Sub-processors
Last updated 2026-05-22
Unwarp uses the following sub-processors to deliver the service. Each receives only the data needed for the function it provides. This page is the canonical, dated list referenced from our privacy notice and from our Data Processing Addendum for B2B customers.
Current sub-processors
| Processor | Role | Region | Data shared | Transfer mechanism |
|---|---|---|---|---|
| Supabase | Managed Postgres, Auth, object storage | EU (Frankfurt) | All persistent data: notes, transcripts, profile, embeddings, memory, dictionary, audit log, billing, push tokens | In-EU; no third-country transfer |
| AssemblyAI | Primary speech-to-text (streaming + pre-recorded, speaker diarisation) | United States | Raw audio (deleted on our side within one hour) | SCCs (2021/914) via AssemblyAI DPA; supplementary measure: hourly purge |
| Groq | Speech-to-text fallback (Whisper Large v3) | United States | Raw audio (deleted on our side within one hour); used only when AssemblyAI fails | SCCs via Groq Terms; supplementary measure: hourly purge |
| Anthropic | Claude models for note cleanup, chat, reorganisation, meeting summarisation | United States | Note transcripts, personal memory blob, workspace memory, conversational context | SCCs via Anthropic Commercial Terms / DPA |
| OpenAI | Embeddings (text-embedding-3-small), TTS (tts-1) | United States | Note text chunks for embedding, note text for text-to-speech | SCCs via OpenAI API DPA |
| Resend | Transactional email (magic-link, welcome, deletion, invitations) | United States / EU | Recipient email address, recipient display name, message body | SCCs via Resend DPA |
| Google Firebase Cloud Messaging | Android push notifications (digest) | United States | Device push token (opaque), notification payload (digest summary text) | EU–US Data Privacy Framework + SCCs |
| Apple Push Notification Service | iOS push notifications (digest) | United States | Device push token (opaque), notification payload (digest summary text) | SCCs via Apple Developer Program Licence Agreement |
| Google OAuth | Optional sign-in provider | United States | Google account email + display name (only if the user chooses Google sign-in) | EU–US Data Privacy Framework |
| Stripe | Payment processor (paid subscriptions) | Ireland (EU) / United States | Payer name, billing address, card data (held by Stripe, never by Unwarp) | EU controller; SCCs apply to any onward US transfers within Stripe |
| Let's Encrypt | TLS certificate issuance | EU | Domain name, contact email for renewal notices | In-EU |
User-selected sub-processors (MCP)
If you connect an external AI host to your Unwarp account via the Model Context Protocol endpoint (Claude, ChatGPT, Cursor, or any other MCP-capable client), that host becomes a sub-processor of your choosing. You can review and revoke connected hosts at any time from /you/connections. Connecting an MCP host shares the same data the host can read through its granted scope — by default that includes your notes, action items, events, and meetings. Read-only scopes are available; see the consent screen when connecting.
Changes
Material changes to this list are announced 30 days in advance for Unwarp Team customers under a signed DPA, by email to the workspace owner. For Unwarp Personal and free-trial users, the change appears here with a bumped “Last updated” date.
DPA copies
We hold signed Data Processing Addenda (incorporating EU Standard Contractual Clauses 2021/914 where applicable) with each processor above. Unwarp Team customers can request copies through their DPA with us; data subjects can request to see the SCCs in force by writing to privacy@pentaeon.dev.