Subprocessors
Effective date: 2026-05-18
This page lists the third-party companies (“subprocessors”) that Spanlens engages to operate the service. Each subprocessor processes Customer Personal Data only on documented instructions from Spanlens and under contractual confidentiality and security obligations consistent with our Data Processing Addendum.
Customers who have signed our DPA receive at least 30 days' advance email notice before we engage a new subprocessor or change the role of an existing one. To subscribe to subprocessor change notifications, email support@spanlens.io from your account address with subject “Subprocessor notifications”.
Infrastructure subprocessors
These providers store or transmit Customer Personal Data as part of normal service operation.
| Subprocessor | Purpose | Data categories | Processing location | Transfer mechanism |
|---|---|---|---|---|
| Vercel Inc. (San Francisco, CA, USA) | Compute and hosting for the API server (proxy + REST API) and the marketing / dashboard web app. Edge cache for static assets. | All Customer Personal Data in transit; serverless function memory only (no persistent storage beyond logs). | Functions: iad1 (Washington D.C., US East).Edge cache: global anycast (no body persistence). | EU Standard Contractual Clauses (Module 2), Vercel DPA. |
| Supabase Inc. (San Francisco, CA, USA) | PostgreSQL database (auth, organizations, projects, encrypted provider keys, subscription state). Authentication (sign-in, sessions). | Account profile, organization membership, encrypted (AES-256-GCM) provider keys, billing state, authentication tokens. | ap-northeast-2 Seoul (AWS Asia Pacific). | EU SCCs; Korea has EU adequacy decision (2021/1772). |
| ClickHouse, Inc. (Portola Valley, CA, USA) | Columnar database for the LLM requests table (high-volume proxy log storage), accessed via ClickHouse Cloud. | Request / response bodies (truncated to 10 KB), token counts, latency, cost, model identifiers, security flags. | ClickHouse Cloud (US region). | EU SCCs, ClickHouse DPA. |
| Upstash, Inc. (San Francisco, CA, USA) | Redis-compatible store for rate-limit counters (sliding window). | Hashed organization identifiers and API key hashes only; no request bodies or PII. TTL 60 seconds. | IAD1 (US East). | EU SCCs. |
| Paddle.com Market Ltd. (Dublin, Ireland) | Merchant of Record for all paid subscriptions: invoicing, payment processing, tax (VAT / GST / sales tax) collection and remittance, refunds, chargeback handling. | Customer name, billing address, card / IBAN (held by Paddle, not by Spanlens), Paddle customer and subscription identifiers. | Ireland (EU). | Intra-EU transfer (no SCCs required between EU controller and EU processor). |
Communications subprocessors
These providers deliver transactional emails and (optionally) error monitoring data.
| Subprocessor | Purpose | Data categories | Processing location | Transfer mechanism |
|---|---|---|---|---|
| Resend, Inc. (San Francisco, CA, USA) | Transactional email delivery (workspace invitations, quota warnings, leak alerts, billing notifications). | Recipient email address, subject, message body. | USA. | EU SCCs. |
| Functional Software, Inc. (Sentry) (San Francisco, CA, USA) | Application error monitoring (stack traces and breadcrumb logs from server and dashboard runtime errors). | Stack traces with secrets and authorization headers redacted by pre-transmission filters (beforeSend). | USA (Sentry US tenant). | EU SCCs. |
Upstream LLM providers
Spanlens is a proxy. When you send a request to the Spanlens proxy targeting an upstream LLM provider, we forward that request, including any prompt content you submit, to the provider you chose, using API credentials you supplied.
The upstream providers are independent controllers with respect to the requests you route through them, governed by their own terms and privacy policies. They are not Spanlens subprocessors in the GDPR Art. 28 sense; we enumerate them here for transparency.
| Provider | When data flows there | Provider terms |
|---|---|---|
| OpenAI, L.L.C. | When you target an OpenAI endpoint (e.g. /proxy/openai/v1/chat/completions). | Privacy policy / Business terms |
| Anthropic, PBC | When you target an Anthropic endpoint (e.g. /proxy/anthropic/v1/messages). | Privacy policy / Commercial terms |
| Google LLC | When you target a Gemini endpoint (e.g. /proxy/gemini/v1beta/...). | Gemini API terms / Privacy policy |
Spanlens affiliates and contractors
Spanlens (Oceancode) is a sole proprietorship registered in the Republic of Korea. We do notcurrently engage affiliate entities or external contractors who process Customer Personal Data. If this changes, the affiliate / contractor will be added to this page with at least 30 days' advance notice as described above.
Change history
| Date | Change |
|---|---|
| 2026-05-18 | Initial dedicated subprocessors page extracted from the Privacy Policy. Added ClickHouse, Inc. and Upstash, Inc. (newly engaged 2026-05); split Sentry and Resend into the Communications section; clarified that LLM upstream providers are independent controllers rather than processors. |
Questions about subprocessors should be directed to support@spanlens.io. See also our Privacy Policy and Data Processing Addendum.