Legal

Subprocessors

Last updated April 17, 2026

UpDoc engages the following subprocessors to deliver Hiyer. Each is selected for its security posture and is bound by a Data Processing Addendum or equivalent. We update this list before onboarding a new subprocessor; see Section 4 of our Data Processing Addendum for the notice mechanism.

Current subprocessors

Supabase, Inc.
SOC 2 Type II, HIPAA Business Associate (not used by Hiyer)
Purpose: Managed Postgres (primary data store), authentication, row-level security.
Data: All Customer Data in the application database: orgs, memberships, cohorts, cycles, PINs (bcrypt-hashed), responses (no user_id), benchmarks, alerts, invites, audit log.
Region: United States (us-east-1)
Retention: Retained for the lifetime of the subscription. On account deletion, removed within 90 days except for backups, audit log, and billing records.

Stripe, Inc.
PCI-DSS Level 1, SOC 1 Type II, SOC 2 Type II
Purpose: Subscription billing, invoicing, payment method vaulting.
Data: Billing contact, company name, payment card details (vaulted at Stripe, never stored by Hiyer), invoices.
Region: United States
Retention: Per Stripe policy; at least 7 years for tax and audit. Hiyer retains only the Stripe customer and subscription IDs linking back.

Postmark (Wildbit, LLC, a subsidiary of ActiveCampaign)
SOC 2 Type II, HIPAA-ready (not used by Hiyer)
Purpose: Transactional email delivery.
Data: Recipient email addresses and the content of sign-in links, welcome emails, survey invitations (on Customer's behalf), at-risk alert notifications, cycle-close summaries.
Region: United States
Retention: 45 days of delivery logs, then automatically purged.

Anthropic, PBC
SOC 2 Type II
Purpose: Large-language-model inference for the UpDoc AI narrative insights on Signal and Enterprise plans.
Data: Aggregate dimension scores, at-risk rule breaches, and benchmark medians included in the prompt context. No individual response rows, no email addresses, no names, no free-text comments.
Region: United States
Retention: Zero retention of API inputs or outputs beyond the request lifecycle. Anthropic does not train its models on API data by policy.

Vercel, Inc.
SOC 2 Type II, ISO 27001, HIPAA-ready (not used by Hiyer)
Purpose: Web hosting, edge routing, build and deploy pipeline.
Data: Request metadata (URL, method, status, duration, region) and build logs. Request bodies and responses are NOT written to Vercel logs by Hiyer's application code.
Region: United States (iad1, North Virginia)
Retention: 30 days of function and build logs.

What each one actually sees

The distinction matters for enterprise review: Hiyer is not a system that pipes the same customer data to every subprocessor. Supabase is the primary data store. Stripe sees billing only. Postmark sees email subject and body at send time and nothing thereafter. Anthropic sees an aggregated prompt context, not individual responses. Vercel sees routing metadata, not request bodies.

If a subprocessor is removed from this list, any data they previously processed on our behalf is deleted per their contract within 90 days, subject to legal-hold exceptions.

How we notify you of changes

For material changes to this list (adding a new subprocessor with access to Customer Data that a prior subprocessor did not have, or changing the region of processing), UpDoc will post the change here and email active owners at least 14 days before the change takes effect. Customers on Enterprise plans may object under Section 4 of the Data Processing Addendum.