TMSub-Processor List & Third-Party Data Source Disclosure
Effective date: June 12, 2026
About This Document
This page discloses (1) all third-party sub-processors that Excede Inc. engages to process customer personal data in connection with the Excede Unified Platform, and (2) third-party services that customers may elect to connect to the Platform as data sources.
This list is maintained in compliance with GDPR Article 28(2) and CCPA/CPRA service-provider disclosure requirements. Customers with a signed Data Security Addendum (DSA) are entitled to object to the addition of new sub-processors with 30 days' written notice. To receive notifications of changes to this list, email privacy@excede.ai with subject "Sub-Processor Notification Request".
Section 1 — Sub-Processors (Engaged by Excede)
Infrastructure & Hosting
| Vendor | Purpose | Data Processed | HQ | DPA Status | Privacy Policy |
|---|---|---|---|---|---|
| Supabase Inc. | Database hosting, authentication, file storage, real-time subscriptions | All customer data (projects, contacts, financials, user accounts) | USA | Executed — Supabase DPA signed June 2026; EU SCCs provided | supabase.com/privacy |
| Vercel Inc. | Application hosting, serverless functions, CDN, CI/CD | Request logs, IP addresses, usage telemetry, build artifacts | USA | Executed — Vercel DPA; EU SCCs for EEA traffic | vercel.com/legal/privacy-policy |
| Amazon Web Services (AWS) | Underlying cloud infrastructure (via Supabase) | Customer data at rest and in transit | USA (us-east-1) | Executed — AWS DPA / SCCs | aws.amazon.com/privacy |
| Cloudflare Inc. | CDN, DNS proxy, DDoS protection, TLS termination | IP addresses, request metadata, all inbound traffic | USA (global network) | Executed — June 2026 | cloudflare.com/privacypolicy |
| Ottomatik | Database backup automation | Full database backup — all personal data stored in Supabase (excluding regenerable AI embedding tables per backup configuration) | USA | Executed — June 2026 | ottomatik.io/privacy |
Code Repository & Security
| Vendor | Purpose | Data Processed | HQ | DPA Status | Privacy Policy |
|---|---|---|---|---|---|
| GitHub (Microsoft) | Primary source code repository, CI/CD | Source code, developer identities, commit metadata | USA | Executed — GitHub DPA / Microsoft OST | GitHub privacy statement |
| GitLab Inc. | Backup source code repository | Source code, developer identities, commit metadata | USA | Executed — June 2026 | about.gitlab.com/privacy |
| Snyk Ltd. | Security vulnerability scanning | Source code, dependency manifests | USA / UK | Executed — June 2026 | snyk.io/policies/privacy |
Monitoring, Logging & Uptime
| Vendor | Purpose | Data Processed | HQ | DPA Status | Privacy Policy |
|---|---|---|---|---|---|
| Functional Software Inc. (Sentry) | Error monitoring, performance tracking | Stack traces, request metadata, user IDs (PII scrubbing via beforeSend) | USA | Executed — June 2026 | sentry.io/privacy |
| Axiom Inc. | Application log management | Application logs — may include user IDs, IP addresses, email addresses, request parameters | USA | Executed — June 2026 | axiom.co/privacy |
| Better Stack Inc. | Uptime monitoring, incident alerting | Endpoint URLs, ping/response metadata | USA | Executed — June 2026 | betterstack.com/privacy |
Caching & Queuing
| Vendor | Purpose | Data Processed | HQ | DPA Status | Privacy Policy |
|---|---|---|---|---|---|
| Upstash Inc. | Redis — session caching, rate limiting, queuing (QStash) | Session tokens, hashed user identifiers, rate-limit keys, cached payloads | USA | Executed — verified June 2026 | upstash.com/trust/privacy.pdf |
Consent Management
| Vendor | Purpose | Data Processed | HQ | DPA Status | Privacy Policy |
|---|---|---|---|---|---|
| Cybot A/S (Cookiebot) | Cookie consent management | Consent records, visitor preferences | Denmark (EU) | Executed — June 2026 | cookiebot.com/en/privacy-policy |
Email Delivery
| Vendor | Purpose | Data Processed | HQ | DPA Status | Privacy Policy |
|---|---|---|---|---|---|
| Resend Inc. | Transactional email delivery | Recipient email addresses, message content | USA | Executed — June 2026 | resend.com/legal/privacy-policy |
Payments
| Vendor | Purpose | Data Processed | HQ | DPA Status | Privacy Policy |
|---|---|---|---|---|---|
| Stripe Inc. | Payment processing, subscription billing | Customer billing contact data, payment method data (card data held by Stripe, never stored by Excede) | USA | Executed — June 2026 | stripe.com/privacy |
Productivity & Business Operations
| Vendor | Purpose | Data Processed | HQ | DPA Status | Privacy Policy |
|---|---|---|---|---|---|
| Google LLC (Google Workspace) | Email, document collaboration, support communications | Customer contact data and support correspondence that transits Excede’s Workspace | USA | Executed — June 2026 | policies.google.com/privacy |
AI / ML Processing
| Vendor | Purpose | Data Processed | HQ | DPA Status | Privacy Policy |
|---|---|---|---|---|---|
| Google LLC (Vertex AI / Gemini) | AI model inference for platform features (lead scoring, content generation) | Prompt inputs which may include contact and project data | USA | Executed — June 2026 | cloud.google.com/terms/data-processing-addendum |
Section 2 — Internal Vendors (Excede as Controller)
These vendors process Excede's own business records (in which Excede acts as data controller). They do not process customer platform data and are tracked in the internal Vendor Register rather than as sub-processors.
| Vendor | Purpose | Data Processed | HQ | Privacy Policy |
|---|---|---|---|---|
| Intuit Inc. (QuickBooks Online) | Excede corporate accounting and invoicing | Excede financial records; customer billing contact details on invoices | USA | intuit.com/privacy |
Section 3 — Tenant-Authorized Data Sources
The Excede Platform allows Customers to connect third-party business systems as data sources. These services are selected, connected, and authorized by the Customer via OAuth or API credentials. They are governed by the Customer's own agreements with the respective providers and are not sub-processors of Excede. Excede accesses these systems solely on the Customer's documented instructions to provide the Services.
Security controls applied by Excede to tenant integrations: OAuth tokens and API credentials are encrypted at rest in dedicated encrypted columns; permissions and OAuth scopes are limited to the product features the Customer enables (broader vendor permissions may require Customer admin consent); credentials are used server-side only; stored credentials are cleared when an integration is disconnected, with vendor-side OAuth revocation attempted where supported, and integration credential records are removed when a Customer workspace is deleted.
| Service | Typical Data Accessed | Connection Method |
|---|---|---|
| Microsoft 365 (Graph API) | Email, calendar, user directory | Customer-authorized OAuth |
| Zoho Corporation (Zoho Books / CRM) | Financial data, invoices, vendor records | Customer-authorized OAuth |
| Intuit QuickBooks Online (customer instance) | Financial data, invoices | Customer-authorized OAuth |
| BambooHR LLC | Employee roster, roles, employment data | Customer-authorized API key |
| Cake.com Inc. (Clockify) | Time entries, project codes | Customer-authorized API key |
| Toggl OÜ (Toggl Track) | Time entries, project codes | Customer-authorized API key |
Customer responsibility: Customer represents and warrants that it has all rights, consents, and authority necessary to connect third-party integrations to the Service. See DSA Section 3 (Customer Compliance Obligations).
Change Notification
Excede will provide 30 days' written notice (via email to subscribed customers) before adding any new sub-processor in Section 1. Changes to Section 3 reflect platform capability additions and do not require notice, as connection of any data source is at the Customer's sole election.
Document history: v1.1 — Clarified tenant integration security controls; v1.0 — Initial release.