Data Use & Subprocessors
Last updated: May 27, 2026
Draft pending legal review
This document is a working draft. Final language is subject to attorney review prior to launch. Questions? Email legal@successionstack.com.
This document describes how SuccessionStack processes Customer Data and the third-party subprocessors we rely on to deliver the Service. It supplements our Privacy Policy and the Data Processing Addendum available on request.
Marketing-site subprocessors
The SuccessionStack marketing website (successionstack.com) uses a minimal set of providers:
| Subprocessor | Purpose | Data handled |
|---|---|---|
| Vercel | Hosting, CDN, analytics, performance monitoring | Page views, IP address (cookieless or hashed) |
| Resend | Transactional and nurture emails | Email address, name (if provided) |
| Cal.com | Demo booking | Email, name, company, booking time |
| CookieYes | Cookie consent management | Consent state (cookie only) |
Product-app subprocessors
The SuccessionStack product (app.successionstack.com) relies on a separate set of subprocessors:
| Subprocessor | Purpose | Region |
|---|---|---|
| Vercel | Application hosting | US East (configurable on request) |
| Supabase | Postgres database, authentication, file storage | US East default; EU available for enterprise |
| Anthropic | AI features (Copilot, What-If Narration, PDF Review) | US — input only, no training on Customer Data |
| Resend | Transactional emails (review reminders, alerts) | US |
How we handle Customer Data
- Encrypted in transit (TLS 1.2+) and at rest (AES-256).
- Isolated per tenant via row-level security in Postgres.
- AI inputs are not retained by Anthropic and are not used for model training.
- Backups are encrypted and retained for 90 days, then permanently deleted.
- Staff access requires explicit customer authorization for support tickets and is audit-logged.
Changes to subprocessors
We notify customers at least 30 days before adding or replacing a subprocessor that processes Customer Data. Customers may object on reasonable grounds.
Data Processing Addendum
Our standard DPA includes GDPR-compliant Standard Contractual Clauses. Request a copy at legal@successionstack.com. We also accept customer-supplied DPAs after legal review.