Every vendor who touches customer data, what they're used for, where they store it, and what specifically they see. Updated whenever the list changes — at least 30 days before any new vendor goes live.
Most of these are foundational infrastructure. A handful are the AI models we measure on your behalf — we use their public APIs and never embed customer data in training calls.
| Vendor | Purpose | Region | What data is shared |
|---|---|---|---|
| Cloudflare cloudflare.com | Edge compute, CDN, WAF, DDoS protection, R2 storage, D1 database, Workers KV. | Global edge | All customer requests transit the edge. Storage is U.S.-region by default. |
| OpenAI openai.com | ChatGPT API queries for consensus scoring (GPT-4, GPT-4o). | US | Generated scan queries only. No customer PII. Zero-retention header set. |
| Google AI (Gemini) ai.google.dev | Gemini API queries for consensus scoring. | US | Generated scan queries only. No customer PII. Data-not-used-for-training flag set. |
| Anthropic anthropic.com | Claude API queries for consensus scoring. | US | Generated scan queries only. No customer PII. Workspace-level retention disabled. |
| Perplexity perplexity.ai | Perplexity API queries for consensus scoring with web search. | US | Generated scan queries only. No customer PII. |
| PlanetScale planetscale.com | Primary relational database for accounts, scans, reports, billing references. | US | Account data, scan metadata, report indexes. Encrypted at rest with AES-256. |
| Stripe stripe.com | Payment processing, subscription management, invoicing. | Global | Billing email, card token, subscription state. We never see card numbers. |
| Resend resend.com | Transactional and notification email delivery. | US | Recipient email, subject, body of system-generated emails. |
| AWS S3 aws.amazon.com | Long-term cold storage for archived reports and audit logs. | US-East | Archived scan artifacts after 90 days. Encrypted with per-customer KMS keys. |
Before adding a new sub-processor, we publish a notice on this page and email customers on monitoring plans at least 30 days in advance. Enterprise customers with signed DPAs receive direct notice. If you have objections, write to privacy@misquoted.ai — we'll work with you on alternatives where feasible.