VeveeLegal · Sub-processors
Legal · Sub-processors

Sub-processor list

Last updated: June 3, 2026

Vevee (the “Provider”) engages the following sub-processors to deliver the Service. Each one processes Customer Personal Data on the Provider's behalf under written terms equivalent to those imposed on the Provider by its Data Processing Agreement.

Current sub-processors

Sub-processorService providedPersonal data processedLocation of processingTransfer mechanism
Turso / ChiselStrike Inc.Managed libSQL/SQLite database - all primary tables.All Customer Personal Data except Media Uploads bytes (end-user identifiers, event metadata, analytics events and profiles, prompts/responses when Prompt Logging is on).EU — Ireland (production database).EEA residency for the database itself; SCCs (Commission Implementing Decision 2021/914) cover the US-incorporated provider.
Vercel Inc.Application hosting, edge CDN, request routing.All data in transit; runtime memory during request handling. No persistent copy is held outside the database.United States and EU regions.EU–US Data Privacy Framework where certified; SCCs (2021/914) otherwise.
Cloudflare, Inc.Object storage (Cloudflare R2) for the Media Uploads feature; edge networking.AI-output media bytes and HMAC-pseudonymised object keys.Global, with EU-resident buckets where supported.SCCs (2021/914) where outside EEA / adequacy.
Resend Inc.Transactional email (login OTP codes, usage-alert notifications).Email addresses of the Customer's developer/admin staff and the OTP codes sent to them. No end-user data.United States.EU–US Data Privacy Framework where certified; SCCs (2021/914) otherwise.
Stripe Payments Europe Ltd.Payment processing for paid Vevee subscriptions. Not yet active in v1 - payments are mocked.Customer billing identifiers; card data handled by Stripe as an independent controller.Ireland (EU).n/a - EEA processing.
Google Ireland Ltd. (Gemini API)AI text generation for the Compose / AI-personalization feature (opt-in per app).The end-user's profile attributes, behavioural events and usage data, and - when the Compose type is configured to use them - prompt/response content, sent to generate personalised content for that end-user.EU and United States / global Google infrastructure.EU–US Data Privacy Framework where certified; SCCs (2021/914) otherwise.

Anonymous analytics path

In the default hybrid analytics mode the SDK records pre-login events without any browser identifier. The client IP and full User-Agent reach the request handler in HTTP headers, are folded into a one-way salted hash, and are discarded before any row is written. Sub-processors above do not see the raw IP / UA persisted — only the country code, a coarse device class, and the salted dedup hash reach storage.

Notification of changes

We give Customers at least 30 days' advance notice before adding or replacing a sub-processor that processes Customer Personal Data. Notice is delivered by:

  • an update to this page, with the “Last updated” date bumped;
  • an in-dashboard banner for the affected workspaces;
  • an email to the workspace owner's primary address.

Right to object

Customers may object to a proposed sub-processor change within 30 days of notification by writing to s.castellitti.dev@gmail.com. If an objection cannot be resolved, the Customer may terminate the affected workspace and request a refund of any prepaid fees covering the period after termination, in accordance with the DPA.

Related documents