Caelum — Sub-processor List
DRAFT — REVIEW BY COUNSEL BEFORE EXECUTION.
Document ID: CAELUM-LEGAL-SUBP-001 Version: 1.0-draft Last updated: 2026-04-30
This page lists the sub-processors Caelum engages to provide the Services. Each sub-processor is bound by a written agreement imposing data protection obligations substantially equivalent to those Caelum owes its Customers under the DPA, and where a sub-processor handles PHI, by a HIPAA Business Associate Agreement.
The list is updated whenever a sub-processor is added, replaced, or removed. Customers are notified per DPA section 5.3 at least 30 days before any addition or replacement takes effect.
Definitions
- "Role" describes what the sub-processor does.
- "Personal Data categories" lists what types of Personal Data the sub-processor may Process. "All" means any Personal Data Customer chooses to upload.
- "Location" is the region where the sub-processor stores or processes data.
- "Transfer mechanism" is the legal basis for any cross-border transfer (Adequacy / SCCs / DPF / etc.).
- "PHI" indicates whether a HIPAA BAA is in place; "n/a" means the sub-processor does not Process PHI.
- "Certifications" lists the sub-processor's relevant certifications.
Active sub-processors
Infrastructure
| Sub-processor | Role | Personal Data categories | Location | Transfer mechanism | PHI | Certifications |
|---|---|---|---|---|---|---|
| Neon, Inc. | Managed Postgres database hosting; underlying compute/storage on AWS | All | EU (eu-central-1) by default; alternate regions on Customer election | SCCs Module 3 (Caelum → Neon, where the Neon entity is in the US) + EU-US Data Privacy Framework | BAA in place | SOC 2 Type II; ISO 27001; HIPAA-eligible |
| Vercel, Inc. | Application runtime, edge network, build pipeline | Authentication tokens; request metadata; HTTP logs (15-day retention) | Multi-region (EU edges preferred for EU tenants) | SCCs Module 3 + DPF | BAA available on Enterprise (sub-)plan | SOC 2 Type II; ISO 27001; HIPAA-eligible |
| Cloudflare, Inc. | DDoS protection, WAF, CDN for static assets | Source IP, user agent, request URL | Global (anycast) | SCCs + DPF | n/a — Cloudflare does not Process PHI in the configured deployment | SOC 2 Type II; ISO 27001 |
AI
| Sub-processor | Role | Personal Data categories | Location | Transfer mechanism | PHI | Certifications |
|---|---|---|---|---|---|---|
| Anthropic, PBC (Claude) | LLM inference for Document drafting, Suggest hazards, Suggest root cause, AI Helpdesk | Prompt content (which may include any text Customer authored), retrieved chunk content | US (with EU regions on Anthropic roadmap) | SCCs Module 3 + DPF | BAA in place; PHI eligible | SOC 2 Type II; HIPAA-eligible |
| OpenAI, L.L.C. | Embedding generation for the RAG pipeline (text-embedding-3 family) | Document chunks for embedding (text content) | US (with EU regions available) | SCCs Module 3 + DPF | BAA in place via OpenAI Enterprise; PHI eligible | SOC 2 Type II; HIPAA-eligible |
Important AI data note. Caelum disables training-on-inputs for both Anthropic and OpenAI via the respective enterprise API agreements. Customer Personal Data is not used to train any model.
Communications
| Sub-processor | Role | Personal Data categories | Location | Transfer mechanism | PHI | Certifications |
|---|---|---|---|---|---|---|
| Resend, Inc. | Transactional email (verification codes, daily digests, helpdesk replies) | Email address, message content, message metadata | US (with EU regions available) | SCCs Module 3 + DPF | n/a — outbound email only; Customer is responsible for any PHI in message content and, if PHI may appear in messages, must request configuration of a PHI-eligible provider | SOC 2 Type II |
| Twilio, Inc. | SMS verification (optional fallback for /signup) | Phone number, message content | US/EU | SCCs + DPF | n/a — Twilio is HIPAA-eligible but PHI in SMS is discouraged | SOC 2 Type II; HIPAA-eligible |
Payments
| Sub-processor | Role | Personal Data categories | Location | Transfer mechanism | PHI | Certifications |
|---|---|---|---|---|---|---|
| Stripe, Inc. | Payment processing, subscription management, customer portal, webhook delivery | Billing contact name, billing email, billing address, card token (Caelum never sees PAN) | US/EU/UK | SCCs + DPF; PCI DSS Level 1 | n/a | PCI DSS Level 1; SOC 1 + 2; ISO 27001 |
Observability and Support tooling
| Sub-processor | Role | Personal Data categories | Location | Transfer mechanism | PHI | Certifications |
|---|---|---|---|---|---|---|
| Sentry (Functional Software, Inc.) | Application error monitoring | User id (pseudonymous), tenant id, error stack traces (Caelum scrubs request bodies and PII fields before sending, via Sentry's beforeSend hook) | US (EU region election available — sentry.io/eu) | SCCs + DPF | n/a — Caelum's Sentry config explicitly excludes paths that may contain PHI | SOC 2 Type II |
Affiliated entities
Caelum has no group company affiliates that Process Customer Personal Data. If that changes, the affected entities will be added to this list with the same notice procedure as third-party sub-processors.
Out of scope
The following providers are used by Caelum-the-company but do not Process Customer Personal Data and are therefore not Sub-processors under the DPA:
- Notion (internal documentation)
- Google Workspace (Caelum staff email — does not relay Customer email)
- GitHub (source code hosting)
- Linear (internal task tracker)
If any of these begin to Process Customer Personal Data, they will be added to the active list with notice.
Change history
| Date | Change | Sub-processor | Effect |
|---|---|---|---|
| 2026-04-30 | Initial publication | All listed | Establishes the list as of v1.0-draft |