Skip to content
subprocessors · procurement-ready

Subprocessors.

Public list of vendors Sumeru Systems engages to deliver the Service. Each is bound by a data processing agreement that meets our security + privacy requirements. We're responsible for each vendor's compliance with our DPA.

Last updated · 2026-05-11 · Total · 11 vendors
Vendor Category Purpose Region
Cloudflare Infrastructure CDN, edge runtime, Worker for lead-capture form, DNS USA · EU edge
AWS Infrastructure Primary application hosting, Postgres, BullMQ queues USA · EU multi-region
Google Cloud Platform Infrastructure Overflow + redundancy, BigQuery export targets USA · EU multi-region
Stripe Billing Payment processing for subscription billing USA
Resend Email Transactional email (account, billing, security) USA
Anthropic AI inference AI Copilot · Claude API · per-shop opt-in USA
OpenAI AI inference AI Copilot · GPT-4 / 4o-mini · per-shop opt-in USA
DataForSEO Data vendor Backlink + SERP intelligence · Competitor Engine only USA
Plausible Analytics Analytics Cookie-less aggregate site analytics for sumeru.systems EU (Germany)
Sentry Observability Error tracking · redacted before persistence USA
Cloudflare R2 Storage Backup snapshots · encrypted at rest USA · EU

Notification of changes

We will notify customers of changes to this list at least 30 days before a new subprocessor begins processing Personal Data. Customers may object on reasonable data-protection grounds within 15 days; the parties will work in good faith to find a solution, and if none is found, the customer may terminate the affected Services with a pro-rata refund. Full notification terms are in our Data Processing Agreement.

Subscribe to changes

To receive subprocessor change notifications, email privacy@sumeru.systems with the subject line "Subprocessor list — subscribe." We add you to the notification list within 2 business days.

Why we use each vendor

Every subprocessor we engage is selected because the alternative is to build the capability ourselves, at significant cost and operational risk. We do not engage vendors casually. Each must:

  • Sign a DPA meeting GDPR Article 28 requirements
  • Demonstrate appropriate technical and organisational measures (typically SOC 2 Type II, ISO 27001, or equivalent)
  • Provide a clear data-residency commitment
  • Pass internal security review by Sumeru's engineering team

Per-shop opt-in

Some subprocessors (Anthropic, OpenAI) are per-shop opt-in only — they receive Customer Data only if the customer has explicitly enabled the AI Copilot for their shop. Default state for new shops is opt-out.

Questions

For DPA counter-signature, vendor risk assessments, or specific subprocessor questions: email privacy@sumeru.systems or legal@sumeru.systems.