Trust
Procurement-grade transparency for B2B SMB buyers. Last updated 2026-05-22.
Sub-processors
Per FR-COMPLIANCE-SUBPROCESSORS, the third parties below process customer data on our behalf. Updated on each new vendor introduction.
| Vendor | Purpose | Region | Legal basis |
|---|---|---|---|
| Anthropic | LLM inference (primary) | US, no EU-only routing for free tier | DPA + Standard Contractual Clauses |
| OpenAI | LLM inference (failover via CF AI Gateway) | US | DPA + SCCs |
| Cloudflare | WAF, Turnstile, R2 storage, AI Gateway | EU edge | DPA + SCCs |
| Neon | Postgres database (Databricks) | EU (Frankfurt) | DPA |
| Vercel | Compute + edge hosting | EU (fra1/cdg1) | DPA + SCCs |
| Sentry | Error tracking | EU Data Region | DPA |
| PostHog | Product analytics + session replay | EU Cloud | Signed DPA pre-launch |
| Clerk | Authentication | EU residency available | DPA + SCCs |
| Resend | Transactional + lifecycle email | US (SCCs + EU-US DPF) | DPA |
| Cal.com | Calendar bookings | EU-compatible | DPA |
| Attio | CRM | EU-compatible | DPA |
| Stripe | Payments | EU residency | DPA |
| Upstash | Redis rate-limit store | EU region | DPA |
Data residency
Application compute and primary datastores run in the EU (Vercel fra1/cdg1; Neon Frankfurt; Cloudflare EU edge; Upstash EU; Sentry EU Data Region; PostHog EU Cloud). Email delivery via Resend is US-stored, covered by SCCs + the EU-US Data Privacy Framework per FR-COMPLIANCE-EMAIL-RESIDENCY. LLM inference (Anthropic primary, OpenAI failover via Cloudflare AI Gateway) is US-processed and covered by DPAs + SCCs.
Encryption at rest
All persisted customer artifacts (Postgres rows in Neon, object storage in Cloudflare R2, ephemeral cache/rate-limit state in Upstash Redis) are encrypted at rest by the underlying provider. Transit is TLS 1.3 end-to-end across the Cloudflare → Vercel → datastore path.
Data deletion SLA
5-minute self-serve target (NFR-COMP-1); 30-day hard SLA (NFR-COMP-2).
Data Processing Agreement
Request a DPA at legal@welaunch.dev. Standard GDPR Article 28 terms, SCCs included for any non-EU transfers.
SOC 2 status
SOC 2 Type I planned Q3-Q4 2026; Type II target Year 2.
Vulnerability disclosure
Report a vulnerability via our security.txt at /.well-known/security.txt. Contact: security@welaunch.dev.
Accessibility
See our Accessibility statement (EAA Art. 13).