Subprocessors
The third-party service providers that process customer personal data on behalf of TheAccessible.org.
- Version
- 1.0
- Published
- April 21, 2026
- Next review
- April 21, 2027
- Approved by
- Larry Anglin
1. What this page is
TheAccessible.org uses a small number of third-party service providers ("subprocessors") to operate the Service. Under our Privacy Policy and our Data Processing Addendum, we are transparent about who those providers are, what they process, and where they process it.
A subprocessor is a vendor that processes Customer Personal Data on our behalf — as distinct from general-purpose business software we use internally (accounting, HR, etc.) which does not receive customer data.
2. Current subprocessors
| Vendor | Purpose | Data categories | Processing location |
|---|---|---|---|
| Amazon Web Services (AWS) | Compute, object storage, queueing, backups | All Customer Content, account data, logs | United States (us-east-1, us-west-2) |
| Cloudflare | CDN, edge workers, DNS, DDoS protection | Request metadata, IP addresses, short-lived content fragments | Global edge; primary region United States |
| Supabase | Managed database, authentication | Account data, user profiles, document metadata | United States |
| Anthropic | AI document analysis and remediation (Claude) | Document pages and elements submitted for AI-assisted features | United States |
| Google Cloud (Gemini API) | AI classification and bulk processing (Gemini) | Document pages and elements submitted for AI-assisted features | United States |
| Mathpix | OCR and mathematical-equation recognition within submitted documents | Page images and extracted text fragments from documents that contain equations, handwriting, or scanned content | United States |
| Datalab (Marker API) | PDF structure extraction and conversion to structured text | Full PDF pages submitted for structural conversion | United States |
| Stripe | Payment processing, subscription billing, tax | Billing name, email, subscription status, partial payment-method identifiers | United States, with global edge |
| Resend | Transactional email delivery | Recipient email address, email content we send | United States |
For each vendor we have signed a Data Processing Agreement that flows down our commitments under the DPA and GDPR, and binds the vendor to standard contractual clauses for international transfers where applicable.
3. What vendors do not receive
- AI providers (Anthropic, Google) — receive only the document pages and elements needed to complete the requested AI-assisted task. They do not receive your account credentials, payment data, or data from other customers' accounts. See our AI & ML Disclosure for details.
- OCR and document-extraction providers (Mathpix, Datalab) — receive only the pages being processed for OCR or structural extraction. They do not receive account credentials, payment data, or data from other customers' accounts.
- Stripe — does not receive the contents of documents you process, usage metrics, or account data beyond what is needed for billing.
- Resend — receives only the transactional emails we send (receipts, security alerts, password resets, etc.) and the recipient address. It does not receive document contents.
4. International transfers
Where personal data originating in the EEA, UK, or Switzerland is transferred to a subprocessor in the United States or another jurisdiction, we and the subprocessor rely on the European Commission's Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum, or equivalent safeguards as appropriate.
5. Notice of changes
We will update this page whenever we add or change a subprocessor. For any new subprocessor that processes Customer Personal Data, we will provide at least 30 days' advance notice before the change takes effect, via:
- An updated version of this page (prior versions remain available at version history).
- Email to the primary contact on affected customer accounts.
Customers who have entered into a DPA with us have the right to object to a new subprocessor on reasonable data-protection grounds during that notice period. If we cannot address the objection, the customer may terminate the affected services as described in the DPA.
6. Objections and questions
Questions about this list or about a specific subprocessor: privacy@theaccessible.org.
Formal objections to a newly announced subprocessor should be sent to the same address within the 30-day notice window, with "Subprocessor objection" in the subject line.