Sub-processors
Every external service that may process data on behalf of SymaOS users. We update this list when sub-processors are added, removed, or materially changed.
Draft document
This text is an engineering placeholder pending review by qualified legal counsel. It is published so SymaOS can be evaluated end-to-end before public launch, but it is not legal advice and must not be relied upon for production decisions. The launch gate (SYMAOS_LEGAL_APPROVED=false) keeps public signup, paid plan activation, and App Store submission blocked until lawyer-reviewed versions ship.
Effective date
June 12, 2026
1. Current sub-processors
| Sub-processor | Purpose | Data | Region |
|---|---|---|---|
| Fly.io | Application hosting and runtime | Application logs, request metadata, in-flight payloads | Multi-region (configurable) |
| Vercel | Web dashboard and marketing hosting | Request metadata, build artifacts | Global edge |
| Neon / managed PostgreSQL | Primary database | All durable application data (encrypted at rest) | EU or US (per environment) |
| Upstash Redis | Cache and background queues | Short-lived task payloads, deduplication keys | EU or US (per environment) |
| Stripe | Payments and subscription billing | Customer identifiers, billing addresses, card data (handled exclusively by Stripe) | Stripe global |
| Google LLC | Optional Gmail / Calendar integration on user request | OAuth tokens (encrypted), normalized email and calendar metadata | Google global |
| Microsoft Corporation | Optional Microsoft 365 sign-in and calendar / mail integration | OAuth tokens (encrypted), normalized email and calendar metadata | Microsoft global |
| OpenAI / Anthropic (configurable) | Large language model inference for task extraction and briefs | Evidence snippets and structured prompts (zero-retention where supported) | Vendor-managed |
| Sentry | Error tracking and performance monitoring | Stack traces, request IDs, environment metadata (PII scrubbed) | Sentry SaaS |
2. International transfers
Where data is transferred outside the EEA, UK, or another jurisdiction you reside in, SymaOS relies on Standard Contractual Clauses (SCCs) or equivalent safeguards published by the sub-processor.
3. Changes
We will update this list at least 14 days before any new sub-processor begins processing user data, except where a security incident requires an emergency change. Material changes will also be announced in-product.
4. Contact
Sub-processor questions: privacy@symaos.com.