Back to Trust Center
Sub-processors

Sub-processors we rely on

We use a small set of vetted vendors to operate BillSlash Apex. Each one is bound by a written agreement that includes confidentiality, security, and breach-notification obligations equivalent to our own.

Last updated: ยท Material changes are emailed to workspace owners at least 30 days in advance.

Infrastructure

Amazon Web Services

Primary cloud compute & object storage

Data: All tenant data (encrypted at rest)

US-East / EU-West
Supabase

Managed PostgreSQL, Auth, file storage

Data: All tenant data, auth identity

US / EU multi-region
Cloudflare

CDN, DDoS protection, Workers edge runtime

Data: Request metadata, IP, cached assets

Global edge

Payments

Stripe

Payment processing, subscription billing

Data: Billing contact, payment method tokens

US (PCI Level 1)
Plaid

Bank account aggregation (opt-in)

Data: Bank tokens, transactions (tenant-opted)

US

Observability

Sentry

Error & performance monitoring

Data: Stack traces, user id (no PII payloads)

US-West
PostHog

Product analytics (opt-in)

Data: Anonymous event metadata

US / EU
UptimeRobot

Public status page monitoring

Data: URL availability metrics only

US

Communications

Resend

Transactional email delivery

Data: Recipient email, subject, body

US / EU

AI

OpenAI

LLM inference for AI copilot (opt-in)

Data: Prompt content (no training)

US (zero-retention)
Google AI (Gemini)

LLM inference for document extraction (opt-in)

Data: Document text + prompt

US (zero-retention)

Object to a sub-processor

Enterprise customers may object to a new sub-processor in writing within 30 days of notice. We will work in good faith to provide a commercially reasonable alternative; if none is possible, you may terminate the affected service for cause.

privacy@billslash.app