Trust Center
Subprocessors.
A complete list of the third-party services that CartonFlow uses to operate the platform, organized by what they help us do. We're upfront about every vendor that may touch your data.
Last updated: May 2, 2026 · Reviewed quarterly
Notification of changes
We notify customers via email at least 30 days before adding a new subprocessor that processes customer data. To subscribe to subprocessor change alerts, email [email protected] from your account email.
Category 1
Infrastructure & hosting
Vendor
Purpose
Data processed
Region
Application server hosting for app.cartonflow.io and API endpoints
Application traffic, request logs (no payload bodies)
US (IAD, ORD)
Managed Postgres database with point-in-time recovery
All customer data at rest (encrypted AES-256)
US East
DNS, DDoS protection, CDN edge caching for marketing site
Request metadata only (IP, User-Agent, URL)
Global edge
Hosting for cartonflow.io marketing site (no customer data)
Marketing site visitor analytics only
US
Category 2
Payments & billing
Vendor
Purpose
Data processed
Region
Subscription billing, card processing, invoice management (PCI DSS Level 1)
Card numbers (Stripe-tokenized, never seen by us), billing email, subscription metadata
US
Category 3
Communications
Vendor
Purpose
Data processed
Region
Transactional email delivery (alerts, invoices, password resets, weekly digests)
Recipient email addresses, message content
US
Mobile push notification delivery
Device push tokens, notification payloads
US
Category 4
Observability & security
Vendor
Purpose
Data processed
Region
Application error monitoring and performance traces
Stack traces, request URLs (PII scrubbed at SDK layer)
US
Redis-based rate limiting and ephemeral caching
IP addresses, request counts (TTL: minutes)
US East
Category 5
AI inference
Vendor
Purpose
Data processed
Region
AI assistant (Cody) inference for fast queries
User questions and decrypted context. Per OpenAI's API data-usage policy, API inputs are not used to train OpenAI models.
US
AI assistant (Cody) inference for complex reasoning
User questions and decrypted context. Per Anthropic's commercial terms, API inputs are not used to train Anthropic models.
US
AI assistant (Cody) inference for high-volume tier-1 queries
User questions and decrypted context. Per Google's paid-tier Gemini API terms, prompts and responses are not used to improve their models.
US
Category 6
Customer-authorized integrations
Vendor
Purpose
Data processed
Region
Read-only access to seller orders, inventory, and shipments (only when you authorize via OAuth)
Order data, FBA inventory, shipment status — only data Amazon's API exposes for your seller account
Amazon-managed
Tracking data retrieval (only when you connect a FedEx account)
Tracking numbers, shipment status events
US
Tracking data retrieval (only when you connect a UPS account)
Tracking numbers, shipment status events
US
FAQ
Common questions
Do AI vendors train on my data?
No. Per the published API terms of OpenAI, Anthropic, and Google's paid-tier Gemini API, prompts and responses sent through their APIs are not used to train their models. We link to each vendor's terms in the table above so you can verify.
How does Privacy Mode change this list?
If Privacy Mode is on, supplier and product names reach Supabase already encrypted. Subprocessors that handle that data (Sentry, AI providers) only see ciphertext or redacted placeholders.
Can I request a sub-list of vendors that touch my data?
Yes. Email [email protected] and we'll generate a tenant-specific report based on which integrations you've enabled.
What happens if a subprocessor has a breach?
We treat third-party breaches as our own incidents. Affected customers are notified within 72 hours of confirmation, with a post-incident report within 7 days.
Need a Data Processing Agreement?
DPAs available for any customer who needs one for procurement, GDPR, or internal compliance.