Last Updated: 2026-03-23

Sub-Processor List

Every service that processes, stores, or transmits client data, along with what data they receive, where it is processed, and how long they retain it.

AI Providers

These providers process client content to deliver AI-powered features. None store your data or use it for training.

Anthropic

Document generation, AI assistant, research, knowledge extraction

Data processed: Document text, conversation messages, knowledge base excerpts

ZDR requested (pending) | US | Not Used for Training | DPA via Commercial Terms

Google (Gemini API)

Vector representations for semantic search

Data processed: Document chunk text, search queries

Zero Retention | US | Not Used for Training | CDPA via Cloud Console

Cohere

Search result relevance reranking

Data processed: Document chunk excerpts, search queries

ZDR requested (pending) | US | Not Used for Training | SaaS Agreement

Infrastructure Providers

Supabase (AWS)

Primary database, authentication, file storage

Data processed: All application data — documents, knowledge base, conversations, accounts, embeddings, files

Persistent (primary store). Backups: 7 days (Supabase Pro plan) | US (AWS) | DPA Executed

Railway

Backend API and worker hosting

Data processed: API traffic in transit. Redis: operational metadata only (ephemeral)

Logs: 30 days. Redis: session-only | US | Self-Service DPA

Vercel

Frontend hosting, CDN, AI Gateway, analytics

Data processed: Browser requests, session cookies, document text via AI Gateway

AI Gateway: pass-through. Analytics: per Vercel policy | US (global CDN) | DPA Executed

Monitoring & Error Tracking

Sentry

Error monitoring, performance monitoring

Data processed: Error stack traces (PII scrubbed), performance traces

90 days | US | DPA Executed

Authentication Providers

Google (OAuth)

Optional Google Sign-In identity provider

Data processed: Email address, Google profile (standard OAuth flow)

Per Google account terms | US

Google OAuth is optional. Users may authenticate via magic link (email OTP) instead.

Source Control & CI/CD

GitHub

Source code hosting, CI pipeline

Data processed: Source code only — no client data

Indefinite (source code) | US

Research & Enrichment Providers

These providers are used by the AI Assistant, Document Generator, and Research modules to enrich outputs with web-sourced context. They may be invoked automatically during normal platform operation.

Perplexity AI

Web search for AI Assistant, Document Generator, and Research modules

Data processed: AI-generated search queries derived from conversation context and document content

Zero Retention | US | Not Used for Training

Firecrawl

Web content extraction for Research module

Data processed: User-specified public URLs only — no client content transmitted. SSRF protection prevents scraping of internal/private URLs

Per Firecrawl API terms (public URLs only) | US | Not Used for Training

Services We Do NOT Use

  • No advertising networks or tracking pixels
  • No data brokers or marketing analytics
  • No third-party email marketing
  • No social media tracking (beyond optional Google OAuth)
  • No third-party payment processors within the Platform
  • No service that aggregates data across clients

Change Notification

  1. Update this page 30 days before a new sub-processor begins processing data
  2. Email notification to client administrators
  3. Clients with contractual objection rights may object within the notification period