Subprocessors
BrainstormMSP works with trusted third-party service providers to deliver our platform. This page lists all subprocessors with access to customer data.
Last updated: December 22, 2024
Our Commitment to Data Security
We carefully vet all third-party service providers to ensure they meet our high standards for data security, privacy, and compliance.
- All subprocessors are SOC 2 Type II certified or equivalent
- Data Processing Agreements (DPAs) in place with all vendors
- Regular security audits and compliance reviews
Notification of Changes
We will notify customers of any changes to our list of subprocessors:
- New subprocessors: 30 days advance notice via email
- Removed subprocessors: Updated on this page within 5 business days
- Right to object: Customers may object to new subprocessors within 30 days
Current Subprocessors
8 trusted service providers power the BrainstormMSP platform
Digital Ocean (Infrastructure & Hosting)
- Purpose: Application hosting, compute, and networking infrastructure
- Data Processed: All customer data stored and processed through the platform
- Location: United States
- Certifications: SOC 2 Type II, ISO 27001, PCI DSS
Supabase (Database & Authentication)
- Purpose: PostgreSQL database, authentication, and real-time services
- Data Processed: All platform data including user accounts, client records, security evaluations
- Location: United States
- Certifications: SOC 2 Type II, GDPR compliant
Anthropic (AI Services)
- Purpose: Claude Sonnet 4.5 API for AI-powered security control evaluation and analysis
- Data Processed: Control evaluation data, security configurations, compliance assessment data
- Location: United States
- Certifications: SOC 2 Type II, does not train on customer data
Stripe (Payment Processing)
- Purpose: Payment processing, subscription billing, and invoice management
- Data Processed: Payment information, billing details, transaction history
- Location: United States
- Certifications: PCI DSS Level 1, SOC 2 Type II
SendGrid (Email Delivery)
- Purpose: Transactional email delivery (alerts, reports, notifications)
- Data Processed: Email addresses, email content, delivery metrics
- Location: United States
- Certifications: SOC 2 Type II, GDPR compliant
Resend (Email Delivery)
- Purpose: Marketing emails and product update communications
- Data Processed: Email addresses, communication preferences
- Location: United States
- Certifications: GDPR compliant
PostHog (Product Analytics)
- Purpose: Product usage analytics and feature tracking (self-hosted instance)
- Data Processed: Anonymized usage data, feature interactions, session analytics
- Location: United States (self-hosted)
- Certifications: SOC 2 Type II, GDPR compliant
Cloudflare (CDN & Security)
- Purpose: Content delivery network, DDoS protection, and edge security
- Data Processed: IP addresses, request headers, traffic data
- Location: Global network
- Certifications: SOC 2 Type II, ISO 27001, PCI DSS
Additional Information
Data Processing Agreements
We have Data Processing Agreements (DPAs) in place with all subprocessors that handle customer data. These agreements ensure compliance with GDPR, CCPA, and other data protection regulations. Enterprise customers may request copies of relevant DPAs.
International Data Transfers
Most of our subprocessors process data within the United States. For subprocessors with global networks (e.g., Cloudflare), appropriate safeguards such as Standard Contractual Clauses (SCCs) are in place for international data transfers.
Subprocessor Security Requirements
All subprocessors must meet or exceed our security requirements:
- SOC 2 Type II or equivalent certification
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Regular security audits and penetration testing
- Incident response and breach notification procedures
- Data deletion and retention policies
Questions or Concerns?
If you have questions about our subprocessors or data processing practices, please contact our privacy team:
Email: [email protected]