Trust & Compliance
Sub-processors
Last Updated: April 30, 2026
VAIF Studio engages the following sub-processors to provide, secure, and operate our service. Each sub-processor is bound by a written data-processing agreement (DPA) consistent with GDPR Article 28 and our customer DPA.
We notify customers of material changes to this list at least 30 days before adding a new sub-processor that processes personal data. To subscribe to change notifications, contact legal@vaif.studio.
| Sub-processor | Purpose | Region | DPA |
|---|---|---|---|
| Google Cloud Platform Google LLC | Hosting, managed Postgres, object storage, container runtime | United States (us-central1) | View DPA |
| Stripe Stripe, Inc. | Payment processing and billing | United States | View DPA |
| Anthropic Anthropic PBC | AI model inference (primary Copilot provider) | United States | View DPA |
| OpenAI OpenAI, LLC | AI model inference (fallback provider) | United States | View DPA |
| Resend Resend, Inc. | Transactional email delivery | United States | View DPA |
| Cloudflare Cloudflare, Inc. | Edge networking, DNS, DDoS mitigation | Global edge network | View DPA |
Google Cloud Platform
Google LLC
- Purpose
- Hosting, managed Postgres, object storage, container runtime
- Region
- United States (us-central1)
- DPA
- View DPA →
Anthropic
Anthropic PBC
- Purpose
- AI model inference (primary Copilot provider)
- Region
- United States
- DPA
- View DPA →
OpenAI
OpenAI, LLC
- Purpose
- AI model inference (fallback provider)
- Region
- United States
- DPA
- View DPA →
Cloudflare
Cloudflare, Inc.
- Purpose
- Edge networking, DNS, DDoS mitigation
- Region
- Global edge network
- DPA
- View DPA →
Notes on processing
- Customer data is not used for AI training. Anthropic and OpenAI are configured with zero-retention / no-training enterprise terms for inference traffic.
- Primary data residency is United States (GCP us-central1). Regional residency for EU customers is on the roadmap and tracked under the Enterprise tier.
- All sub-processors are bound by written DPAs with appropriate technical and organizational measures, and where applicable, EU Standard Contractual Clauses (SCCs) for international transfers.