Subprocessors
Every third party that processes your data.
Version 1 · Last updated:
What this page is for
PDPL (UAE Federal Decree-Law No. 45 of 2021) requires that we tell you who processes your personal data on Prism’s behalf, what they do with it, and where it goes. This page is the authoritative, versioned list. If we add, change, or remove a subprocessor, we update this page and email active users before the change takes effect.
For the legal framing — consent to cross-border transfers, lawful bases, your rights — see the Privacy Policy.
Current subprocessors
| Subprocessor | Role | Data | Region | DPA |
|---|---|---|---|---|
| Anthropic (Claude API) | AI: classification, formatting, Mirror synthesis | Journal text, mood tags, prior AI-derived signals as model context | United States | View |
| OpenAI | Embeddings + voice transcription (Whisper) | Journal text (for embeddings); audio stream (for transcription, not stored) | United States | View |
| Supabase | Postgres database, authentication, file storage | All account data + entries + images + derived signals, encrypted at rest | AWS us-east-1 | View |
| Vercel | App hosting + cookieless analytics | Request metadata (URLs, response codes); no personal identifiers | Global edge | View |
| Resend | Transactional email | Recipient email + message body | United States | View |
| Stripe | Payment processing (paid subscriptions) | Name, email, billing address, card data (Prism never sees card numbers) | United States | View |
Cross-border transfer basis
All the subprocessors above process data outside the UAE (primarily in the United States). The UAE Data Office has not designated the US as providing adequate protection under PDPL Article 22. We rely on PDPL Article 23 for these transfers:
· Your explicit consent at signup, after disclosure of the subprocessors named above and the fact that data leaves the UAE.
· Contractual protections equivalent to PDPL imposed via the DPA or PDPL-addendum we have with each subprocessor.
See the Privacy Policy — section on cross-border transfers.
Sub-sub-processors
Each subprocessor above uses its own infrastructure providers (Amazon Web Services, Google Cloud, Cloudflare, and others). Those sub-sub-processors are listed in each subprocessor’s DPA linked above. We do not maintain a separate list for them; changes at that layer are covered by the subprocessor’s own change notification process.
What is not a subprocessor
For transparency, here is what is not a subprocessor of Prism:
· No advertising networks (Meta, Google Ads, TikTok, X, LinkedIn, etc.). Prism does not advertise, so it does not send data to advertising systems.
· No data brokers.
· No analytics beyond Vercel’s cookieless anonymous analytics (no PostHog, Mixpanel, Amplitude, Segment, Heap, FullStory, Hotjar).
· No CRM / marketing automation (no HubSpot, Mailchimp, Customer.io).
· No error monitoring with PII (no Sentry, Datadog, LogRocket). If we adopt one in future it will appear on this page before it becomes active.
Change policy
· Adding a subprocessor — we email active users at least 14 days before the new subprocessor starts processing any data. You can delete your account before the change takes effect if you object.
· Removing a subprocessor — announced on this page. No user notice required.
· Change in role (same subprocessor, different data category) — treated as an addition.
· Sub-sub-processor changes — governed by each subprocessor’s own DPA; not separately notified.
Version history
· Version 1 — 2026-04-20 — Initial published list.
Contact
· Questions about subprocessors: privacy@prismlens.net
· DPO: dpo@prismlens.net