Sub-processorsUpdated 2026 · 05 · 01

Sub-processors.

The companies we hand parts of the job to, and what each of them does. Plain version, then the legal-careful version, then the table.

The plain version.

We don’t run our own payments processor, our own email server, our own analytics pipeline, or our own datacenters. We use a small number of vetted companies for those jobs. Each one only sees the data it needs to do its part. None of them sell your data. None of them train models on it. If we add or change one, we tell customers thirty days in advance.

The legal-careful version.

The companies listed below are sub-processors of personal data within the meaning of GDPR Art. 28 and equivalent provisions under UK GDPR and the CCPA/CPRA. Each is bound by a written data-processing agreement that requires confidentiality, security measures appropriate to the data, restrictions on onward transfers, and assistance with data-subject requests. Cross-border transfers are made under Standard Contractual Clauses and, where the recipient is certified, the EU–US Data Privacy Framework and the UK Extension. Customers will receive 30 days’ email notice before any addition or replacement to this list, and may object in writing within that window.

Current list.

Name Purpose Location Transfer mechanism Link
Stripe Billing and payment processing United States SCCs and EU–US DPF (incl. UK Extension) stripe.com/privacy
Postmark Transactional email (account, billing, enquiry replies) United States SCCs and EU–US DPF (incl. UK Extension) postmarkapp.com/privacy-policy
Plausible Privacy-respecting website analytics (no cookies, aggregate) European Union No transfer mechanism required for EU/UK personal data plausible.io/privacy
Vercel Website and application hosting, edge delivery Global (regional edge) SCCs and EU–US DPF (incl. UK Extension) vercel.com/legal/privacy-policy
ConvertKit Email broadcasts — planned, not yet active United States SCCs and EU–US DPF (will apply when activated) convertkit.com/privacy
Model providers Inference for the agents inside the product — to be listed when wired

How we choose them.

Three criteria. They have to be appropriate for the job (a payments processor for payments, not a general-purpose database). They have to have a serious privacy posture (a published DPA, named DPO or equivalent contact, a track record we can read). And they have to allow us to leave on reasonable notice with our data intact. If a vendor stops meeting any of these, we replace them and notify customers.

Notice of change.

Customers receive 30 days’ email notice before any addition, removal, or replacement on this list. Material changes to a vendor’s role — for example, a category of data they newly receive — trigger the same notice. Objections in writing within the window are addressed individually; if we cannot resolve an objection, the customer may terminate without penalty for the affected portion of the service.

— Bristlecone. Last updated 2026 · 05 · 01.

Back

Back to Bristlecone.

Home