Subprocessors
BrainstormMSP works with trusted third-party service providers to deliver our platform. This page lists all subprocessors with access to customer data.
Last updated: December 22, 2024
01. Our Commitment to Data Security
We carefully vet all third-party service providers to ensure they meet our high standards for data security, privacy, and compliance. All subprocessors are SOC 2 Type II certified or equivalent. Data Processing Agreements (DPAs) are in place with all vendors. Regular security audits and compliance reviews are conducted.
Notification of Changes: New subprocessors are announced with 30 days' advance notice via email. Removals are reflected on this page within 5 business days. Customers may object to new subprocessors within 30 days.
02. DigitalOcean -- Infrastructure and Hosting
Purpose: Application hosting, compute, and networking infrastructure.
Data Processed: All customer data stored and processed through the platform.
Location: United States.
Certifications: SOC 2 Type II, ISO 27001, PCI DSS.
Website: https://www.digitalocean.com
03. Supabase -- Database and Authentication
Purpose: Authentication and real-time services.
Data Processed: User authentication tokens and session data.
Location: United States.
Certifications: SOC 2 Type II, GDPR compliant.
Website: https://supabase.com
04. Anthropic -- AI Services
Purpose: Claude API for AI-powered security control evaluation and analysis.
Data Processed: Control evaluation data, security configurations, compliance assessment data.
Location: United States.
Certifications: SOC 2 Type II, does not train on customer data.
Website: https://www.anthropic.com
05. Stripe -- Payment Processing
Purpose: Payment processing, subscription billing, and invoice management.
Data Processed: Payment information, billing details, transaction history.
Location: United States.
Certifications: PCI DSS Level 1, SOC 2 Type II.
Website: https://stripe.com
06. SendGrid -- Email Delivery
Purpose: Transactional email delivery (alerts, reports, notifications).
Data Processed: Email addresses, email content, delivery metrics.
Location: United States.
Certifications: SOC 2 Type II, GDPR compliant.
Website: https://sendgrid.com
07. Resend -- Email Delivery
Purpose: Marketing emails and product update communications.
Data Processed: Email addresses, communication preferences.
Location: United States.
Certifications: GDPR compliant.
Website: https://resend.com
08. PostHog -- Product Analytics
Purpose: Product usage analytics and feature tracking (self-hosted instance).
Data Processed: Anonymized usage data, feature interactions, session analytics.
Location: United States (self-hosted).
Certifications: SOC 2 Type II, GDPR compliant.
Website: https://posthog.com
09. Cloudflare -- CDN and Security
Purpose: Content delivery network, DDoS protection, and edge security.
Data Processed: IP addresses, request headers, traffic data.
Location: Global network.
Certifications: SOC 2 Type II, ISO 27001, PCI DSS.
Website: https://www.cloudflare.com
10. Data Processing Agreements
We have Data Processing Agreements (DPAs) in place with all subprocessors that handle customer data. These agreements ensure compliance with GDPR, CCPA, and other data protection regulations. Enterprise customers may request copies of relevant DPAs.
11. International Data Transfers
Most of our subprocessors process data within the United States. For subprocessors with global networks (e.g., Cloudflare), appropriate safeguards such as Standard Contractual Clauses (SCCs) are in place for international data transfers.
12. Subprocessor Security Requirements
All subprocessors must meet or exceed our security requirements:
SOC 2 Type II or equivalent certification.
Encryption in transit (TLS 1.2+) and at rest (AES-256).
Regular security audits and penetration testing.
Incident response and breach notification procedures.
Data deletion and retention policies.
13. Questions or Concerns?
If you have questions about our subprocessors or data processing practices, please contact our privacy team:
Email: [email protected]