{"metadata":{"title":"ClearPoint Logic Subprocessor Matrix","version":"2026-05-16","lastReviewedAt":"2026-05-16","refreshCadence":"Quarterly security-led review, plus update within 24 hours of vendor adoption decision and subscriber notice at least 30 days before new subprocessors handle customer data.","canonicalSources":[{"label":"CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md","section":"§Y.8 and §Z","path":"docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md"},{"label":"CPL-TRUST-CENTER-CANONICAL.md","section":"§3.3, §9.6, §11.4, §11.7, §13.2","path":"docs/canonical/CPL-TRUST-CENTER-CANONICAL.md"},{"label":"CPL-VENDOR-SLA-MATRIX-CANONICAL.md","section":"§2.1, §9.2","path":"docs/canonical/CPL-VENDOR-SLA-MATRIX-CANONICAL.md"},{"label":"TOOLS.md","section":"§7 Vendor compliance summary","path":"TOOLS.md"}]},"rows":[{"id":"cpl-cloud-sql","name":"Supabase Postgres (tenant data store)","processorClass":"subprocessor","purpose":"Primary tenant data store for Meridian, Studio, Nexus, audit-adjacent relational records, and platform records, hosted on Supabase-managed Postgres (RLS-isolated). Supabase is disclosed as the subprocessor that hosts and processes tenant data and backups; the deployment is not Cloud SQL.","dataAccessed":["tenant application data","policy data","customer-owned workflow records"],"dataClasses":["confidential","restricted","regulated"],"processingLocation":"Supabase-managed Postgres (US region)","securityReviewStatus":"Tier-1 database provider hosting CPL tenant data; SOC 2 Type 2, ISO 27001, and HIPAA add-on posture listed in vendor compliance summary. Protected by provider-managed AES-256 encryption at rest, TLS in transit, RLS, and application tenant guards. CPL does not hold per-tenant customer-managed keys (CMEK). 
Transfers governed by the Supabase DPA and Standard Contractual Clauses per CPL-CONTRACTS-CANONICAL §4.","soc2Type2":"Yes","deletionMode":"Hard delete via tenant-scoped row deletion at Day 60 plus signed tombstone audit event; backup purge by Day 90. (Cryptographic erasure via per-tenant CMEK destruction is a deferred future capability requiring a Cloud SQL re-platform per §Y.7, not the current mechanism.)","retentionException":"None for customer-owned data.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.7","docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Z","TOOLS.md §2.4","docs/canonical/CPL-VENDOR-SLA-MATRIX-CANONICAL.md §1"]},{"id":"cpl-audit-events","name":"CPL audit_events chain","processorClass":"cpl_controlled_store","purpose":"Immutable signed audit evidence for material customer and platform actions.","dataAccessed":["audit evidence","redacted payload summaries","correlation identifiers"],"dataClasses":["confidential","restricted","regulated"],"processingLocation":"GCP us-central1","securityReviewStatus":"CPL-controlled; immutable audit chain with payload redaction where allowed.","soc2Type2":"CPL control evidence","deletionMode":"Retain immutable event records; redact PII payload fields where data class permits.","retentionException":"Audit evidence retained 7 years per CPL audit evidence policy and legal hold.","owner":"Security Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","docs/canonical/CPL-AUDIT-EVIDENCE-CANONICAL.md §6"]},{"id":"anthropic-api","name":"Anthropic API","provider":"Anthropic","function":"Claude API model inference for approved escalation and customer-explicit Anthropic routing.","data_class":"confidential, restricted, regulated","region":"Provider-hosted processing 
regions","dpa_url":"https://privacy.claude.com/en/articles/7996862-how-do-i-view-and-sign-your-data-processing-addendum-dpa","sla_tier":"Tier-1 LLM provider; Standard tier; no published uptime or response SLA on Standard tier.","source_canonical":"docs/canonical/CPL-VENDOR-SLA-MATRIX-CANONICAL.md §2.1","processorClass":"subprocessor","purpose":"Claude API model inference for Sonnet escalation paths and customer-explicit premium Anthropic routing.","dataAccessed":["customer prompts","model context","generated outputs","model-call metadata"],"dataClasses":["confidential","restricted","regulated"],"processingLocation":"Anthropic provider-hosted processing regions","securityReviewStatus":"Tier-1 LLM provider; SOC 2 Type 2 and ISO 27001 listed in vendor compliance summary.","soc2Type2":"Yes","deletionMode":"CPL deletes local prompt, context, and output records through the customer-data lifecycle pipeline; provider-side handling follows Anthropic commercial terms and DPA.","retentionException":"Provider contractual retention and abuse-monitoring windows may apply under the Anthropic DPA.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-VENDOR-SLA-MATRIX-CANONICAL.md §2.1","TOOLS.md §1.4","TOOLS.md §7","docs/adr/ADR-0021-llm-model-routing-policy.md §2"]},{"id":"google-cloud-vertex-ai","name":"Google Cloud Vertex AI","provider":"Google Cloud Vertex AI","function":"Default Gemini model inference and Vertex embedding provider per ADR-0021 and ADR-0012.","data_class":"confidential, restricted, regulated","region":"Google Cloud / Vertex AI configured regions; CPL primary workload region us-central1","dpa_url":"https://cloud.google.com/terms/data-processing-addendum","sla_tier":"Tier-1 LLM provider; Standard support; 99.5% general AI APIs uptime and 4-hour business-day P1 response.","source_canonical":"docs/canonical/CPL-VENDOR-SLA-MATRIX-CANONICAL.md §2.1","processorClass":"subprocessor","purpose":"Default Gemini model inference, Gemini Flash-Lite routing, 
and Vertex text-embedding provider for model and semantic-search workloads.","dataAccessed":["customer prompts","model context","generated outputs","embedding inputs","model-call metadata"],"dataClasses":["confidential","restricted","regulated"],"processingLocation":"Google Cloud / Vertex AI configured regions; CPL primary workload region us-central1","securityReviewStatus":"Tier-1 LLM and embedding provider; inherits GCP SOC 2 Type 2, ISO 27001, and BAA posture in vendor compliance summary.","soc2Type2":"Inherits GCP","deletionMode":"CPL deletes local prompt, context, output, and embedding records through the customer-data lifecycle pipeline; Google Cloud handling follows the Cloud DPA and configured service controls.","retentionException":"Provider contractual retention and service-control windows may apply under the Google Cloud DPA.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-VENDOR-SLA-MATRIX-CANONICAL.md §2.1","TOOLS.md §1.4","TOOLS.md §7","docs/adr/ADR-0021-llm-model-routing-policy.md §2","docs/adr/ADR-0012-embedding-and-vector-memory.md"]},{"id":"openai-api","name":"OpenAI API","provider":"OpenAI","function":"GPT-5.5 customer-explicit routing and approved code-strength model surfaces per ADR-0021.","data_class":"confidential, restricted, regulated","region":"Provider-hosted processing regions","dpa_url":"https://openai.com/policies/data-processing-addendum/","sla_tier":"Tier-1 LLM provider; Standard tier; no published uptime or response SLA on Standard tier.","source_canonical":"docs/canonical/CPL-VENDOR-SLA-MATRIX-CANONICAL.md §2.1","processorClass":"subprocessor","purpose":"OpenAI model inference for customer-explicit GPT-5.5 routing and code-strength surfaces governed by ADR-0021.","dataAccessed":["customer prompts","model context","generated outputs","model-call metadata","code-generation context when customer-approved"],"dataClasses":["confidential","restricted","regulated"],"processingLocation":"OpenAI provider-hosted processing 
regions","securityReviewStatus":"Tier-1 LLM provider; SOC 2 Type 2 and ISO 27001 listed in vendor compliance summary.","soc2Type2":"Yes","deletionMode":"CPL deletes local prompt, context, and output records through the customer-data lifecycle pipeline; provider-side handling follows OpenAI business terms and DPA.","retentionException":"Provider contractual retention and abuse-monitoring windows may apply under the OpenAI DPA.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-VENDOR-SLA-MATRIX-CANONICAL.md §2.1","TOOLS.md §1.4","TOOLS.md §7","docs/adr/ADR-0021-llm-model-routing-policy.md §2"]},{"id":"stripe","name":"Stripe","processorClass":"subprocessor","purpose":"Payment processing, subscription billing, invoicing, and tax-required transaction records.","dataAccessed":["billing customer IDs","subscription metadata","payment method references","transaction records"],"dataClasses":["confidential"],"processingLocation":"United States / global Stripe processing regions","securityReviewStatus":"Tier-1 billing provider; SOC 2 Type 2 and ISO 27001 listed in vendor compliance summary.","soc2Type2":"Yes","deletionMode":"Customer detach through Stripe API, subscription cancellation, and payment method deletion.","retentionException":"Tax-required transaction records retained by Stripe and applicable jurisdictions, typically 7 years.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","TOOLS.md §2.2","TOOLS.md §7"]},{"id":"supabase-auth","name":"Supabase Auth","processorClass":"subprocessor","purpose":"Canonical identity provider for authentication, MFA, SAML SSO, and user identity lifecycle.","dataAccessed":["user identity records","authentication metadata","MFA state","SSO metadata"],"dataClasses":["confidential","restricted"],"processingLocation":"Supabase hosted regions for CPL projects","securityReviewStatus":"Tier-1 identity and database provider; SOC 2 Type 2, ISO 27001, and HIPAA add-on 
posture listed in vendor compliance summary.","soc2Type2":"Yes","deletionMode":"User deletion through Supabase admin API; identity records anonymized.","retentionException":"Auth audit log retention follows Supabase Pro tier retention: 90 days hot and 1 year cold.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","TOOLS.md §2.1","TOOLS.md §7"]},{"id":"sentry","name":"Sentry","processorClass":"subprocessor","purpose":"Sanitized application error tracking and release health monitoring.","dataAccessed":["sanitized error context","tenant tags","release metadata","user context when needed for debugging"],"dataClasses":["internal","confidential"],"processingLocation":"Sentry hosted regions","securityReviewStatus":"Tier-1 error tracking provider; SOC 2 Type 2 and ISO 27001 listed in vendor compliance summary.","soc2Type2":"Yes","deletionMode":"Issue and event purge by tenant tag; user-context deletion through Sentry data privacy API.","retentionException":"Aggregated or anonymized error metrics retained per Sentry default retention.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","TOOLS.md §1.1","TOOLS.md §7"]},{"id":"datadog","name":"Datadog","processorClass":"subprocessor","purpose":"Security monitoring layer for SIEM, security logs, selected synthetic checks, and cross-correlation.","dataAccessed":["security logs","audit-forwarded event summaries","tenant-tagged operational logs","aggregated metrics"],"dataClasses":["internal","confidential","restricted"],"processingLocation":"Datadog hosted regions","securityReviewStatus":"Tier-1 security monitoring provider; SOC 2 Type 2, ISO 27001, and BAA posture listed in vendor compliance summary.","soc2Type2":"Yes","deletionMode":"Log retention window expiry, with customer-tenant-tagged logs deleted through Datadog GDPR endpoint where applicable.","retentionException":"Aggregated metrics retained 
at lower fidelity for SOC 2 evidence.","owner":"Security Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","TOOLS.md §1.4","TOOLS.md §7"]},{"id":"attio","name":"Attio","processorClass":"subprocessor","purpose":"CRM and deal-state tracking for sales, agreement status, and customer relationship operations.","dataAccessed":["company records","contact records","deal metadata","sales notes"],"dataClasses":["internal","confidential"],"processingLocation":"Attio hosted regions","securityReviewStatus":"Tier-3 CRM provider; SOC 2 listed as in progress in vendor compliance summary.","soc2Type2":"In progress","deletionMode":"Contact and deal records anonymized; names replaced with Deleted Customer label and email replaced with hash.","retentionException":"Sales-cycle records retained under CPL contract retention policy for 7 years.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","TOOLS.md §1.3","TOOLS.md §7"]},{"id":"github-linear","name":"GitHub Issues / Linear","processorClass":"subprocessor","purpose":"Engineering issue tracking, customer support ticket coordination, and operational work tracking.","dataAccessed":["support ticket content","engineering issue metadata","customer-identifiable support text when present"],"dataClasses":["internal","confidential"],"processingLocation":"GitHub and Linear hosted regions","securityReviewStatus":"GitHub is Tier-1 source-code provider; Linear is Tier-2 issue tracking provider. 
Both list SOC 2 Type 2 in vendor compliance summary.","soc2Type2":"Yes","deletionMode":"Customer-identifiable text in support tickets redacted; ticket records retained.","retentionException":"Ticket structure retained for SOC 2 evidence; customer-identifying content redacted.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","TOOLS.md §1.1","TOOLS.md §7"]},{"id":"slack","name":"Slack","processorClass":"subprocessor","purpose":"Internal communications and Slack Connect customer support communications.","dataAccessed":["customer support mentions","incident coordination messages","internal operational messages"],"dataClasses":["internal","confidential"],"processingLocation":"Slack hosted regions","securityReviewStatus":"Tier-2 communications provider; SOC 2 Type 2, ISO 27001, and Enterprise BAA posture listed in vendor compliance summary.","soc2Type2":"Yes","deletionMode":"Customer-identifiable mentions in CPL-internal Slack scrubbed through Slack admin API where supported.","retentionException":"Slack message retention follows CPL workspace policy.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","TOOLS.md §1.2","TOOLS.md §7"]},{"id":"docusign","name":"DocuSign envelopes","processorClass":"subprocessor","purpose":"Customer contract execution, NDA workflow, DPA/BAA signing, and agreement evidence.","dataAccessed":["contract metadata","signature records","agreement documents","requester identity"],"dataClasses":["confidential","restricted"],"processingLocation":"DocuSign hosted regions","securityReviewStatus":"Tier-2 e-signature provider; SOC 2 Type 2, ISO 27001, and BAA posture listed in vendor compliance summary.","soc2Type2":"Yes","deletionMode":"Envelope metadata retained and envelope content access revoked.","retentionException":"Signed contracts retained for legal contract retention, minimum 7 years.","owner":"Operations 
Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","TOOLS.md §1.2","TOOLS.md §7"]},{"id":"resend","name":"Resend transactional email","processorClass":"subprocessor","purpose":"Transactional emails, CSAT delivery, export/deletion milestone notifications, and subprocessor change notifications.","dataAccessed":["email addresses","delivery metadata","transactional notification content"],"dataClasses":["internal","confidential"],"processingLocation":"Resend hosted regions","securityReviewStatus":"Tier-2 transactional email provider; SOC 2 Type 2 listed in vendor compliance summary.","soc2Type2":"Yes","deletionMode":"Email send-history records retained 90 days and then auto-purged.","retentionException":"None.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","TOOLS.md §1.3","TOOLS.md §7"]},{"id":"gcs-export-buckets","name":"Cloud Storage / GCS export buckets","processorClass":"cpl_controlled_store","purpose":"Time-limited customer export bundles and signed URL metadata for export delivery.","dataAccessed":["customer export bundles","signed URL metadata","export package checksums"],"dataClasses":["confidential","restricted","regulated"],"processingLocation":"GCP us-central1","securityReviewStatus":"CPL-controlled GCP storage; lifecycle policy and access logging required.","soc2Type2":"CPL control evidence","deletionMode":"Hard delete of export bundles for deleted tenant; lifecycle policy cleans up signed-URL metadata.","retentionException":"None.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8","TOOLS.md §2.4"]},{"id":"cloud-sql-backups","name":"Backup snapshots","processorClass":"cpl_controlled_store","purpose":"Supabase-managed Postgres automated backup snapshots and PITR for disaster recovery (not Cloud SQL).","dataAccessed":["tenant database backups","PITR 
metadata"],"dataClasses":["confidential","restricted","regulated"],"processingLocation":"Supabase-managed Postgres (US region)","securityReviewStatus":"CPL-controlled backup substrate on Supabase-managed Postgres; Supabase hosts and processes these backups as the subprocessor disclosed in the Supabase Postgres (tenant data store) row; provider-managed AES-256 encryption at rest; lifecycle and purge timing governed by the retention canonical.","soc2Type2":"CPL control evidence","deletionMode":"Backup purge at Day 90; snapshots beyond Day 90 do not contain deleted tenant data.","retentionException":"None.","owner":"Operations Agent","sourceCitations":["docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.3","docs/canonical/CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8"]}]}