Subprocessor List
Provider: Standard Forensics, Inc.
Last updated: 2026-05-27
Version: 1.1
This list identifies the subprocessors Standard Forensics, Inc. ("Provider") engages to deliver the Cloud Service. The list is incorporated by reference into any executed Data Processing Agreement (DPA) and supplements the disclosures made in Annex III of the DPA.
Current subprocessors
| Subprocessor | Purpose | Data category | Location | Security attestations |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud compute, object storage, encryption key management, and AI model inference (EC2, S3, KMS, Bedrock). Bedrock is currently configured with Anthropic Claude US-only inference profiles for the analytical agent and sub-agents, Amazon Nova Micro for utility tasks such as automatic naming, and separately configured Bedrock model IDs for document classification and document field extraction. | All Customer Personal Data — at rest, in transit, and during AI inference | United States (us-east-1) | SOC 1, SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701, FedRAMP Moderate, HIPAA-eligible |
| Supabase, Inc. | Managed PostgreSQL database and authentication services | Platform metadata, audit/session/tool records, authentication credentials, catalog records, findings, intelligence, observations, document citations, and Customer-derived snippets needed for workflow and auditability. Raw uploaded source files and DuckDB table files are not stored in Supabase. | United States | SOC 2 Type II |
| Vercel, Inc. | Frontend hosting, content delivery, and Vercel Web Analytics for the customer-facing web application and public Site | Web application assets; session tokens in transit; aggregated/no-cookie page and event analytics for Site and Service usage | United States | SOC 2 Type II, ISO 27001, PCI DSS, EU-US Data Privacy Framework, HIPAA-supporting, TISAX |
| Google LLC (Google Workspace) | Email, calendar, and document storage for Provider's internal operations | Customer communications routed to Provider email addresses (notices@, legal@, security@, support@) | United States | SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018 |
| Linear Orbit, Inc. (Linear) | Internal product and issue tracking | Customer references in support tickets and bug reports | United States | SOC 2 Type II, HIPAA |
| Notion Labs, Inc. (Notion) | Internal documentation and operational notes | Incidental Customer references in operational notes | United States | SOC 2 Type II, ISO 27001, ISO 27017, ISO 27018, ISO 27701, HIPAA-ready |
| Mercury Technologies, Inc. | Business banking and invoicing for Provider | Customer billing-contact information (name, email, billing address); does not receive Customer-uploaded analytical materials | United States | SOC 2 Type II |
Planned changes
| Action | Subprocessor affected | Planned timing |
|---|---|---|
| Migration of authentication and database hosting from Supabase to AWS-native services (Amazon RDS PostgreSQL, Amazon Cognito) | Removes Supabase from this list | Prior to commencement of Provider's SOC 2 Type II observation period |
The Supabase row will be removed from this list when the migration is complete. The AWS row already encompasses the destination services.
Change notification process
Provider provides Customer with at least 10 business days' advance written notice of any addition or replacement of subprocessors, in accordance with Section 2.6 of the Common Paper Data Processing Agreement Standard Terms v1.1. Notice is delivered to the Customer notice email address designated in the applicable Order Form, and reflected on this list at standardforensics.com/subprocessors.
Customer may object to a proposed new subprocessor by providing written notice to legal@standardforensics.com within 30 days of Provider's notice. If Customer and Provider cannot resolve the objection through good-faith discussion, Customer may terminate the affected Order Form without penalty, with pro-rated refund of any prepaid fees for the unused portion of the current Subscription Period.
If a subprocessor change is required for reasons beyond Provider's reasonable control (e.g., the subprocessor exits the market, suffers a material security incident, or becomes legally prohibited from processing Customer Personal Data), Provider may make the change on shorter notice and will notify Customer as soon as reasonably practicable.
Contact
Questions about this list, including objections to a proposed new subprocessor:
legal@standardforensics.com
Version history
| Version | Date | Change |
|---|---|---|
| 1.1 | 2026-05-21 | Updated Bedrock model inventory, Supabase customer-derived data categories, Vercel Web Analytics scope, and Mercury inclusion. |
| 1.0 | 2026-05-12 | Initial publication |