Subprocessors
Last updated: December 5, 2025
This page lists all third-party subprocessors that ActionMail LLC ("ActionMail", "we", "us", or "our") engages to process personal data on behalf of our customers. This list is maintained in accordance with GDPR Article 28 and other applicable data protection laws.
What is a Subprocessor?
A subprocessor is a third-party data processor engaged by ActionMail to process personal data on behalf of our customers. We carefully vet all subprocessors to ensure they maintain appropriate security measures and comply with applicable data protection laws.
Our Commitment
We are committed to:
- Transparency: Maintaining an up-to-date list of all subprocessors
- Security: Ensuring all subprocessors implement appropriate security measures
- Compliance: Requiring all subprocessors to comply with applicable data protection laws
- Data Processing Agreements: Having appropriate contractual arrangements with all subprocessors
- Notification: Providing at least 30 days' notice before adding new subprocessors
Current Subprocessors
Infrastructure & Hosting
| Subprocessor | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Supabase | Database hosting, authentication, and row-level security | User accounts, email metadata, action items, job applications | United States | Privacy Policy |
| Vercel | Application hosting, edge functions, and performance analytics | Application logs, performance metrics, IP addresses | United States | Privacy Policy |
AI Processing
| Subprocessor | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| OpenAI | Primary AI language model for email analysis, summarization, action item extraction, and job application detection | Email content (processed, not retained) | United States | Privacy Policy |
| Anthropic | Fallback AI language model for email analysis | Email content (processed, not retained) | United States | Privacy Policy |
Email Integration
| Subprocessor | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Google (Gmail API) | Email synchronization, OAuth authentication, push notifications | Email content, metadata, OAuth tokens | United States | Privacy Policy |
| Microsoft (Graph API) | Email synchronization, OAuth authentication, webhooks | Email content, metadata, OAuth tokens | United States | Privacy Statement |
Payment Processing
| Subprocessor | Purpose | Data Processed | Location | Privacy Policy |
|---|---|---|---|---|
| Stripe | Payment processing, subscription management, billing | Payment information, billing address, transaction history | United States | Privacy Policy |
Subprocessor Details
Supabase
- Company: Supabase, Inc.
- Purpose: Provides PostgreSQL database hosting, user authentication, and row-level security for data isolation
- Security Certifications: SOC 2 Type II
- Data Location: United States (AWS us-east-1)
- Data Processing Agreement: Available upon request
Vercel
- Company: Vercel Inc.
- Purpose: Hosts our application infrastructure, serverless functions, and provides performance analytics
- Security Certifications: SOC 2 Type II
- Data Location: Global edge network with primary processing in United States
- Data Processing Agreement: Standard DPA included in enterprise terms
OpenAI
- Company: OpenAI, L.L.C.
- Purpose: Provides AI language models for email processing features
- Security Certifications: SOC 2 Type II
- Data Processing: Data is processed in real-time and not retained for model training
- Data Processing Agreement: API terms include data processing provisions
Anthropic
- Company: Anthropic PBC
- Purpose: Provides fallback AI language models for email processing
- Security Certifications: SOC 2 Type II
- Data Processing: Data is processed in real-time and not retained for model training
- Data Processing Agreement: API terms include data processing provisions
- Company: Google LLC
- Purpose: Provides Gmail API access for email synchronization and OAuth authentication
- Security Certifications: SOC 2, ISO 27001, and others
- Data Location: Global infrastructure
- Note: Users authorize access directly through Google's OAuth consent flow
Microsoft
- Company: Microsoft Corporation
- Purpose: Provides Microsoft Graph API access for Outlook email synchronization and OAuth authentication
- Security Certifications: SOC 2, ISO 27001, and others
- Data Location: Global infrastructure
- Note: Users authorize access directly through Microsoft's OAuth consent flow
Stripe
- Company: Stripe, Inc.
- Purpose: Processes payments and manages subscriptions
- Security Certifications: PCI DSS Level 1, SOC 2 Type II
- Data Location: United States
- Note: ActionMail does not store full credit card numbers; Stripe handles all payment data
Data Transfer Safeguards
For transfers of personal data from the EU/EEA to the United States, we rely on:
- Standard Contractual Clauses (SCCs): Contractual safeguards approved by the European Commission
- Supplementary Measures: Additional technical and organizational measures as required
- Vendor Certifications: All subprocessors maintain appropriate security certifications
Changes to Subprocessors
We will notify customers of any intended changes to our subprocessors at least 30 days before the change takes effect. Notifications will be sent via:
- Email to the address associated with your account
- Updates to this page
If you object to a new subprocessor, you may contact us at legal@actionmail.app within 14 days of notification.
Historical Changes
| Date | Change | Details |
|---|---|---|
| December 2025 | Initial publication | Initial subprocessor list published |
Questions
If you have questions about our subprocessors or data processing practices, please contact us:
- Email: legal@actionmail.app
- Privacy Inquiries: privacy@actionmail.app
- Data Protection Officer: dpo@actionmail.app
Related Documents
- Privacy Policy - How we collect and use your data
- Data Processing Agreement - Terms for business customers
- Terms of Service - Our service agreement