Subprocessor List
Last Updated: May 27, 2026
Aeopic LLC (“Aeopic”) uses the following third-party service providers (subprocessors) to deliver services to our clients. Each subprocessor has been evaluated for its security practices and data handling capabilities.
This page is maintained as part of our commitment to transparency under applicable data protection regulations, including the Texas Data Privacy and Security Act (TDPSA). For questions about our subprocessors, contact us at privacy@aeopic.com.
| Subprocessor | Purpose | Data Handled | Location | Compliance |
|---|---|---|---|---|
| Supabase | Database, Authentication, File Storage | Application data, user credentials, uploaded files | United States (AWS) | SOC 2 Type II, HIPAA BAA available |
| Vercel | Application Hosting, Edge Functions, CDN | Application code, static assets, server-side logic | United States / Global Edge | SOC 2 Type II |
| Stripe | Payment Processing, Billing | Payment card data, billing information | United States | PCI DSS Level 1, SOC 2 Type II |
| Twilio | SMS and Voice Communications | Phone numbers, message content | United States | SOC 2 Type II, HIPAA eligible |
| Resend | Transactional Email Delivery | Email addresses, email content | United States | SOC 2 Type II |
| Anthropic | AI Processing (Claude API) | Prompts and conversation context | United States | SOC 2 Type II, ISO 27001, ISO 42001, BAA available, Zero Data Retention available |
| SignatureAPI | Electronic Signatures | Contract data, signature records | United States | ESIGN Act and UETA compliant |
| Google Analytics | Website Traffic Analytics | Anonymized usage data, page views, session data | United States | Google Cloud SOC 2, DPA available |
Changes to This List
We will notify clients of subprocessor changes as specified in applicable Data Processing Agreements. If you have an active DPA with Aeopic, you will receive written notice before any new subprocessor is engaged that processes your data.
Clients may object to a new subprocessor within 30 days of receiving notice. If an objection cannot be resolved, either party may terminate the affected services as described in the applicable agreement.
Our Data Handling Principles
- All subprocessors are contractually required to maintain appropriate security measures.
- Client data is processed only for the purposes described in the applicable Service Level Agreement.
- We select subprocessors with independently audited security programs (SOC 2, ISO 27001, or equivalent) wherever possible.
- All data processing occurs within the United States unless otherwise specified and agreed upon with the client.