Subprocessors
Last updated: 6 June 2026
Smoothly uses the third-party companies listed below (“Subprocessors”) to help deliver our service. Each Subprocessor is contractually bound to data protection obligations consistent with our Data Processing Agreement.
For details about how we secure customer data, see our Security page. This page is the single source of truth for the subprocessor list — our Privacy Policy and DPA reference it directly rather than maintaining a separate copy. The canonical machine-readable URL is https://smoothly.dev/subprocessors.
| Subprocessor | Purpose | Region | Privacy Policy |
|---|---|---|---|
| Vercel | Application hosting and edge network | United States / Global edge | View |
| Supabase | Authentication and PostgreSQL database | EU | View |
| Cloudflare | CDN, DNS, and R2 object storage | Global edge (R2 EU jurisdiction where configured) | View |
| Anthropic | AI code generation (Claude API) | United States | View |
| Google LLC | Gemini AI inference and analytics measurement where enabled | United States / Global | View |
| OpenAI | AI review, fallback inference, and Codex-assisted workflows | United States | View |
| Stripe | Payment processing and subscription billing | EU / Global | View |
| Sentry | Error monitoring and crash reporting | EU | View |
| PostHog | Product analytics and session replay | EU | View |
| RudderStack | Event pipeline and marketing attribution routing | United States | View |
| Modal | Sandboxed code execution containers | United States | View |
| Customer.io | Lifecycle and transactional email | United States | View |
| Resend | Transactional email delivery and customer-authorized email connector | United States (sending region may vary by domain) | View |
| Upstash | Redis cache, rate limiting, and vector recall | EU | View |
| Axiom | Application logging and observability | United States | View |
| Temporal Cloud | Workflow orchestration for sandbox lifecycle | EU (eu-central-1) | View |
International Transfers
Where a Subprocessor is located outside the European Economic Area, transfers are protected by the European Commission's Standard Contractual Clauses and supplementary measures where applicable. Personal data sent to AI providers (Anthropic, Google, OpenAI) is transmitted via API integrations under agreements that prohibit training on customer data.
Updates
We update this list whenever we add or remove a Subprocessor. Customers with an active Data Processing Agreement receive at least 30 days' advance notice of new Subprocessors via email to the technical contact on file. To subscribe to changes, email legal@smoothly.dev.
Questions
For questions about our Subprocessors or data processing arrangements, contact legal@smoothly.dev.