Sub-processors.
Every third party that touches customer data, what they process, and what flows where. This list is updated on every change. Last updated May 2026.
Amazon Web Services (AU)
Primary application infrastructure
Hosts the Fydis application, database, storage, and backups in ap-southeast-2 (Sydney). All customer data, documents, evidence chains, audit packs, and sign-off logs reside here.
Vercel
Marketing site hosting
Serves the public marketing and documentation site only. No customer data, no application data, and no authentication tokens are processed by Vercel.
Vercel Analytics
Cookieless web analytics
Page-view and Web-Vitals analytics on the marketing site only. No cookies, no cross-site tracking, no personally identifying fingerprint. Same provider as the application hosting (Vercel), processed under the same DPA.
Beehiiv
Newsletter delivery
Delivers the Fydis newsletter to subscribers who opt in. Processes email address and name only. No customer or application data flows to Beehiiv.
Stripe (AU)
Subscription billing
Processes subscription payments for all paid tiers. Handles billing name, email, and payment method. No application or compliance data flows to Stripe.
OpenAI · Anthropic · Google · AWS Bedrock
LLM inference providers
Inference requests are routed per the customer's LLM policy. No provider trains on customer data under the applicable API terms. Data residency per provider: Bedrock ap-southeast-2 and Azure Australia East keep data in AU; OpenAI and Anthropic are US-based and require explicit opt-in.
Sentry (EU region)
Application error monitoring
Captures stack traces and application metadata for error diagnosis. Payloads are scrubbed of customer data before transmission. Sentry is configured to the EU region and operates under a standard DPA.
Postmark
Transactional email
Delivers platform notifications, sign-off alerts, audit pack ready, and account events. Processes recipient email address and notification content only. No compliance data or document content flows to Postmark.
Notification policy
All customers are notified in writing at least 30 days before adding a new sub-processor or replacing an existing one. The notice identifies the vendor, what data they will process, the legal basis, and the applicable data-processing agreement. Customers on Enterprise contracts with specific sub-processor restrictions may raise an objection during the notice period; we will work in good faith to resolve it before the change takes effect.
Emergency replacements required by a vendor ceasing operations or a security incident will follow the same process at the earliest practicable time, with the reason for urgency stated in the notice.
See how the data flow runs across these sub-processors.
30 minutes. We walk a real analysis through the chain, showing which sub-processor touches which data and where the AU boundary sits. Bring your procurement questionnaire.
Questions? Email hello@abrlabs.io. To request the full DPA for any sub-processor, include the vendor name in your message.