Subprocessors

A subprocessor is a third party that wrxstack engages to process personal data on our behalf in order to provide Folio. We use subprocessors only as needed to host, store, secure, monitor, support, and deliver the service.

This draft list applies to the Folio platform by wrxstack and supplements the Privacy Policy and the Data Processing Addendum. It is inferred from the current infrastructure configuration and must be reviewed and approved before it is treated as the live list.

• We do not sell personal data and we limit provider use to the purposes listed here.
• Final regions, entities, and transfer mechanisms must be confirmed by counsel for each enterprise customer.

These providers run the application, the primary database, scheduled jobs, and the edge that routes traffic.

• Render: application hosting, managed PostgreSQL database, supporting services, and scheduled jobs. Purpose: run and persist the platform. Data: all platform data classes. Region: United States (Oregon).
• Render PostgreSQL: managed relational database for account, tenant, portfolio, and operational data. Purpose: primary data store. Data: account, portfolio, upload metadata, audit, and usage data. Region: United States (Oregon).
• Cloudflare: DNS, content delivery network, web application firewall, and custom-domain routing. Purpose: delivery, security, and routing. Data: request metadata and network signals. Region: global edge.

These providers send service, notification, and support email. The active provider is selected by configuration, and the list reflects the supported options.

• AWS SES: transactional and notification email delivery. Purpose: send service email. Data: recipient email address, message content, and delivery status. Region: United States (us-east-1).
• Brevo: optional email delivery provider in the fallback chain. Purpose: send service email. Data: recipient email address, message content, and delivery status. Region: European Union.
• MailerSend: optional email delivery provider in the fallback chain. Purpose: send service email. Data: recipient email address, message content, and delivery status. Region: United States or European Union per account.

AI generation is optional. When a user invokes it, the selected source material is sent to the configured AI provider only to return a structured portfolio draft. The available providers depend on configuration.

• Anthropic: AI generation from user-provided source material. Purpose: produce portfolio drafts. Data: pasted text, uploaded resume text, and prompts the user submits. Region: United States.
• OpenAI: optional AI generation provider. Purpose: produce portfolio drafts. Data: user-submitted source material and prompts. Region: United States.
• Google (Gemini): optional AI generation provider. Purpose: produce portfolio drafts. Data: user-submitted source material and prompts. Region: United States.

These providers store uploaded media, processed artifacts, and exports. The active provider is selected by configuration.

• Cloudflare R2: object storage for uploaded media, thumbnails, and generated artifacts. Purpose: store and serve user files. Data: uploaded images, audio, video, documents, and PDF exports. Region: configurable, defaults to automatic placement.
• Google Cloud Storage: optional object storage provider. Purpose: store and serve user files. Data: uploaded media and generated artifacts. Region: per configured bucket location.

These providers support aggregate analytics, error tracking, and uptime monitoring. Analytics tools load only after a visitor allows the analytics category.

• Google Analytics 4 and Google Tag Manager: aggregate product analytics, loaded only after consent. Purpose: understand usage. Data: pseudonymous usage events and device or browser metadata. Region: global, primarily United States.
• GlitchTip: error and exception tracking. Purpose: detect and triage faults. Data: source-safe error events with PII redaction. Region: United States (self-hosted on Render).
• Uptime Kuma: uptime and status monitoring. Purpose: detect outages. Data: health-check results and timing. Region: United States (self-hosted on Render).

Cloudflare also provides the content delivery network, DNS, and edge security that front the platform and connected custom domains.

• Cloudflare: CDN caching, DNS resolution, TLS, and web application firewall. Purpose: fast and secure delivery. Data: request metadata, IP-derived signals, and cache contents. Region: global edge.

Before we rely on a subprocessor we consider its security posture, data protection commitments, processing locations, and contractual terms. We aim to engage subprocessors under data protection terms consistent with our own obligations.

• We review provider security documentation and data processing terms.
• We limit each provider to the data and purposes needed for its function.
• We require appropriate transfer safeguards where a provider processes data outside the user region.

We may add or replace subprocessors as the service evolves. For enterprise customers under a Data Processing Addendum, we will provide notice of material additions or replacements and a chance to object before the change takes effect, on the timeline set in the final agreement.

• This page is updated when the subprocessor list changes, with a new review date.
• Enterprise notice periods and channels are defined in the Data Processing Addendum.

Enterprise customers may object to a new subprocessor on reasonable data protection grounds. The final Data Processing Addendum should define the objection window, the resolution process, and any termination right if a reasonable objection cannot be resolved.

Questions about subprocessors, objection notices, and legal-signoff comments should be sent to legal@wrxstack.com. Include the relevant account email, tenant slug, or customer name when available.