Third-party vendors that process data
As a data processor, ProdForm uses a small set of vendors to deliver the service. This page lists all active subprocessors in accordance with GDPR Art. 28 and the data processing agreement. All vendors have signed data processing agreements with us.
- Primary data in EU
- GDPR Art. 28
- 30-day notice
- No lock-in
Active subprocessors
| Vendor | Purpose | Data location | Data type |
|---|---|---|---|
| Supabase | Database, authentication, file storage | EUStockholm, Sweden | All test and participant data, user accounts, uploaded files |
| Vercel | Hosting and edge network | EUEU region + global edge | HTTP request logs (no persistent personal data), static assets |
| Anthropic (Claude) | AI features — analysis, copilot, generation | USUnited States | Test text sent to the AI (questions, answers). No participant identifiers. Anthropic does not retain prompt data beyond processing (zero-retention). |
| Resend | Transactional email (invitations, notifications) | EUIreland (eu-west-1) | Recipient email addresses and message content |
| Sentry | Error monitoring | EUEU region | Stack traces and context about code errors. PII is redacted automatically before sending (emails, tokens, UUIDs). |
Supabase
EU- Purpose
- Database, authentication, file storage
- Data location
- Stockholm, Sweden
- Data type
- All test and participant data, user accounts, uploaded files
Vercel
EU- Purpose
- Hosting and edge network
- Data location
- EU region + global edge
- Data type
- HTTP request logs (no persistent personal data), static assets
Anthropic (Claude)
US- Purpose
- AI features — analysis, copilot, generation
- Data location
- United States
- Data type
- Test text sent to the AI (questions, answers). No participant identifiers. Anthropic does not retain prompt data beyond processing (zero-retention).
Resend
EU- Purpose
- Transactional email (invitations, notifications)
- Data location
- Ireland (eu-west-1)
- Data type
- Recipient email addresses and message content
Sentry
EU- Purpose
- Error monitoring
- Data location
- EU region
- Data type
- Stack traces and context about code errors. PII is redacted automatically before sending (emails, tokens, UUIDs).
Transfers outside the EEA
Primary data is stored in the EU. Only AI features (Anthropic) involve transfers to the US. Such transfers rely on the EU Commission's Standard Contractual Clauses (SCC) supplemented by technical measures (zero-retention, no participant identifiers in prompts).
Changes and notification
We notify customers by email at least 30 days before adding a new subprocessor that processes personal data. Customers may then raise reasonable objections within that period. To opt out of these notifications, contact kontakt@prodform.no.
Questions
Questions about subprocessors or data flow? Write to kontakt@prodform.no.
kontakt@prodform.no