Heuristicworks Trust Center

Subprocessor List

Spexsure · Version 1.0 · Effective 2026-06-01 · Heuristicworks LLC

This page lists the third-party subprocessors that Heuristicworks LLC ("Spexsure") engages to process personal data on your behalf in connection with the Spexsure platform ("Service"). A subprocessor is a third-party entity that Spexsure authorises to access or process personal data in the course of providing the Service.

This list is maintained in accordance with our obligations under GDPR Article 28(4) and equivalent data protection laws. If you have executed a Data Processing Agreement (DPA) with Spexsure, this list forms part of that DPA.

For questions about this list or to receive advance notice of subprocessor changes, email legal@heuristicworks.com.


Current Subprocessors

| Subprocessor | Entity | Purpose | Data Processed | Location | Security Certification |
|---|---|---|---|---|---|
| Anthropic | Anthropic PBC | AI processing — gap detection, PRD enrichment, ticket generation | PRD content (text submitted by users); system prompts | United States | SOC 2 Type II (API customers) |
| Supabase | Supabase Inc. | Database hosting and management | All platform data: account data, PRD content, AI output, tickets, OAuth tokens (encrypted), subscription data, journey events, error reports | United States (AWS us-east-1) | SOC 2 Type II |
| Vercel | Vercel Inc. | Application hosting, serverless compute, edge network | All data processed by the application: request data, session data, IP addresses, user agent strings, response payloads | United States (global edge) | SOC 2 Type II |
| Stripe | Stripe Inc. | Payment processing and subscription billing | Email address, billing name, payment method metadata (card type, last four digits, expiry), invoice history | United States | PCI DSS Level 1; SOC 2 Type II |
| Resend | Resend Inc. | Transactional email delivery | Email address, first name, email content (welcome emails, credit warning emails, invitation emails, system notifications) | United States | SOC 2 Type II |
| Sentry | Functional Software Inc. (Sentry) | Application error monitoring and crash reporting | Error stack traces, request metadata, user ID (where associated with an error session), IP address | United States | SOC 2 Type II |
| PostHog | PostHog Inc. | Product analytics and session recording | Journey event identifiers, anonymised usage behaviour, session IDs (client-generated), feature interaction data | United States or EU (configurable) | SOC 2 Type II |
| Upstash | Upstash Inc. | Redis-backed rate limiting | IP addresses and anonymised request counts (within 60-second sliding window only; not persisted beyond the window) | United States | SOC 2 Type II |
| Google | Google LLC | OAuth 2.0 identity provider (sign-in with Google) | Email address, name, profile picture URL, OAuth subject ID | United States | ISO 27001; SOC 2 Type II |
| Microsoft | Microsoft Corporation | OAuth 2.0 identity provider (sign-in with Microsoft / Entra ID) | Email address, name, profile picture URL, Entra ID object ID | United States | ISO 27001; SOC 2 Type II |
| Cloudflare | Cloudflare Inc. | WAF, DDoS protection, bot mitigation, SSL/TLS termination, global CDN — all traffic to spexsure.com passes through Cloudflare | IP addresses, HTTP request metadata (headers, URL paths, user agent strings, geolocation derived from IP), request and response payloads in transit | United States (global edge) | SOC 2 Type II; ISO 27001; PCI DSS Level 1 |
| Atlassian | Atlassian Pty Ltd | Jira integration — OAuth 2.0 token exchange and ticket push | OAuth access and refresh tokens (encrypted at rest); Jira project metadata; generated ticket content pushed on user instruction | Australia (HQ); data processed globally | SOC 2 Type II; ISO 27001 |

Data Processing Details by Subprocessor

Anthropic PBC

Anthropic processes PRD content submitted by users as input to its large language model API. Anthropic's current API terms prohibit use of API customer data to train models without consent. Spexsure does not send personal data to Anthropic beyond what users include in their PRD content. Users on BYOK plans make API calls under their own Anthropic account, subject to their own agreement with Anthropic.

Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021) where applicable.

Supabase Inc.

Supabase provides the managed PostgreSQL database in which all platform data is stored, including account records, PRD content, AI output, encrypted OAuth tokens, subscription and billing data, journey events, error reports, and audit logs. Data is stored in AWS us-east-1 by default. Spexsure encrypts sensitive fields (OAuth tokens, BYOK keys) before storage using AES-256-GCM.

Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021).

Vercel Inc.

Vercel hosts the Next.js application, serverless API routes, and edge middleware. All HTTP requests to spexsure.com pass through Vercel's infrastructure. Vercel processes IP addresses, user agent strings, and request/response payloads as part of application serving. Vercel's edge network operates globally; requests are served from the nearest edge location.

Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021); Vercel participates in the EU-US Data Privacy Framework.

Stripe Inc.

Stripe processes all payment transactions. Spexsure does not receive or store raw payment card data. Stripe is a PCI DSS Level 1 certified payment processor. Spexsure receives from Stripe only billing metadata (card type, last four digits, expiry) and Stripe customer/subscription identifiers.

Transfer mechanism: Stripe participates in the EU-US Data Privacy Framework.

Resend Inc.

Resend delivers transactional emails on behalf of Spexsure. Email content is generated by Spexsure and transmitted to Resend for delivery. Resend retains email logs for deliverability troubleshooting in accordance with its own retention policy.

Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021).

Functional Software Inc. (Sentry)

Sentry receives error reports generated by the Spexsure application, including stack traces and contextual request data. Spexsure configures Sentry to scrub known sensitive fields before transmission. Sentry may receive user IDs and IP addresses where an error is associated with an active session.

Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021); Sentry participates in the EU-US Data Privacy Framework.

PostHog Inc.

PostHog receives journey event data for product analytics. Events contain journey IDs, outcome labels (succeeded/failed), and timestamps. PRD content is never sent to PostHog. PostHog is configurable to use EU-based infrastructure; Spexsure's PostHog region is noted in our internal configuration.

Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021) or EU hosting.

Upstash Inc.

Upstash provides a managed Redis instance used exclusively for rate limiting in the application middleware. Only IP addresses and rolling request counts are stored. This data is not persisted beyond the rate limit window (60 seconds) and does not constitute personal data in any meaningful sense under GDPR; it is listed here for completeness and transparency.

Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021).

Google LLC

Google acts as an identity provider via OAuth 2.0. When you sign in with Google, Google authenticates your identity and returns your email address, name, profile picture URL, and a unique subject identifier to Spexsure. Spexsure does not access any other Google account data. Your use of Google Sign-In is subject to Google's own terms and privacy policy.

Transfer mechanism: Google participates in the EU-US Data Privacy Framework.

Microsoft Corporation

Microsoft acts as an identity provider via OAuth 2.0 (Microsoft Entra ID). When you sign in with Microsoft, Microsoft authenticates your identity and returns your email address, name, profile picture URL, and a unique Entra ID object identifier to Spexsure. Spexsure does not access any other Microsoft account data. Your use of Microsoft Sign-In is subject to Microsoft's own terms and privacy policy.

Transfer mechanism: Microsoft participates in the EU-US Data Privacy Framework.

Cloudflare Inc.

Cloudflare sits in front of Spexsure's infrastructure as a reverse proxy. All HTTP and HTTPS traffic to spexsure.com passes through Cloudflare's global edge network before being forwarded to Vercel. Cloudflare enforces TLS 1.3, provides Web Application Firewall (WAF) rules, detects and mitigates DDoS attacks, and blocks malicious bots. As part of this role, Cloudflare processes IP addresses, HTTP headers, and request metadata. Cloudflare does not process PRD content — it only handles the network layer. Cloudflare's own privacy policy and data processing addendum govern its handling of this data.

Transfer mechanism: Cloudflare participates in the EU-US Data Privacy Framework; Standard Contractual Clauses (EU SCCs 2021) available.

Atlassian Pty Ltd

Atlassian provides the Jira integration via OAuth 2.0. When you connect a Jira workspace, Atlassian issues access and refresh tokens to Spexsure. Spexsure encrypts these tokens at rest (AES-256-GCM) and uses them solely to push generated tickets to your designated Jira project on your instruction. Spexsure does not read, store, or process Jira issue content beyond confirming successful ticket creation.

Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021).


Subprocessor Changes

We review and update this list when we add, replace, or remove subprocessors. We will provide 30 days' advance notice of any new subprocessor or material change to an existing subprocessor by:

  • Updating this page with the effective date of the change
  • Sending an email notification to account holders registered for subprocessor change notifications

To register for advance notifications, email legal@heuristicworks.com with the subject line "Subprocessor Notifications".

If a proposed new subprocessor is objectionable for data protection reasons, customers with an executed DPA may raise a written objection within 14 days of notification. Spexsure will work in good faith to address the objection. If agreement cannot be reached, either party may terminate the DPA and associated subscription on 30 days' written notice.


Former Subprocessors

| Subprocessor | Removed | Reason |
|---|---|---|
| Clerk (Clerk Inc.) | June 2026 | Replaced with NextAuth v5 (self-hosted, no third-party auth service) |

Contact

For questions about this subprocessor list, data processing agreements, or international data transfers:

Email: legal@heuristicworks.com
Subject: "Subprocessors — [your question]"


Heuristicworks LLC · Spring City, PA, USA · Last updated: June 2026