GrantLock uses a small set of third-party service providers (subprocessors) to operate the website and the Cloud product. Each entry below names the provider, what we use them for, where the data sits, and a link to their data-processing addendum.
Customers under a Data Processing Addendum (see /dpa) are notified of new subprocessors before they begin processing customer data, and may object on reasonable grounds.
| Provider | Purpose | Region | DPA | Effective |
|---|---|---|---|---|
| Cloudflare, Inc. | Workers compute, DNS, WAF, KV (rate-limit state), R2 (release artifacts), and Turnstile (anti-abuse on public forms). | Global edge (data plane); United States (account record) | Link | 2026-04-30 |
| Neon, Inc. (a Databricks company) | Managed Postgres database — account, organization, membership, audit, signup, contact, waitlist, and download records.Neon was acquired by Databricks; Neon's DPA is now served by Databricks' legal hub. | AWS us-east-2 | Link | 2026-04-30 |
| Clerk, Inc. | User authentication, organization management, and session issuance for the Cloud product (app.grantlock.ai).Clerk's own subprocessors include AWS (us-east-1) and Cloudflare; their list is published at https://clerk.com/legal/subprocessors. | United States | Link | 2026-05-07 |
| Resend, Inc. | Transactional email delivery — download links, contact-form acknowledgements, security advisories, and sign-in messages. | United States | Link | 2026-04-30 |
| Axiom (Vercel Labs Inc.) | Application logging and observability — request logs, error reports, and deploy health metrics. Logs are scrubbed of customer configuration content and PII before send.Axiom does not publish a standalone DPA URL; their data-protection terms are included in the Axiom MSA on request via support@axiom.co. | United States | Link | 2026-04-30 |
For a full list of Clerk's own subprocessors (which support our authentication path), see clerk.com/legal/subprocessors. For Cloudflare's, see the Cloudflare customer DPA.