Third-Party Services & Subprocessors
This document lists all active third-party services and subprocessors used by Startuped.AI that process customer data. This disclosure is provided for transparency and SOC2 Type 1 compliance purposes.
Last Updated: January 2025
Data Processing Summary
We process the following categories of data through our third-party service providers:
- Personally Identifiable Information (PII): Names, emails, phone numbers, addresses
- Authentication Data: OAuth tokens, session tokens, API keys (encrypted)
- Business Data: Company information, leads, campaigns, marketing data
- Content Data: User-generated content, AI-generated content, files, media
- Usage Data: Analytics events, error logs, performance metrics
- Payment Data: Tokenized payment information (via Stripe)
- Communication Data: Email content, SMS content, message data
Data Storage Locations: Primary database (MongoDB), File storage (Google Cloud Storage), Vector database (Weaviate), Application hosting (Vercel global edge network)
Data Transmission: All integrations use encrypted connections (HTTPS/TLS). API keys are stored encrypted in the database. OAuth tokens are securely managed through integration platforms.
Authentication & User Management
Clerk
Purpose: Primary authentication and user management service
Data Processed: User authentication, user profiles, organization management, session management
Integration Type: OAuth, Webhooks (via Svix)
NextAuth.js
Purpose: Alternative authentication provider (used for Oflo tenant)
Data Processed: User sessions, OAuth tokens
Integration Type: OAuth
Google OAuth
Purpose: OAuth authentication for Oflo tenant
Data Processed: User authentication, profile information
Integration Type: OAuth 2.0
Database & Data Storage
MongoDB
Purpose: Primary database for application data
Data Processed: User data, organizations, leads, campaigns, integrations, files metadata
Integration Type: Database service (multi-tenant with separate databases per tenant)
Supabase
Purpose: Additional database/storage service
Data Processed: Application data (specific use cases)
Integration Type: Database API
Weaviate
Purpose: Vector database for AI/ML operations
Data Processed: Vector embeddings, search data
Integration Type: Vector database API
Cloud Storage & File Management
Google Cloud Storage (GCS)
Purpose: File storage for user uploads, images, videos, documents
Data Processed: User-uploaded files, generated content, media assets
Integration Type: Cloud storage API
Google Cloud Tasks
Purpose: Background task queue management
Data Processed: Task metadata, job scheduling
Integration Type: Cloud service API
Payment Processing
Stripe
Purpose: Payment processing, subscription management, billing
Data Processed: Payment card information (tokenized), billing information, subscription data, webhook events
Integration Type: Payment API, Webhooks
Note: PCI DSS compliant service
Communication Services
SendGrid
Purpose: Email delivery service
Data Processed: Email content, recipient addresses, delivery status
Integration Type: Email API (configurable via API keys)
Resend
Purpose: Modern email API service
Data Processed: Email content, recipient addresses
Integration Type: Email API (configurable via API keys)
Twilio
Purpose: SMS, RCS messaging, and voice communication
Data Processed: Phone numbers, message content, call recordings
Integration Type: Communication API (configurable via API keys)
Nodemailer
Purpose: SMTP email sending (for custom SMTP configurations)
Data Processed: Email content, SMTP credentials (encrypted)
Integration Type: SMTP client
AI & Machine Learning Services
OpenAI
Purpose: AI language models (GPT), text generation, embeddings
Data Processed: User prompts, generated content, conversation data
Integration Type: AI API (configurable via API keys)
Anthropic (Claude)
Purpose: AI language models, text generation
Data Processed: User prompts, generated content
Integration Type: AI API (configurable via API keys)
Google Gemini AI
Purpose: AI language models, text generation, content analysis
Data Processed: User prompts, generated content, website content for analysis
Integration Type: AI API (configurable via API keys)
FAL.ai
Purpose: AI image and video generation (Imagen 4, Stable Video Diffusion)
Data Processed: Image/video generation prompts, generated media
Integration Type: AI API
HeyGen
Purpose: AI video generation with avatars
Data Processed: Text input, video generation requests, generated videos
Integration Type: AI API
Deepgram
Purpose: Voice transcription and speech-to-text
Data Processed: Audio recordings, transcribed text
Integration Type: Voice API
Analytics & Monitoring
PostHog
Purpose: Product analytics, user behavior tracking, feature flags
Data Processed: User interactions, page views, events, user properties
Integration Type: Analytics API
Sentry
Purpose: Error tracking, performance monitoring, application monitoring
Data Processed: Error logs, stack traces, performance metrics, user context
Integration Type: Error tracking API
Google Analytics
Purpose: Website analytics and traffic analysis
Data Processed: Page views, user interactions, traffic data
Integration Type: Analytics script (gtag.js)
Background Jobs & Workflow Automation
Inngest
Purpose: Event-driven background job processing, workflow automation
Data Processed: Event data, job metadata, workflow state
Integration Type: Background job service API
Real-time Collaboration
Liveblocks
Purpose: Real-time collaboration, presence tracking, collaborative editing
Data Processed: User presence, cursor positions, collaborative data
Integration Type: Real-time API
Pusher
Purpose: Real-time notifications, presence tracking, event broadcasting
Data Processed: User presence, notification data, real-time events
Integration Type: Real-time messaging API
Integration Platforms & APIs
Composio
Purpose: Unified integration platform for connecting to external services
Data Processed: OAuth tokens, integration configurations, API responses
Integration Type: Integration platform API
Note: Connected services: Gmail, Google Calendar, Google Drive, Google Docs, Google Meet, Google Analytics, Slack, Twitter/X, Instagram, LinkedIn, Facebook
Social Media & Marketing Platforms
LinkedIn
Purpose: Social media integration, lead generation
Data Processed: Profile data, connection data, posts
Integration Type: OAuth, API (via Composio and direct OAuth)
Twitter/X
Purpose: Social media integration, content posting
Data Processed: Tweets, profile data, engagement metrics
Integration Type: OAuth, API (via Composio)
Facebook/Meta
Purpose: Social media integration, advertising
Data Processed: Posts, profile data, ad data
Integration Type: OAuth, API
Instagram
Purpose: Social media integration, content management
Data Processed: Posts, stories, profile data, webhook events
Integration Type: OAuth, API, Webhooks (via Composio and direct integration)
Ayrshare
Purpose: Social media management and posting
Data Processed: Social media posts, scheduling data
Integration Type: API (configurable via API keys)
CRM & Sales Platforms
HubSpot
Purpose: CRM integration, lead management
Data Processed: Contact data, deal information, company data
Integration Type: API (configurable via API keys)
Salesforce
Purpose: CRM integration, sales data management
Data Processed: Contact data, opportunity data, account data
Integration Type: API (configurable via API keys)
Data & Lead Generation
People Data Labs (PDL)
Purpose: Lead generation, people search, contact enrichment
Data Processed: Person data, company data, contact information
Integration Type: API (configurable via API keys)
Firecrawl (Mendable)
Purpose: Web scraping, content extraction
Data Processed: Website content, scraped data
Integration Type: API
Webhook & Event Management
Svix
Purpose: Webhook delivery and management (used by Clerk)
Data Processed: Webhook payloads, event data
Integration Type: Webhook service
Slack Webhooks
Purpose: Internal notifications, alerts
Data Processed: Notification messages, alert data
Integration Type: Webhook
Cloud Infrastructure & Hosting
Vercel
Purpose: Application hosting, deployment, edge functions
Data Processed: Application code, environment variables, deployment data
Integration Type: Platform as a Service (PaaS)
Google Cloud Platform (GCP)
Purpose: Cloud infrastructure, storage, compute services
Data Processed: Application data, files, compute resources
Integration Type: Cloud platform
Note: Services used: Cloud Storage, Cloud Tasks, Compute Engine (if applicable)
Development & Build Tools
GitHub
Purpose: Source code repository, version control
Data Processed: Source code, commit history
Integration Type: Version control system (via Vercel deployments)
Compliance & Security Notes
PCI DSS Compliance
Payment card data is processed exclusively through Stripe, a PCI DSS Level 1 compliant service provider. No card data is stored on our systems.
Data Encryption
- Data in transit: All API communications use TLS/HTTPS
- Data at rest: Database encryption, encrypted file storage
API Key Management
API keys can be configured per workspace/organization. Keys are stored encrypted in the database with fallback to environment variables for system-level keys.
Multi-Tenancy
Separate databases per tenant for data isolation. Workspace-based access controls and tenant-specific configurations ensure proper data separation.
Webhook Security
All webhooks use signature verification. Svix is used for secure webhook delivery, and Stripe webhook signature validation ensures authenticity.
This document is reviewed and updated quarterly as part of our SOC2 compliance review, or when significant changes are made to our data processing practices.
For questions about our third-party services, please contact security@startuped.ai