Sub-processors

Last updated: May 7, 2026

This is an initial draft. It will be reviewed by a lawyer specialized in GDPR (Europe) and Habeas Data (LATAM) before public launch.

This page lists the sub-processors we use. We publish it for GDPR Art. 28.2 transparency and as a reference for clients who sign a Data Processing Agreement (DPA) with Guerki.

Active sub-processors

Sub-processor	Service	Data shared	Region	DPA
Vercel	Hosting + edge functions	HTTP requests and visitor IP address	EU+US	View DPA
Beehiiv	Newsletter (waitlist + welcome emails)	Subscriber email and UTM parameters	US	View DPA
Upstash	Distributed rate limiting	IP hash (rate limiting)	US	View DPA
PostHog	Product analytics	Post-consent product events (no PII)	EU	View DPA

Authorized sub-processors (Guerki HR product — not yet processing)

The following sub-processors are authorized for the Guerki HR product (Annex 2 of our DPA) but do not process personal data at this time. This list reflects planned integration; each effective onboarding moves the provider to the section above.

Sub-processor	Service	Data shared	Region	DPA
Neon	Postgres database	All HR product personal data (encrypted)	EU+US	View DPA
Cloudflare	CDN + network protection	All product HTTP requests	EU+US	View DPA
Clerk	Authentication and organization management	Administrator identifiers	US	View DPA
Anthropic	Artificial intelligence (Claude agents)	AI agent inputs and outputs	US	View DPA
AWS Rekognition	Facial recognition (attendance)	Facial images (with explicit consent)	US	View DPA
Stripe	Payment processing	Billing data	US	View DPA
Resend	Transactional email	Transactional emails (receipts, alerts)	US	View DPA

Change notification

We will notify clients under signed contract in writing at least 30 days before adding a new sub-processor or replacing an existing one. The client may object on reasonable grounds within 14 days of notification.

Contact

Questions about sub-processors: dpo@guerki.com