To deliver ReplyLabs, we engage trusted third-party providers ("subprocessors") to process customer data on our behalf. This page lists every subprocessor we currently use, what they do, what data they receive, and where they process it. We update this list as subprocessors change.
A short summary of the most-relevant subprocessors also appears in our Privacy Policy. This page is the canonical comprehensive list.
Recent changes
- 2026-05-18. Replaced the previous third-party job queue with self-managed workflow orchestration running on Hetzner cloud infrastructure in the European Union (Falkenstein, Germany). Added web scraping providers (Jina and Firecrawl) as first-class subprocessors. Clarified the AI provider list and how bring-your-own-key (BYOK) affects the processing relationship.
Infrastructure
| Provider | Role | Data processed | Region |
|---|---|---|---|
| Supabase | Primary database, authentication, file storage | Account data, organization data, batch metadata, encrypted bring-your-own-key (BYOK) credentials | EU (London, UK) |
| Vercel | Application hosting, request routing | All API and dashboard requests, server logs | Global edge (request-routed) |
| Hetzner Cloud | Compute for workflow orchestration | Batch row content in transit during processing. Not retained on this layer. | EU (Falkenstein, Germany) |
| Upstash | Rate limiting (Redis) | IP addresses and request identifiers (transient, for abuse prevention) | Global edge |
Workflow processing
Multi-step pipelines (AI prompts, web scraping, email verification, and any custom step you define) run on the Hetzner compute layer listed above. Row content is read from your spreadsheet, passed step-to-step in memory, and results are written back to your sheet. We persist a working copy of input and output content in our database for a limited window (see the Privacy Policy for retention details) so that retries, refunds, and support requests can be handled accurately; that copy is purged on the published schedule.
Payments
| Provider | Role | Data processed | Region |
|---|---|---|---|
| Stripe | Subscription billing, payment processing, prepaid balance recharges | Billing details and payment metadata. We never see or store full card numbers. | US (Stripe Inc.) and EU (Stripe Payments Europe Ltd.) |
Email and notifications
| Provider | Role | Data processed | Region |
|---|---|---|---|
| Resend | Transactional email (signup confirmation, password reset, batch completion, billing receipts, balance alerts) | Email address, message metadata | US |
| LogSnag | Internal operational notifications to the ReplyLabs team (signups, errors, revenue, consent decisions) | Event metadata, user identifiers (email, plan) | EU |
AI providers
When you run an AI step, the prompt content is routed to the model provider you selected. ReplyLabs sends every AI request with a per-request flag instructing the provider not to use your content to train or improve their models, in line with our Google™ Limited Use commitment.
The active provider list below covers the models we surface in the sidebar by default. Additional providers may be available through bring-your-own-key (BYOK). When you bring your own key, the call to the provider happens under your account and contract with them, not ours.
| Provider | Role | Data processed | Region |
|---|---|---|---|
| OpenAI | AI model inference (GPT family) | Prompt content, response metadata | US |
| Anthropic | AI model inference (Claude family) | Prompt content, response metadata | US |
| Google™ (Gemini) | AI model inference | Prompt content, response metadata | US / EU |
| Mistral | AI model inference | Prompt content, response metadata | EU |
| OpenRouter | Public model catalog sync (we fetch the list of available models; no customer prompt content is sent) | No customer data, public metadata only | US |
Web scraping
When you run a Scrape step, the URLs you provide are sent to a scraping provider, which fetches and returns the page content. We currently use:
| Provider | Role | Data processed | Region |
|---|---|---|---|
| Jina AI | Primary web scraping provider (page text extraction) | URL, fetched page content, request metadata | EU (operator entity) |
| Firecrawl | Web scraping provider (JavaScript-rendered pages, fallback) | URL, fetched page content, request metadata | US |
On the Scale plan you may bring your own keys for these providers, in which case the request runs under your own provider account.
Email verification
| Provider | Role | Data processed | Region |
|---|---|---|---|
| No2Bounce | Email deliverability verification | Email addresses being verified, verification result | EU |
Analytics and observability
| Provider | Role | Data processed | Region |
|---|---|---|---|
| PostHog | Product analytics (the client-side SDK is loaded only after you accept the cookie banner) | Pageviews, feature usage, anonymous identifiers; once signed in, also email and plan | US |
| Sentry | Application error reporting (no session replay, no personal identifiers, secrets redacted) | Stack traces, error breadcrumbs | US |
| Better Stack | Uptime monitoring and log aggregation | HTTP request metadata and server log lines | EU |
Customer relationship
| Provider | Role | Data processed | Region |
|---|---|---|---|
| HubSpot | Internal customer relationship management. No HubSpot tracking script runs on the marketing site. | Customer contact details, account metadata, plan, usage metrics | EU |
| Slack | Internal team workspace. Receives operational alerts and a notification when a paid plan is activated. | Company name, owner email (paid plans only) | US |
Bring-your-own-key (BYOK) note
When you bring your own API key for a provider (AI on Pro and Scale; AI, scraping, and verification on Scale), the request to that provider is made under youraccount and your contract with the provider. ReplyLabs orchestrates the request and logs operational metadata such as model, token counts, latency, and cost class, but does not log the content of your prompt or the provider's response. The provider, not ReplyLabs, is the controller for that specific call. Your key itself is stored encrypted at rest and is never exposed to other teammates or to provider-side training pipelines.
Changes to subprocessors
We will update this list as subprocessors change. The "Last updated" date at the top of this page reflects the most recent revision. If you need advance notice of subprocessor changes for compliance reasons, email hello@replylabs.io and we will add you to a notification list.
Need a Data Processing Addendum (DPA)? Email hello@replylabs.io. We provide a DPA on request and can sign your standard DPA where reasonable.