Trust · sub-processors

Sub-processors.

Every third party with the potential to access customer or scan data — named, scoped, and dated. Updated whenever a vendor is added or removed. Enterprise customers receive ≥ 30 days written notice before any new sub-processor with material data exposure is activated.

Cloudflare Pages + R2 + Workers

ACTIVE

Legal entity: Cloudflare, Inc. (US, with EU data plane)
Region: Global edge · EU storage by default
Purpose: Static site hosting, edge compute, encrypted object storage for report PDFs.
Data exposure: Server logs (IP, user-agent, URL), encrypted report PDFs, encrypted scan execution metadata.
DPA: Cloudflare DPA + SCCs + EU-US DPF

Resend

ACTIVE

Legal entity: Resend (Drama Labs, Inc., US)
Region: US (transactional only)
Purpose: Transactional email: beta activation, scan completion notifications, password reset.
Data exposure: Email address, account name, transactional message body.
DPA: Resend DPA + SCCs

Stripe (planned — paid GA)

PLANNED

Legal entity: Stripe Payments Europe Ltd. (Dublin, IE)
Region: EU (with US fallback)
Purpose: Subscription billing, customer portal, invoice generation. Activated when self-serve checkout opens.
Data exposure: Email, billing name, billing address, VAT-ID, plan tier. Card data is never seen by PromptShield (Stripe-hosted).
DPA: Stripe DPA

GitHub

ACTIVE

Legal entity: GitHub, Inc. (US, Microsoft subsidiary)
Region: Global
Purpose: Source control, CI for the PromptShield platform itself. No customer scan data.
Data exposure: No customer scan data. Internal-only.
DPA: Microsoft / GitHub DPA + SCCs + EU-US DPF

Plausible Analytics (privacy-first analytics)

PLANNED

Legal entity: Plausible Insights OÜ (Tallinn, EE)
Region: EU only (Hetzner Germany)
Purpose: Aggregated, cookieless web analytics for marketing pages. No personal data, no cross-site tracking.
Data exposure: Anonymised, hashed, daily-rotated salt. No IP retention, no cookies.
DPA: Plausible DPA

OpenAI / Anthropic (model providers — customer-controlled)

ACTIVE

Legal entity: OpenAI L.L.C. / Anthropic, PBC
Region: US
Purpose: Optional: only invoked when a customer points a scan at one of these providers using their own credentials. Their endpoint, their data flow.
Data exposure: Customer-supplied prompts to customer-supplied endpoints. PromptShield does not forward customer data to LLM providers on its own initiative.
DPA: Customer's own contract with the provider

Notification & objection

Subscribe to sub-processor change notifications by emailing trust@promptshield.ai with the subject line SUBPROCESSOR-NOTICES. Enterprise customers may object to a new sub-processor within 14 days of notice; PromptShield will work in good faith to provide an alternative configuration or, failing that, allow the customer to terminate the affected service without penalty.

Back to security → Privacy / retention →

Last reviewed: 26 April 2026 · v1