Legal
Last updated: March 1, 2026
Cassian™ uses a select group of third-party service providers ("subprocessors") to help deliver, maintain, and improve the platform. Each subprocessor is bound by data processing agreements that require them to protect your data in accordance with GDPR and applicable data protection law.
This page lists all subprocessors that may process personal data on behalf of Cassian and our customers. It is maintained as a living document and updated whenever subprocessors are added or removed.
| Subprocessor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting, authentication, and real-time data services | United States (us-east-1) |
| Vercel Inc. | Application hosting, serverless functions, and edge network | United States / Global |
| Stripe Inc. | Payment processing, subscription management, and invoicing | United States |
| Cloudflare Inc. | Content delivery network (CDN) and R2 object storage for screenshots and documents | United States / Global |
| Scrapfly SAS | Managed web crawling and data extraction for store scanning (primary) | France (EU) |
| Mendable Inc. (Firecrawl) | Failover web crawling when primary provider is unavailable | United States |
| Resend Inc. | Transactional email delivery (scan results, weekly digests, account notifications) | United States |
| Inngest Inc. | Background job processing and scheduled task orchestration | United States |
| Fly.io Inc. | Isolated compute for security vulnerability scanning (Cassian Shield™) | United States / Europe |
| Anthropic PBC | AI-powered content analysis via the Claude API | United States |
| OpenAI Inc. | AI-powered content analysis via the GPT-5 API | United States |
| Google LLC | AI-powered content analysis via the Gemini API | United States |
Anthropic (Claude), OpenAI (GPT-5), and Google (Gemini) process store data exclusively via their respective APIs. This processing is transient — your data is sent for analysis, the results are returned, and no data is retained by these providers after processing.
Neither Anthropic nor OpenAI uses data submitted through their APIs to train or improve their models. Both providers operate under data processing agreements with Cassian that include strict confidentiality and security obligations.
Cassian will provide at least 30 days' advance notice before adding a new subprocessor or replacing an existing one. Notifications are sent to the email address associated with your account.
If you object to a new subprocessor, you may contact us at dpo@getcassian.com within 30 days of the notification. We will work with you to find a resolution. If we cannot resolve your objection, you may terminate the affected service without penalty.
To subscribe to subprocessor change notifications, email dpo@getcassian.com with the subject line "Subscribe to subprocessor updates."
Where subprocessors are located outside the EU/UK, Cassian ensures that appropriate transfer mechanisms are in place. These include Standard Contractual Clauses (SCCs) as approved by the European Commission and, where applicable, supplementary measures in line with the Schrems II decision.
Our primary database (Supabase) is hosted in the United States (us-east-1). GDPR compliance is ensured via the Data Privacy Framework (DPF) and Standard Contractual Clauses (SCCs). EU data residency is on the roadmap.
For questions about our subprocessors or data processing practices, contact:
Data Protection Officer
Cassian
New Zealand
Email: dpo@getcassian.com
We use cookies to keep you signed in and improve your experience. See our Cookie Policy for details.