The third parties we route data through.

This Sub-Processor List supplements the Data Processing Agreement and the Privacy Policy. It identifies the Sub-processors we engage in the provision of the VeryQuery service.

Each entry states:

• The Sub-processor's legal name and the service we use.
• The categories of data the Sub-processor receives or processes.
• The jurisdiction in which the Sub-processor processes the data.

A Sub-processor under Article 28 GDPR is a third party we engage to process Personal Data on a customer's behalf. Software we run on our own infrastructure, including the operating system, the database engine, the vector index, and the application framework, is not a Sub-processor; the software vendor has no access to and no operational role with respect to the data. This list covers only entities with actual data access in the course of providing the service.

Customers who have entered into the DPA are notified by email at least thirty (30) days before a new Sub-processor takes effect. The list is the source of truth; the notification email points here.

Vendor

OVHcloud US, LLC.

Service

Virtual machines, networking, attached block storage. Hosts our application, primary database, and vector index.

Data received

All Personal Data we process on a customer's behalf resides on hosted volumes managed by this vendor. Operational logs and metrics emitted by our application.

Jurisdiction

United States.

Vendor

Google LLC, via the Google Cloud Vertex AI service.

Service

Text and image embedding generation; LLM-assisted normalization and enrichment of catalog text.

Data received

Catalog text and image inputs we submit for embedding or enrichment. Shopper query text we submit for query embedding and intent classification.

Jurisdiction

United States and other Google Cloud regions as routed by the Vertex AI API. We do not pin processing to a specific region today.

Data-handling

Per Google's enterprise terms for Vertex AI, inputs are not used to train Google's foundation models.

Vendor

Stripe, Inc.

Service

Subscription billing, payment-method storage, invoice generation, payout to partners via Stripe Connect.

Data received

Billing contact information you provide for your VeryQuery subscription (name, email, billing address). Payment-card or bank-account details you enter during checkout (held by Stripe, not by us). For partners, identity-verification information you submit during Stripe Connect Express onboarding (held by Stripe, not by us).

Jurisdiction

United States, with cross-border transfers as part of Stripe's normal operations and consistent with Stripe's published data-processing documentation.

Vendor

Shopify Inc., where billing is via the Shopify App Store.

Service

Subscription billing for merchants who pay for the VeryQuery Shopify app through their Shopify account.

Data received

The merchant's Shopify shop domain and the subscription state for the VeryQuery app. We do not receive payment-card data through this path; Shopify holds it.

Jurisdiction

Canada and the United States.

Vendor

Cloudflare, Inc.

Services

Three related services from the same vendor, treated as one relationship:

• Edge and CDN. Content delivery, DDoS mitigation, bot detection, TLS termination for the marketing site, dashboard, and legal-document domain.
• Object storage ("R2"). Storage for legal-document source and rendered HTML served from legal.veryquery.com.
• Email delivery. Transactional email (sign-up verification, password reset, billing notifications, partner-program notifications, breach notifications).

Data received

HTTP request metadata (IP address, User-Agent, requested URL) at the edge, transiently for security and routing. Static assets and rendered legal-document HTML. Recipient email addresses and the rendered body of each transactional email we send.

Jurisdiction

Cloudflare's global edge network. R2 buckets are pinned to a hint region; we specify North America for the legal-document bucket.

Vendor

Google LLC, via Google Analytics 4.

Service

Aggregated visitor and usage analytics on the VeryQuery marketing site, dashboard, and admin console.

Data received

Pseudonymous identifiers associated with each visit, page paths, timing, referrer, browser User-Agent. We do not pass named-user identifiers to Analytics, do not enable advertising features, and do not enable Google Signals.

Jurisdiction

United States and Google's global Analytics processing infrastructure.

As of the effective date we do not use a dedicated third-party helpdesk system. Support is handled by direct email to addresses on the support page; the inbound mail flows through Cloudflare Email (see §05). If we adopt a helpdesk vendor we will update this list on the timeline stated in §08 before any data is routed to it.

We update this list when we add or remove a Sub-processor. The DPA-governed notification rules are:

• Customers who have entered into the DPA are notified by email at least thirty (30) days before a new Sub-processor takes effect.
• Customers who have not entered into the DPA may rely on the list and on the Privacy Policy without separate notification.
• Removals (we stop using a Sub-processor) are not notified; we update the list at the time of removal.
• A change in a Sub-processor's corporate name, ownership, or address (without a change in the underlying service or processing) is a list update, not a new Sub-processor.

You may object to a new Sub-processor under §07 of the DPA. The objection mechanism is described there.

For Sub-processor questions, including requests for further information about a specific vendor, the data they receive, or the regional configuration of our deployment:

Email

[email protected]

Subject line

"Sub-processor inquiry: <your Org name>"

We aim to respond within ten (10) business days.