Subprocessor List

Provider: Standard Forensics, Inc.
Last updated: 2026-05-30
Version: 1.2

This list identifies the subprocessors Standard Forensics, Inc. ("Provider") engages to deliver the Cloud Service. The list is incorporated by reference into any executed Data Processing Agreement (DPA) and supplements the disclosures made in Annex III of the DPA.


Current subprocessors

SubprocessorPurposeData categoryLocationSecurity attestations
Amazon Web Services, Inc.Cloud compute, object storage, key management, and AI model inference (EC2, S3, KMS, Bedrock; US-only Bedrock inference profiles)All Customer Personal Data, at rest, in transit, and during AI inferenceUnited States (us-east-1)SOC 1, SOC 2 Type II, ISO 27001/27017/27018/27701, FedRAMP Moderate
Supabase, Inc.Managed PostgreSQL database and authentication; platform metadata, audit/session records, authentication credentials, catalog, findings, and Customer-derived metadata. Raw uploaded source files and DuckDB files are not stored in Supabase.Platform and Customer-derived metadataUnited StatesSOC 2 Type II
Vercel, Inc.Frontend hosting, content delivery, and cookieless Web AnalyticsWeb application assets; session tokens in transit; aggregated, no-cookie usage analyticsUnited StatesSOC 2 Type II, ISO 27001

Planned changes

ActionSubprocessor affectedPlanned timing
Migration of authentication and database hosting from Supabase to AWS-native services (Amazon RDS PostgreSQL, Amazon Cognito)Removes Supabase from this listPrior to commencement of Provider's SOC 2 Type II observation period

The Supabase row will be removed from this list when the migration is complete. The AWS row already encompasses the destination services.


Change notification process

Provider provides Customer with at least 10 business days' advance written notice of any addition or replacement of subprocessors, in accordance with Section 2.6 of the Common Paper Data Processing Agreement Standard Terms v1.1. Notice is delivered to the Customer notice email address designated in the applicable Order Form, and reflected on this list at standardforensics.com/subprocessors.

Customer may object to a proposed new subprocessor by providing written notice to legal@standardforensics.com within 30 days of Provider's notice. If Customer and Provider cannot resolve the objection through good-faith discussion, Customer may terminate the affected Order Form without penalty, with pro-rated refund of any prepaid fees for the unused portion of the current Subscription Period.

If a subprocessor change is required for reasons beyond Provider's reasonable control (e.g., the subprocessor exits the market, suffers a material security incident, or becomes legally prohibited from processing Customer Personal Data), Provider may make the change on shorter notice and will notify Customer as soon as reasonably practicable.


Contact

Questions about this list, including objections to a proposed new subprocessor:

legal@standardforensics.com


Version history

VersionDateChange
1.22026-05-30Scoped to vendors that process Customer Data in delivering the Service (AWS, Supabase, Vercel). Business-operations service providers that do not process customer engagement data are addressed in the Privacy Policy.
1.12026-05-21Updated Bedrock model inventory, Supabase customer-derived data categories, Vercel Web Analytics scope, and Mercury inclusion.
1.02026-05-12Initial publication