Sub-Processors

Last updated: February 11, 2026

AmbientMeta uses the following third-party sub-processors to deliver the Privacy Gateway service. Each sub-processor is bound by data protection obligations consistent with our Data Processing Agreement and applicable data protection laws.

Current Sub-Processors

Sub-Processor	Location	Purpose	Data Processed
Fly.io, Inc.	United States	Application hosting	Customer Data (transient processing only), Account Data
Upstash, Inc.	United States	Session cache (Redis, 24-hour TTL)	Session data (PII-to-placeholder mappings), rate limit counters
Supabase, Inc.	United States	Database (PostgreSQL)	Account Data, detection metadata (anonymized), request logs
Stripe, Inc.	United States	Payment processing	Billing data, payment information
Resend, Inc.	United States	Transactional email	Email addresses (for verification and password reset emails)

Self-Hosted Deployments

For self-hosted customers, Customer Data is processed entirely on your own infrastructure. The sub-processors listed above apply only to Account Data (authentication, billing) and not to the text content you process through the Privacy Gateway. The detection engine, session cache, and database all run within your environment.

Change Notification

We will notify customers of changes to our sub-processor list at least 30 days before any new sub-processor begins processing Customer Data. Notifications are sent via:

Email to the account owner's registered email address
Update to this page with the "Last updated" date revised

If you object to a new sub-processor, you may notify us in writing within 14 days of receiving notice. See Section 4 of our Data Processing Agreement for the objection procedure.

Change Log

Date	Change
February 11, 2026	Initial sub-processor list published

Contact

For questions about our sub-processors or to subscribe to change notifications:

Email: legal@ambientmeta.com
Data Protection Officer: dpo@ambientmeta.com