposal chunks at draft time | United States (data may transit globally) | SOC 2 Type II, CCPA/GDPR aligned. Enterprise zero-retention terms — we do not allow training on customer content. |
| Inngest | Background job orchestration (deadline reminders, ingestion) | Job metadata only — no document contents | United States | SOC 2 Type II |
| Dodo Payments | Payments (Merchant of Record for India + global) | Customer billing email, name, billing address, payment instrument metadata. Card numbers held by Dodo only — never reach Proparion. | India + global | PCI-DSS Level 1, ISO 27001 |
| Google Workspace (Gmail SMTP) | Transactional email delivery (welcome, drafts-ready, alerts) | Recipient email + email body | Global | ISO 27001, SOC 2/3, FedRAMP |
| Google Analytics 4 | Anonymised website usage analytics | IP-anonymised pageviews, screen size, browser, country, referrer. No proposal/RFP content. We honour Do-Not-Track signals. | Global | ISO 27001 |
| Sentry | Application error tracking and performance monitoring | Server + browser error stacks, request URL, user-agent, internal user/org ID hashes. We scrub raw request bodies; no proposal/RFP content is sent to Sentry. | United States / European Union | SOC 2 Type II, ISO 27001 |
| LlamaCloud | PDF parsing for uploaded proposals (when enabled) | Uploaded PDF/DOCX during parsing only. Documents deleted within 24 hours of parsing per LlamaCloud policy. | United States | SOC 2 Type II |
Related policies
- Privacy Policy — what we collect, how we use it, your rights
- Data Processing Addendum — B2B contractual terms
- Security & Trust Center — encryption, isolation, audit, incident response
- Terms of Service