Spexsure — Version 1.0 · Effective June 2026
DRAFT — PENDING LEGAL REVIEW. This document has not been reviewed by qualified legal counsel and must not be treated as final. Do not publish or rely on it until reviewed by a licensed attorney.
This page lists the third-party subprocessors that Heuristicworks LLC ("Spexsure") engages to process personal data on your behalf in connection with the Spexsure platform ("Service"). A subprocessor is a third-party entity that Spexsure authorises to access or process personal data in the course of providing the Service.
This list is maintained in accordance with our obligations under GDPR Article 28(4) and equivalent data protection laws. If you have executed a Data Processing Agreement (DPA) with Spexsure, this list forms part of that DPA.
For questions about this list or to receive advance notice of subprocessor changes, email legal@heuristicworks.com.
| Subprocessor | Entity | Purpose | Data Processed | Location | Security Certification |
|---|---|---|---|---|---|
| Anthropic | Anthropic PBC | AI processing — gap detection, PRD enrichment, ticket generation | PRD content (text submitted by users); system prompts | United States | SOC 2 Type II (API customers) |
| Supabase | Supabase Inc. | Database hosting and management | All platform data: account data, PRD content, AI output, tickets, OAuth tokens (encrypted), subscription data, journey events, error reports | United States (AWS us-east-1) | SOC 2 Type II |
| Vercel | Vercel Inc. | Application hosting, serverless compute, edge network | All data processed by the application: request data, session data, IP addresses, user agent strings, response payloads | United States (global edge) | SOC 2 Type II |
| Stripe | Stripe Inc. | Payment processing and subscription billing | Email address, billing name, payment method metadata (card type, last four digits, expiry), invoice history | United States | PCI DSS Level 1; SOC 2 Type II |
| Resend | Resend Inc. | Transactional email delivery | Email address, first name, email content (welcome emails, credit warning emails, invitation emails, system notifications) | United States | SOC 2 Type II |
| Sentry | Functional Software Inc. (Sentry) | Application error monitoring and crash reporting | Error stack traces, request metadata, user ID (where associated with an error session), IP address | United States | SOC 2 Type II |
| PostHog | PostHog Inc. | Product analytics and session recording | Journey event identifiers, anonymised usage behaviour, session IDs (client-generated), feature interaction data | United States or EU (configurable) | SOC 2 Type II |
| Upstash | Upstash Inc. | Redis-backed rate limiting | IP addresses and anonymised request counts (within 60-second sliding window only; not persisted beyond the window) | United States | SOC 2 Type II |
| Google | Google LLC | OAuth 2.0 identity provider (sign-in with Google) | Email address, name, profile picture URL, OAuth subject ID | United States | ISO 27001; SOC 2 Type II |
| Microsoft | Microsoft Corporation | OAuth 2.0 identity provider (sign-in with Microsoft / Entra ID) | Email address, name, profile picture URL, Entra ID object ID | United States | ISO 27001; SOC 2 Type II |
| Atlassian | Atlassian Pty Ltd | Jira integration — OAuth 2.0 token exchange and ticket push | OAuth access and refresh tokens (encrypted at rest); Jira project metadata; generated ticket content pushed on user instruction | Australia (HQ); data processed globally | SOC 2 Type II; ISO 27001 |
Anthropic processes PRD content submitted by users as input to its large language model API. Anthropic's current API terms prohibit use of API customer data to train models without consent. Spexsure does not send personal data to Anthropic beyond what users include in their PRD content. Users on BYOK plans make API calls under their own Anthropic account, subject to their own agreement with Anthropic.
Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021) where applicable.
Supabase provides the managed PostgreSQL database in which all platform data is stored, including account records, PRD content, AI output, encrypted OAuth tokens, subscription and billing data, journey events, error reports, and audit logs. Data is stored in AWS us-east-1 by default. Spexsure encrypts sensitive fields (OAuth tokens, BYOK keys) before storage using AES-256-GCM.
Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021).
Vercel hosts the Next.js application, serverless API routes, and edge middleware. All HTTP requests to spexsure.com pass through Vercel's infrastructure. Vercel processes IP addresses, user agent strings, and request/response payloads as part of application serving. Vercel's edge network operates globally; requests are served from the nearest edge location.
Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021); Vercel participates in the EU-US Data Privacy Framework.
Stripe processes all payment transactions. Spexsure does not receive or store raw payment card data. Stripe is a PCI DSS Level 1 certified payment processor. Spexsure receives from Stripe only billing metadata (card type, last four digits, expiry) and Stripe customer/subscription identifiers.
Transfer mechanism: Stripe participates in the EU-US Data Privacy Framework.
Resend delivers transactional emails on behalf of Spexsure. Email content is generated by Spexsure and transmitted to Resend for delivery. Resend retains email logs for deliverability troubleshooting in accordance with its own retention policy.
Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021).
Sentry receives error reports generated by the Spexsure application, including stack traces and contextual request data. Spexsure configures Sentry to scrub known sensitive fields before transmission. Sentry may receive user IDs and IP addresses where an error is associated with an active session.
Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021); Sentry participates in the EU-US Data Privacy Framework.
PostHog receives journey event data for product analytics. Events contain journey IDs, outcome labels (succeeded/failed), and timestamps. PRD content is never sent to PostHog. PostHog is configurable to use EU-based infrastructure; Spexsure's PostHog region is noted in our internal configuration.
Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021) or EU hosting.
Upstash provides a managed Redis instance used exclusively for rate limiting in the application middleware. Only IP addresses and rolling request counts are stored. This data is not persisted beyond the rate limit window (60 seconds) and does not constitute personal data in any meaningful sense under GDPR; it is listed here for completeness and transparency.
Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021).
Google acts as an identity provider via OAuth 2.0. When you sign in with Google, Google authenticates your identity and returns your email address, name, profile picture URL, and a unique subject identifier to Spexsure. Spexsure does not access any other Google account data. Your use of Google Sign-In is subject to Google's own terms and privacy policy.
Transfer mechanism: Google participates in the EU-US Data Privacy Framework.
Microsoft acts as an identity provider via OAuth 2.0 (Microsoft Entra ID). When you sign in with Microsoft, Microsoft authenticates your identity and returns your email address, name, profile picture URL, and a unique Entra ID object identifier to Spexsure. Spexsure does not access any other Microsoft account data. Your use of Microsoft Sign-In is subject to Microsoft's own terms and privacy policy.
Transfer mechanism: Microsoft participates in the EU-US Data Privacy Framework.
Atlassian provides the Jira integration via OAuth 2.0. When you connect a Jira workspace, Atlassian issues access and refresh tokens to Spexsure. Spexsure encrypts these tokens at rest (AES-256-GCM) and uses them solely to push generated tickets to your designated Jira project on your instruction. Spexsure does not read, store, or process Jira issue content beyond confirming successful ticket creation.
Transfer mechanism: Standard Contractual Clauses (EU SCCs 2021).
We review and update this list when we add, replace, or remove subprocessors. We will provide 30 days' advance notice of any new subprocessor or material change to an existing subprocessor by:
To register for advance notifications, email legal@heuristicworks.com with the subject line "Subprocessor Notifications".
If a proposed new subprocessor is objectionable for data protection reasons, customers with an executed DPA may raise a written objection within 14 days of notification. Spexsure will work in good faith to address the objection. If agreement cannot be reached, either party may terminate the DPA and associated subscription on 30 days' written notice.
| Subprocessor | Removed | Reason |
|---|---|---|
| Clerk (Clerk Inc.) | June 2026 | Replaced with NextAuth v5 (self-hosted, no third-party auth service) |
For questions about this subprocessor list, data processing agreements, or international data transfers:
Email: legal@heuristicworks.com
Subject: "Subprocessors — [your question]"
Heuristicworks LLC · Spring City, PA, USA
Last updated: June 2026