Subprocessors
The vetted third-party services that help Contexta run — what they do, where they are, and exactly what data they touch.
Last updated: 2026-05-17
Notice and approval
Contexta engages third-party subprocessors to run parts of the service. We vet every subprocessor for security, legal compliance, and data-protection posture before activation. We notify customers of new subprocessors at least 30 days before activation via email to account administrators and via this page.
To receive new-subprocessor notifications by email, subscribe by sending a message to dpo@contexta.ai with the subject line “Subscribe: subprocessors”. Customers under signed enterprise agreements receive these notifications automatically.
Current subprocessors
| Subprocessor | Purpose | Location | Data accessed |
|---|---|---|---|
| Amazon Web Services | Primary cloud infrastructure (compute, storage, network). | us-east-1 (N. Virginia) and eu-west-1 (Ireland). | All customer content and usage telemetry, encrypted at rest. |
| Google Cloud Platform | Secondary cloud infrastructure for managed services and failover. | us-east4 and europe-west1. | Customer content and telemetry routed to GCP-hosted services, encrypted at rest. |
| Stripe | Subscription billing, payment processing, and tax handling. | United States (with EU data residency for EU customers). | Account contact details and billing information. No customer content. |
| Anthropic | Optional LLM inference for agent reasoning and summarization. | United States. | Prompts and context windows generated by the agent at runtime. Customer opt-in. Disabled by default. Not used to train Anthropic models. |
| OpenAI | Optional LLM inference for agent reasoning and summarization. | United States. | Prompts and context windows generated by the agent at runtime. Customer opt-in. Disabled by default. Not used to train OpenAI models. |
| Sentry | Error monitoring and stack-trace aggregation. | United States. | Stack traces, request metadata, scrubbed of customer content. |
| PostHog | Product analytics (page views, feature usage, funnel metrics). | European Union (EU Cloud). | Pseudonymous event data. No customer content. |
| Resend | Transactional email delivery (sign-up, password reset, alerts). | United States. | Recipient email address and the body of the transactional message. |
| Pinecone | Optional managed vector storage for retrieval augmentation. | Customer-configured region (US or EU). | Embeddings and associated metadata for the customer's namespace. Customer-configured. Disabled by default. Self-hosted alternative available. |
Subprocessor obligations
Every subprocessor is bound by a written agreement that imposes data-protection terms at least as strict as our own, including SCCs where applicable, breach notification timelines compatible with our 72-hour customer notice, and a restriction on using customer data for any purpose other than providing services back to us. We review subprocessor compliance annually and as part of any material change to their service.
Changes to this list
We will update this page when subprocessors change. Material changes (a new subprocessor with access to customer content) trigger the 30-day notice described above. Non-material changes (e.g. a vendor rebrands or relocates within the same region) are reflected here without separate notice but always before the change takes effect.
To subscribe to new-subprocessor notifications, raise an objection on data-protection grounds, or request the full vendor due-diligence packet, email dpo@contexta.ai.