chihlasm/resolutionflow
1
0
Fork 0
Code Issues 23 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
main
resolutionflow/legal/subprocessor-list.md
Michael Chihlas 41f5519916
All checks were successful
Mirror to GitHub / mirror (push) Successful in 6s
Details
docs(legal): add baseline legal documents (privacy, ToS, DPA, subprocessors, cookies) 
Generated by the resolutionflow-legal skill from a code scan of the FastAPI
backend + React frontend on commit 0564646. Each document is a starting
point for attorney review, not legal advice.

Includes:
- privacy-policy.md, terms-of-service.md, cookie-policy.md (public-facing)
- dpa.md (contractual; signed with MSP customers)
- subprocessor-list.md (Railway, Anthropic, Voyage, Stripe, Resend, Sentry,
  PostHog, Google Fonts — confirmed live as of scan)
- data-inventory.md + classification.md (Phase 1/2 working files)
- attorney-review-checklist.md (consolidated [LEGAL REVIEW] punch list)
- implementation-verification.md (claim-by-claim audit vs. actual code)

Three blocking issues filed before public publication:
- #175 deletion-on-offboarding (or rewrite retention claims)
- #176 narrow Sentry send_default_pii + Session Replay config
- #177 EU/UK consent for PostHog + Google Fonts

Public-facing documents intentionally route physical-mail requests through
support@ rather than publishing the LLC's registered address.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-14 12:51:19 -04:00

83 lines
5.9 KiB
Markdown
Raw Permalink Blame History

# ResolutionFlow Subprocessor List
**Effective Date:** 2026-05-14
**Last Updated:** 2026-05-14
**Version:** 1.0
> **DRAFT — not legal advice.** This list reflects subprocessors active in the codebase as of the scan date. It must be kept current; new subprocessors require advance customer notice as set out in the DPA.
This page lists the third-party subprocessors that ResolutionFlow LLC uses to process Customer Data in providing the Services. Each subprocessor is bound by a data processing agreement that imposes obligations materially equivalent to those in our [Data Processing Agreement](dpa.md).
Existing customers receive at least **30 days' notice** of new subprocessors and may object on reasonable data-protection grounds as set out in the DPA.
## Infrastructure subprocessors
| Subprocessor | Service | Data categories processed | Region |
|---|---|---|---|
| Railway Corp. | Application hosting, PostgreSQL database hosting, and S3-compatible object storage for uploaded files | All account data, all Customer Data stored or processed by the Services, file uploads in the `resolutionflow-uploads` bucket | United States |
DPA: https://railway.com/legal/dpa
## AI and machine-learning subprocessors
| Subprocessor | Service | Data categories processed | Region |
|---|---|---|---|
| Anthropic, PBC | Large-language-model API (FlowPilot, chat assistant, resolution-note generation, escalation-package generation, fact synthesis, script-builder, network-diagram generation, template extraction) | Prompts submitted to AI features, which may contain Customer Data including PSA ticket content, configuration details, file content extracted from uploads, resized images supplied to multimodal features, conversation history within an AI session | United States |
| Voyage AI, Inc. | Embedding model for similarity search and retrieval-augmented features | Text excerpts from your flows, sessions, and knowledge content used to compute vector embeddings (`voyage-3.5`) | United States |
DPAs:
- Anthropic: https://www.anthropic.com/legal/commercial-dpa
- Voyage AI: contact subprocessor for current DPA `[LEGAL REVIEW: confirm Voyage AI DPA URL]`
**Important — no model training on Customer Data.** We use Anthropic's API at a commercial tier that does not train Anthropic's models on Customer Data. Voyage AI processes embedding requests transactionally. We do not authorize either subprocessor to use Customer Data for any purpose other than producing the requested response. `[LEGAL REVIEW: re-verify the no-training stance against each subprocessor's current public terms each time this list is republished]`
## Payment and billing subprocessors
| Subprocessor | Service | Data categories processed | Region |
|---|---|---|---|
| Stripe, Inc. | Payment processing and subscription billing | Customer billing contact, Stripe customer ID, payment method details (collected directly by Stripe — ResolutionFlow does not store full card numbers), subscription transactions, webhook event payloads | United States |
DPA: https://stripe.com/legal/dpa
## Communication subprocessors
| Subprocessor | Service | Data categories processed | Region |
|---|---|---|---|
| Resend | Transactional and account email delivery (account invites, password resets, email verification, billing-related messages, internal sales-lead and feedback notifications) | Recipient email addresses, message subject and body | United States |
DPA: https://resend.com/legal/dpa
## Operational subprocessors
| Subprocessor | Service | Data categories processed | Region |
|---|---|---|---|
| Functional Software, Inc. (dba Sentry) | Error monitoring, performance traces, and Session Replay | Error reports, stack traces, request metadata, user identifiers, sampled browser session replays (1% of normal sessions, 100% of sessions in which an error occurred); see implementation-verification.md for the current configuration | United States |
| PostHog, Inc. | Product analytics, autocapture, page-view tracking, and Web Vitals reporting | User identifier, account identifier (as a group), behavioral events, page paths, autocaptured DOM interactions, performance metrics | United States (`us.i.posthog.com`) |
| Google LLC | Google Fonts CDN (font assets loaded by ResolutionFlow's public website) | Visitor IP address (exposed to Google as part of font requests) | Global Google CDN |
DPAs:
- Sentry: https://sentry.io/legal/dpa/
- PostHog: https://posthog.com/dpa
- Google: Google's standard terms
`[LEGAL REVIEW: Google Fonts loaded over fonts.googleapis.com is a recurring GDPR enforcement target; consider self-hosting fonts to remove this row]`
## What is NOT a subprocessor
The following are referenced for completeness but are **not** ResolutionFlow subprocessors:
- **ConnectWise PSA** — When you connect a ConnectWise instance, ResolutionFlow retrieves data from that instance under your authorization. ConnectWise is your PSA provider, not our subprocessor. Your relationship with ConnectWise is governed by your agreement with ConnectWise.
- **DNS and domain registrars** — These providers hold ResolutionFlow's domain records but do not process Customer Data.
- **Microsoft Learn (Model Context Protocol)** — When AI features benefit from Microsoft technical documentation, ResolutionFlow's backend retrieves public Microsoft Learn content. No Customer Data is sent to Microsoft as part of this lookup; only the search query string formed from the AI session is sent.
- **Customer-side integrations** that you connect to ResolutionFlow are governed by your agreements with those third parties.
## Changes to this list
We update this list when we add, remove, or materially change subprocessors. We notify existing customers of new subprocessors as set out in the DPA. The "Effective Date" above reflects the most recent change.
Historical versions are available on request from support@resolutionflow.com.
## Questions
Questions about subprocessors? Contact **support@resolutionflow.com**.
Reference in New Issue View Git Blame Copy Permalink