Sub-processors

[DRAFT — confirm before publishing] The list below is verified from our codebase. The exact contracting legal entity and data region for each [NEEDS MATTHEW] before this is published.

Sub-processor	Purpose	Data processed
Vercel	Application hosting / serverless compute + product analytics	All application data in transit; aggregate usage/page-view analytics
MongoDB Atlas	Primary database (system of record for all application data)	All application data at rest — account, business records, customer PII (identity fields encrypted at rest)
Stripe	Payment processing (subscriptions + Connect)	Billing contact + payment details (card data tokenized by Stripe; never stored by ThothOS)
OpenAI	AI/LLM provider for in-app AI features	Prompt / conversation content submitted to AI features
Mailgun	Transactional & customer-facing email delivery	Recipient email addresses + email message content
Twilio	SMS phone-number verification (Twilio Verify)	Phone numbers + one-time SMS verification codes
EasyPost	Shipping rates, labels, and tracking	Shipping / recipient addresses + parcel details
Cloudflare (R2 + Images)	Audit-log archive storage + tenant image hosting/CDN	Audit-log archive files (R2) + uploaded images (Images/CDN)

Optional, customer-enabled integrations

These process data only if a customer explicitly connects them: calendar sync via Google, Microsoft, or Apple (OAuth — the customer authorizes their own account), and Google Analytics if a tenant configures a measurement ID. They are off unless enabled.

See our DPA and Privacy Policy.

Sub-processors

[DRAFT — confirm before publishing] The list below is verified from our codebase. The exact contracting legal entity and data region for each [NEEDS MATTHEW] before this is published.

Sub-processor	Purpose	Data processed
Vercel	Application hosting / serverless compute + product analytics	All application data in transit; aggregate usage/page-view analytics
MongoDB Atlas	Primary database (system of record for all application data)	All application data at rest — account, business records, customer PII (identity fields encrypted at rest)
Stripe	Payment processing (subscriptions + Connect)	Billing contact + payment details (card data tokenized by Stripe; never stored by ThothOS)
OpenAI	AI/LLM provider for in-app AI features	Prompt / conversation content submitted to AI features
Mailgun	Transactional & customer-facing email delivery	Recipient email addresses + email message content
Twilio	SMS phone-number verification (Twilio Verify)	Phone numbers + one-time SMS verification codes
EasyPost	Shipping rates, labels, and tracking	Shipping / recipient addresses + parcel details
Cloudflare (R2 + Images)	Audit-log archive storage + tenant image hosting/CDN	Audit-log archive files (R2) + uploaded images (Images/CDN)

Optional, customer-enabled integrations

See our DPA and Privacy Policy.