Subprocessor List
Provider: Standard Forensics, Inc.
Last updated: 2026-05-30
Version: 1.2
This list identifies the subprocessors Standard Forensics, Inc. ("Provider") engages to deliver the Cloud Service. The list is incorporated by reference into any executed Data Processing Agreement (DPA) and supplements the disclosures made in Annex III of the DPA.
Current subprocessors
| Subprocessor | Purpose | Data category | Location | Security attestations |
|---|---|---|---|---|
| Amazon Web Services, Inc. | Cloud compute, object storage, key management, and AI model inference (EC2, S3, KMS, Bedrock; US-only Bedrock inference profiles) | All Customer Personal Data, at rest, in transit, and during AI inference | United States (us-east-1) | SOC 1, SOC 2 Type II, ISO 27001/27017/27018/27701, FedRAMP Moderate |
| Supabase, Inc. | Managed PostgreSQL database and authentication; platform metadata, audit/session records, authentication credentials, catalog, findings, and Customer-derived metadata. Raw uploaded source files and DuckDB files are not stored in Supabase. | Platform and Customer-derived metadata | United States | SOC 2 Type II |
| Vercel, Inc. | Frontend hosting, content delivery, and cookieless Web Analytics | Web application assets; session tokens in transit; aggregated, no-cookie usage analytics | United States | SOC 2 Type II, ISO 27001 |
Planned changes
| Action | Subprocessor affected | Planned timing |
|---|---|---|
| Migration of authentication and database hosting from Supabase to AWS-native services (Amazon RDS PostgreSQL, Amazon Cognito) | Removes Supabase from this list | Prior to commencement of Provider's SOC 2 Type II observation period |
The Supabase row will be removed from this list when the migration is complete. The AWS row already encompasses the destination services.
Change notification process
Provider provides Customer with at least 10 business days' advance written notice of any addition or replacement of subprocessors, in accordance with Section 2.6 of the Common Paper Data Processing Agreement Standard Terms v1.1. Notice is delivered to the Customer notice email address designated in the applicable Order Form, and reflected on this list at standardforensics.com/subprocessors.
Customer may object to a proposed new subprocessor by providing written notice to legal@standardforensics.com within 30 days of Provider's notice. If Customer and Provider cannot resolve the objection through good-faith discussion, Customer may terminate the affected Order Form without penalty, with pro-rated refund of any prepaid fees for the unused portion of the current Subscription Period.
If a subprocessor change is required for reasons beyond Provider's reasonable control (e.g., the subprocessor exits the market, suffers a material security incident, or becomes legally prohibited from processing Customer Personal Data), Provider may make the change on shorter notice and will notify Customer as soon as reasonably practicable.
Contact
Questions about this list, including objections to a proposed new subprocessor:
legal@standardforensics.com
Version history
| Version | Date | Change |
|---|---|---|
| 1.2 | 2026-05-30 | Scoped to vendors that process Customer Data in delivering the Service (AWS, Supabase, Vercel). Business-operations service providers that do not process customer engagement data are addressed in the Privacy Policy. |
| 1.1 | 2026-05-21 | Updated Bedrock model inventory, Supabase customer-derived data categories, Vercel Web Analytics scope, and Mercury inclusion. |
| 1.0 | 2026-05-12 | Initial publication |