ReplyLabs
FeaturesPricingCompareFAQUse casesBlogHelpSetup
Sign inInstall
Install

Product

  • Install
  • Features
  • Pricing
  • Compare
  • Roadmap

Resources

  • Use cases
  • Blog
  • Glossary
  • Cost calculator

Support

  • Setup Guide
  • Help Center
  • Contact Support
  • Report an Issue
  • Feature Requests

Company

  • Opt Out of Testing

Legal

  • Privacy Policy
  • Terms of Service
  • Cookie list
  • Subprocessors

Empra Consultancy LTD
hello@replylabs.io

ReplyLabs|PrivacyTermsCookiesSubprocessors

© 2026 Empra Consultancy LTD. All rights reserved.

Subprocessors

Subprocessors

Last updated May 18, 2026

Contents
  1. Recent changes
  2. Infrastructure
  3. Flow processing
  4. Payments
  5. Email and notifications
  6. AI providers
  7. Web scraping
  8. Email verification
  9. Analytics and observability
  10. Customer relationship
  11. Bring-your-own-key (BYOK) note
  12. Changes to subprocessors

To deliver ReplyLabs, we engage trusted third-party providers ("subprocessors") to process customer data on our behalf. This page lists every subprocessor we currently use, what they do, what data they receive, and where they process it. We update this list as subprocessors change.

A short summary of the most-relevant subprocessors also appears in our Privacy Policy. This page is the canonical comprehensive list.

Recent changes

  • 2026-05-18. Replaced the previous third-party job queue with self-managed workflow orchestration running on Hetzner cloud infrastructure in the European Union (Falkenstein, Germany). Added web scraping providers (Jina and Firecrawl) as first-class subprocessors. Clarified the AI provider list and how bring-your-own-key (BYOK) affects the processing relationship.

Infrastructure

ProviderRoleData processedRegion
SupabasePrimary database, authentication, file storageAccount data, organization data, batch metadata, encrypted bring-your-own-key (BYOK) credentialsEU (London, UK)
VercelApplication hosting, request routingAll API and dashboard requests, server logsGlobal edge (request-routed)
Hetzner CloudCompute for workflow orchestrationBatch row content in transit during processing. Not retained on this layer.EU (Falkenstein, Germany)
UpstashRate limiting (Redis)IP addresses and request identifiers (transient, for abuse prevention)Global edge

Flow processing

Multi-step Flows (AI prompts, web scraping, email verification, and any custom step you define) run on the Hetzner compute layer listed above. Row content is read from your spreadsheet, passed step-to-step in memory, and results are written back to your sheet. We persist a working copy of input and output content in our database for a limited window (see the Privacy Policy for retention details) so that retries, refunds, and support requests can be handled accurately; that copy is purged on the published schedule.

Payments

ProviderRoleData processedRegion
StripeSubscription billing, payment processing, prepaid balance rechargesBilling details and payment metadata. We never see or store full card numbers.US (Stripe Inc.) and EU (Stripe Payments Europe Ltd.)

Email and notifications

ProviderRoleData processedRegion
ResendTransactional email (signup confirmation, password reset, batch completion, billing receipts, balance alerts)Email address, message metadataUS
LogSnagInternal operational notifications to the ReplyLabs team (signups, errors, revenue, consent decisions)Event metadata, user identifiers (email, plan)EU

AI providers

When you run an AI step, the prompt content is routed to the model provider you selected. ReplyLabs sends every AI request with a per-request flag instructing the provider not to use your content to train or improve their models, in line with our Google™ Limited Use commitment.

The active provider list below covers the models we surface in the sidebar by default. Additional providers may be available through bring-your-own-key (BYOK). When you bring your own key, the call to the provider happens under your account and contract with them, not ours.

ProviderRoleData processedRegion
OpenAIAI model inference (GPT family)Prompt content, response metadataUS
AnthropicAI model inference (Claude family)Prompt content, response metadataUS
Google™ (Gemini)AI model inferencePrompt content, response metadataUS / EU
MistralAI model inferencePrompt content, response metadataEU
OpenRouterPublic model catalog sync (we fetch the list of available models; no customer prompt content is sent)No customer data, public metadata onlyUS

Web scraping

When you run a Scrape step, the URLs you provide are sent to a scraping provider, which fetches and returns the page content. We currently use:

ProviderRoleData processedRegion
Jina AIPrimary web scraping provider (page text extraction)URL, fetched page content, request metadataEU (operator entity)
FirecrawlWeb scraping provider (JavaScript-rendered pages, fallback)URL, fetched page content, request metadataUS

On the Scale plan you may bring your own keys for these providers, in which case the request runs under your own provider account.

Email verification

ProviderRoleData processedRegion
No2BounceEmail deliverability verificationEmail addresses being verified, verification resultEU

Analytics and observability

ProviderRoleData processedRegion
PostHogProduct analytics (the client-side SDK is loaded only after you accept the cookie banner)Pageviews, feature usage, anonymous identifiers; once signed in, also email and planUS
SentryApplication error reporting (no session replay, no personal identifiers, secrets redacted)Stack traces, error breadcrumbsUS
Better StackUptime monitoring and log aggregationHTTP request metadata and server log linesEU

Customer relationship

ProviderRoleData processedRegion
HubSpotInternal customer relationship management. No HubSpot tracking script runs on the marketing site.Customer contact details, account metadata, plan, usage metricsEU
SlackInternal team workspace. Receives operational alerts and a notification when a paid plan is activated.Company name, owner email (paid plans only)US

Bring-your-own-key (BYOK) note

When you bring your own API key for a provider (AI on Pro and Scale; AI, scraping, and verification on Scale), the request to that provider is made under youraccount and your contract with the provider. ReplyLabs orchestrates the request and logs operational metadata such as model, token counts, latency, and cost class, but does not log the content of your prompt or the provider's response. The provider, not ReplyLabs, is the controller for that specific call. Your key itself is stored encrypted at rest and is never exposed to other teammates or to provider-side training pipelines.

Changes to subprocessors

We will update this list as subprocessors change. The "Last updated" date at the top of this page reflects the most recent revision. If you need advance notice of subprocessor changes for compliance reasons, email hello@replylabs.io and we will add you to a notification list.

Need a Data Processing Addendum (DPA)? Email hello@replylabs.io. We provide a DPA on request and can sign your standard DPA where reasonable.

Questions?

Email us at hello@replylabs.io. We respond within 24 hours.

Email Us