# Snack Subprocessors List **Last Updated:** March 2026 **Document Version:** 1.0 ## Overview This document lists the third-party service providers (subprocessors) that Snack uses to deliver our services. Each subprocessor has been vetted for security and privacy compliance. ## Infrastructure & Hosting | Subprocessor | Purpose | Data Processed | Location | Certifications | |--------------|---------|----------------|----------|----------------| | Vercel | Application hosting | Application data, user requests, runtime diagnostics | US (primary), Global (edge) | SOC 2 Type II | | Supabase | Database, Authentication | User data, content metadata, transcripts, first-party behavior analytics | US | SOC 2 Type II | | Cloudflare | CDN, DDoS protection | Request metadata, cached content | Global | SOC 2 Type II, ISO 27001 | ## Video Processing & Delivery | Subprocessor | Purpose | Data Processed | Location | Certifications | |--------------|---------|----------------|----------|----------------| | Mux | Video hosting, streaming | Video files, playback data | US | SOC 2 Type II | ## AI & Machine Learning | Subprocessor | Purpose | Data Processed | Retention | Location | |--------------|---------|----------------|-----------|----------| | Vercel AI Gateway | LLM API routing | Prompt content for supported AI workflows | Workflow-dependent; ZDR is enabled on eligible configurations | US | | OpenAI | Language model provider | Text prompts for configured workflows | Provider-path dependent | US | | Anthropic | Language model provider | Text prompts for configured workflows | Provider-path dependent | US | | Modal (WhisperX) | Video transcription | Signed video URLs | Process and delete | US | ### AI Data Practices Snack documents the following AI controls: 1. **Workflow-Specific Retention**: Zero Data Retention (ZDR) is enabled on eligible AI Gateway and provider configurations; other workflows follow the configured provider path for that feature 2. **Organization Controls**: Workspace admins can manage AI improvement opt-in, human review, and transcript retention settings 3. **K-12 Restrictions**: AI improvement remains disabled for K-12 organizations 4. **Signed URLs**: Video access uses time-limited signed URLs that expire after processing 5. **Text-Only LLM Inputs**: LLM workflows are designed to send transcript or prompt text rather than raw video files ## Email & Communications | Subprocessor | Purpose | Data Processed | Location | |--------------|---------|----------------|----------| | Resend | Transactional email | Email addresses, notification content | US | ## Analytics & Monitoring | Subprocessor | Purpose | Data Processed | Location | |--------------|---------|----------------|----------| | Vercel | Runtime logging and operational monitoring | Request metadata, runtime diagnostics | US (primary), Global (edge) | | Supabase | First-party behavioral analytics storage | Privacy-gated route templates, key-action clicks, funnel steps, and error signals | US | Snack does not currently use a third-party session replay, heatmap, or product analytics vendor for in-product behavior analytics. ## Payment Processing | Subprocessor | Purpose | Data Processed | Location | Certifications | |--------------|---------|----------------|----------|----------------| | Stripe | Payment processing | Payment methods, billing info | US | PCI DSS Level 1 | ## Data Protection Measures All subprocessors: - Are bound by data processing agreements (DPAs) - Maintain industry-standard security certifications - Provide data breach notification procedures - Support data deletion requests ## Changes to Subprocessors Snack provides notification of subprocessor changes through: - Updates to this document - Email notification to organization administrators (for material changes) - Changelog entries in the application ## Questions For questions about our subprocessors: - **Email**: support@snack.io - **DPA Requests**: support@snack.io --- *This document is updated periodically. Please check for the latest version.*