Covinly relies on a small set of third-party providers to deliver its platform. Every subprocessor listed here has been reviewed for security posture and data handling, and is covered by a Data Processing Agreement where applicable.
| Subprocessor | Purpose | Location | Certifications |
|---|---|---|---|
| **Vercel**: Hosts the Covinly web application and serves static assets through a global CDN. | Application hosting & CDN (Infrastructure) | United States, European Union | SOC 2 Type II, ISO 27001 |
| **Neon**: Hosts our primary PostgreSQL database with encryption at rest, automatic backups, and point-in-time recovery. | Managed PostgreSQL database (Infrastructure) | United States, European Union, Asia-Pacific | SOC 2 Type II |
| **Cloudflare**: Provides edge DDoS protection, WAF, DNS, and R2 object storage for uploaded documents. | DNS, DDoS protection, R2 object storage (Infrastructure) | Global edge network | SOC 2 Type II, ISO 27001, PCI DSS |
| **Cloudflare Turnstile**: Protects public forms (signup, contact, password reset) from automated abuse without tracking cookies. | CAPTCHA & bot protection (Security) | Global edge network | SOC 2 Type II, ISO 27001 |
| **Anthropic**: Processes uploaded documents to extract structured data. Data is processed under a DPA and not used for model training. | AI processing (document extraction) (AI) | United States, European Union | SOC 2 Type II |
| **Resend**: Delivers transactional email — verification, password reset, approval notifications, payment alerts. | Transactional email delivery (Communication) | United States (with global delivery) | SOC 2 Type II |
| **Stripe**: Processes subscription payments. Covinly never stores full card numbers — they are tokenised by Stripe. | Subscription billing & payments (Payments) | Global (regional compliance zones) | PCI DSS Level 1, SOC 2 Type II |
| **Plaid**: Provides bank account linking and transaction feeds used for reconciliation. Bank credentials are never stored on Covinly servers. | Bank account linking & transactions (Payments) | United States, United Kingdom, European Union | SOC 2 Type II, ISO 27001 |
Every subprocessor is reviewed for GDPR alignment, security posture, and availability before onboarding, and re-reviewed on contract renewal or when scope changes.
Enterprise customers with a signed DPA are notified by email before we add a new subprocessor. This page is the source of truth for the current list.