Subprocessors

Last updated: 2026-03-04

AuraMetrics.io uses the following subprocessors to provide the service. All comply with the GDPR and have their own Data Processing Agreements (DPA). If a new subprocessor is added, this page will be updated at least 30 days in advance.

Subprocessor	Purpose	Data processed	Location	Compliance
Supabase Inc.DPA ↗	Database, authentication, storage	Email, name, audit data, history	United States (AWS us-east-1)	SOC 2 Type IIGDPRHIPAA
Vercel Inc.DPA ↗	Hosting, edge network, deployment	IP address, HTTP headers, access logs	Global (edge), United States (origin)	SOC 2 Type IIGDPRISO 27001
Google LLCDPA ↗	OAuth (authentication), Google Analytics 4 API (read-only)	Email, name, profile photo, access tokens, GA4 data (transient)	United States	SOC 2SOC 3ISO 27001ISO 27017ISO 27018GDPR
OpenAI Inc.DPA ↗	Natural language processing for audit modules	Analyzed web page content, audit prompts (no user personal data)	United States	SOC 2 Type IIGDPRCCPA
PayPal Inc.DPA ↗	Payment and subscription processing	PayPal email, transaction data (we don't store card data)	United States / Luxembourg (EU)	PCI DSS Level 1SOC 1 & 2GDPR
CookieYes Ltd.DPA ↗	Cookie consent management (CMP)	Consent preferences, IP address (anonymized)	United Kingdom	GDPRCCPAIAB TCF v2.2
Anthropic PBCDPA ↗	AI assistant in the dashboard (Aura)	User messages, aggregated audit scores (no personal data)	United States	SOC 2 Type IIGDPRCCPA
Resend Inc.DPA ↗	Transactional email delivery	Email address, email content	United States	SOC 2 Type IIGDPR
Google Tag ManagerDPA ↗	Tag and analytics script management	Page events, navigation data (anonymizable)	United States	SOC 2ISO 27001GDPR

Change notification

We will update this page at least 30 days in advance before adding a new subprocessor. If you have objections about a new subprocessor, you can contact us at hello@aurametrics.io within 30 days of the notification.

← Back to DPA