Sub-processors
Service providers acting on our instructions under written data protection terms.
Last updated: 16 May 2026
The processors below act under our instructions and under written data-protection terms. "Scope" indicates whether the processor handles the desktop app, the marketing site, or both.
Auth0 / Okta
app + landingAuthentication and identity management
Data: Email, user ID, access tokens
Location: United States
Transfer mechanism: EU-US Data Privacy Framework (Okta certified) and SCCs Module 2
Stripe
app + landing checkout flowBilling, subscription management, and fraud prevention
Data: Email, limited billing details, transaction IDs
Location: United States
Transfer mechanism: SCCs Module 2 (and DPF where certified)
OpenAI
appLLM inference for AI sorting, entity extraction, and chat
Data: Filenames, folder paths, prompts, and (only with content sorting enabled) extracted text
Location: United States
Transfer mechanism: SCCs Module 2
Anthropic
Optional (BYOK)appLLM inference when selected via Bring-Your-Own-Key
Data: Filenames, folder paths, prompts, and (only with content sorting enabled) extracted text
Location: United States
Transfer mechanism: SCCs Module 2
Postmark
appTransactional email delivery
Data: Email address, message content
Location: United States
Transfer mechanism: SCCs Module 2
Sentry
app + landingError monitoring and crash diagnostics
Data: App version, platform, stack traces, error context, timestamps
Location: United States (with EU region available)
Transfer mechanism: SCCs Module 2
Neon (Postgres hosting)
appManaged Postgres for application data
Data: Account data, sorting metadata, classifier prompts (30-day window)
Location: United States (primary region)
Transfer mechanism: SCCs Module 2
Google Cloud Run (compute)
appCompute hosting for Sortio API services
Data: All service-side data processed by our API
Location: United States (us-east1)
Transfer mechanism: EU-US Data Privacy Framework (Google certified) and SCCs Module 2
Cloudinary
If usedlandingMedia hosting and delivery (testimonials, marketing imagery)
Data: Uploaded media assets
Location: United States
Transfer mechanism: SCCs Module 2
Microsoft Clarity
landingSession analytics (clicks, scrolls, replays) on the marketing site
Data: Anonymized pointer events, page-render snapshots; loads only with analytics consent
Location: United States
Transfer mechanism: EU-US Data Privacy Framework (Microsoft certified) and SCCs Module 2
Google Analytics 4
landingWeb analytics on the marketing site
Data: Page views, IP address (truncated), device and browser metadata; loads only with analytics consent
Location: United States
Transfer mechanism: EU-US Data Privacy Framework (Google certified) and SCCs Module 2
Vercel
landingLanding site hosting plus Analytics and Speed Insights
Data: Edge logs, page views, Core Web Vitals; analytics products load only with analytics consent
Location: United States (Edge presence worldwide)
Transfer mechanism: SCCs Module 2
Rewardful
landing + checkoutAffiliate referral tracking
Data: Referral codes, anonymized click identifiers; loads only with marketing consent
Location: United States
Transfer mechanism: SCCs Module 2
International transfers. For transfers of EEA, Swiss, or UK personal data to the United States or other third countries, we rely on the EU-US Data Privacy Framework (and its UK and Swiss extensions) where the processor is certified, and Standard Contractual Clauses (Module 2, Controller to Processor) in all other cases, with supplementary measures described in our DPA.
Notification of changes. We give at least 30 days' notice before adding or replacing a sub-processor by updating this page. Subscribe to changes by emailing marcus@getsortio.com.
Questions about a specific processor or our data protection practices? Email marcus@getsortio.com.