Legal
Subprocessor matrix
Auditor-facing processor, retention, and deletion-path inventory for ClearPoint Logic customer data handling.
- Last reviewed: 2026-05-16
- Records: 16 processor records
- JSON endpoint: /api/legal/subprocessors
Refresh policy
Quarterly security-led review, plus an update within 24 hours of a vendor adoption decision and subscriber notice at least 30 days before new subprocessors handle customer data.
| Processor | Purpose | Data accessed | Location | Security status | Deletion path | Retention exception | Owner |
|---|---|---|---|---|---|---|---|
| Supabase Postgres (tenant data store) [Subprocessor] | Primary tenant data store for Meridian, Studio, Nexus, audit-adjacent relational records, and platform records, hosted on Supabase-managed Postgres (RLS-isolated). Supabase is disclosed as the subprocessor that hosts and processes tenant data and backups; the deployment is not Cloud SQL. | confidential, restricted, regulated | Supabase-managed Postgres (US region) | SOC 2: Yes. Tier-1 database provider hosting CPL tenant data; SOC 2 Type 2, ISO 27001, and HIPAA add-on posture listed in vendor compliance summary. Protected by provider-managed AES-256 encryption at rest, TLS in transit, RLS, and application tenant guards. CPL does not hold per-tenant customer-managed keys (CMEK). Transfers governed by the Supabase DPA and Standard Contractual Clauses per CPL-CONTRACTS-CANONICAL §4. | Hard delete via tenant-scoped row deletion at Day 60 plus signed tombstone audit event; backup purge by Day 90. (Cryptographic erasure via per-tenant CMEK destruction is a deferred future capability requiring a Cloud SQL re-platform per §Y.7, not the current mechanism.) | None for customer-owned data. | Operations Agent |
| CPL audit_events chain [CPL-controlled store] | Immutable signed audit evidence for material customer and platform actions. | confidential, restricted, regulated | GCP us-central1 | SOC 2: CPL control evidence. CPL-controlled; immutable audit chain with payload redaction where allowed. | Retain immutable event records; redact PII payload fields where data class permits. | Audit evidence retained 7 years per CPL audit evidence policy and legal hold. | Security Agent |
| Anthropic API [Subprocessor] | Claude API model inference for Sonnet escalation paths and customer-explicit premium Anthropic routing. | confidential, restricted, regulated | Anthropic provider-hosted processing regions | SOC 2: Yes. Tier-1 LLM provider; SOC 2 Type 2 and ISO 27001 listed in vendor compliance summary. | CPL deletes local prompt, context, and output records through the customer-data lifecycle pipeline; provider-side handling follows Anthropic commercial terms and DPA. | Provider contractual retention and abuse-monitoring windows may apply under the Anthropic DPA. | Operations Agent |
| Google Cloud Vertex AI [Subprocessor] | Default Gemini model inference, Gemini Flash-Lite routing, and Vertex text-embedding provider for model and semantic-search workloads. | confidential, restricted, regulated | Google Cloud / Vertex AI configured regions; CPL primary workload region us-central1 | SOC 2: Inherits GCP. Tier-1 LLM and embedding provider; inherits GCP SOC 2 Type 2, ISO 27001, and BAA posture in vendor compliance summary. | CPL deletes local prompt, context, output, and embedding records through the customer-data lifecycle pipeline; Google Cloud handling follows the Cloud DPA and configured service controls. | Provider contractual retention and service-control windows may apply under the Google Cloud DPA. | Operations Agent |
| OpenAI API [Subprocessor] | OpenAI model inference for customer-explicit GPT-5.5 routing and code-strength surfaces governed by ADR-0021. | confidential, restricted, regulated | OpenAI provider-hosted processing regions | SOC 2: Yes. Tier-1 LLM provider; SOC 2 Type 2 and ISO 27001 listed in vendor compliance summary. | CPL deletes local prompt, context, and output records through the customer-data lifecycle pipeline; provider-side handling follows OpenAI business terms and DPA. | Provider contractual retention and abuse-monitoring windows may apply under the OpenAI DPA. | Operations Agent |
| Stripe [Subprocessor] | Payment processing, subscription billing, invoicing, and tax-required transaction records. | confidential | United States / global Stripe processing regions | SOC 2: Yes. Tier-1 billing provider; SOC 2 Type 2 and ISO 27001 listed in vendor compliance summary. | Customer detach through Stripe API, subscription cancellation, and payment method deletion. | Tax-required transaction records retained by Stripe and applicable jurisdictions, typically 7 years. | Operations Agent |
| Supabase Auth [Subprocessor] | Canonical identity provider for authentication, MFA, SAML SSO, and user identity lifecycle. | confidential, restricted | Supabase hosted regions for CPL projects | SOC 2: Yes. Tier-1 identity and database provider; SOC 2 Type 2, ISO 27001, and HIPAA add-on posture listed in vendor compliance summary. | User deletion through Supabase admin API; identity records anonymized. | Auth audit log retention follows Supabase Pro tier retention: 90 days hot and 1 year cold. | Operations Agent |
| Sentry [Subprocessor] | Sanitized application error tracking and release health monitoring. | internal, confidential | Sentry hosted regions | SOC 2: Yes. Tier-1 error tracking provider; SOC 2 Type 2 and ISO 27001 listed in vendor compliance summary. | Issue and event purge by tenant tag; user-context deletion through Sentry data privacy API. | Aggregated or anonymized error metrics retained per Sentry default retention. | Operations Agent |
| Datadog [Subprocessor] | Security monitoring layer for SIEM, security logs, selected synthetic checks, and cross-correlation. | internal, confidential, restricted | Datadog hosted regions | SOC 2: Yes. Tier-1 security monitoring provider; SOC 2 Type 2, ISO 27001, and BAA posture listed in vendor compliance summary. | Log retention window expiry, with customer-tenant-tagged logs deleted through Datadog GDPR endpoint where applicable. | Aggregated metrics retained at lower fidelity for SOC 2 evidence. | Security Agent |
| Attio [Subprocessor] | CRM and deal-state tracking for sales, agreement status, and customer relationship operations. | internal, confidential | Attio hosted regions | SOC 2: In progress. Tier-3 CRM provider; SOC 2 listed as in progress in vendor compliance summary. | Contact and deal records anonymized; names replaced with Deleted Customer label and email replaced with hash. | Sales-cycle records retained under CPL contract retention policy for 7 years. | Operations Agent |
| GitHub Issues / Linear [Subprocessor] | Engineering issue tracking, customer support ticket coordination, and operational work tracking. | internal, confidential | GitHub and Linear hosted regions | SOC 2: Yes. GitHub is Tier-1 source-code provider; Linear is Tier-2 issue tracking provider. Both list SOC 2 Type 2 in vendor compliance summary. | Customer-identifiable text in support tickets redacted; ticket records retained. | Ticket structure retained for SOC 2 evidence; customer-identifying content redacted. | Operations Agent |
| Slack [Subprocessor] | Internal communications and Slack Connect customer support communications. | internal, confidential | Slack hosted regions | SOC 2: Yes. Tier-2 communications provider; SOC 2 Type 2, ISO 27001, and Enterprise BAA posture listed in vendor compliance summary. | Customer-identifiable mentions in CPL-internal Slack scrubbed through Slack admin API where supported. | Slack message retention follows CPL workspace policy. | Operations Agent |
| DocuSign envelopes [Subprocessor] | Customer contract execution, NDA workflow, DPA/BAA signing, and agreement evidence. | confidential, restricted | DocuSign hosted regions | SOC 2: Yes. Tier-2 e-signature provider; SOC 2 Type 2, ISO 27001, and BAA posture listed in vendor compliance summary. | Envelope metadata retained and envelope content access revoked. | Signed contracts retained for legal contract retention, minimum 7 years. | Operations Agent |
| Resend transactional email [Subprocessor] | Transactional emails, CSAT delivery, export/deletion milestone notifications, and subprocessor change notifications. | internal, confidential | Resend hosted regions | SOC 2: Yes. Tier-2 transactional email provider; SOC 2 Type 2 listed in vendor compliance summary. | Email send-history records retained 90 days and then auto-purged. | None. | Operations Agent |
| Cloud Storage / GCS export buckets [CPL-controlled store] | Time-limited customer export bundles and signed URL metadata for export delivery. | confidential, restricted, regulated | GCP us-central1 | SOC 2: CPL control evidence. CPL-controlled GCP storage; lifecycle policy and access logging required. | Hard delete of export bundles for deleted tenant; lifecycle policy cleans up signed-URL metadata. | None. | Operations Agent |
| Backup snapshots [CPL-controlled store] | Supabase-managed Postgres automated backup snapshots and PITR for disaster recovery (not Cloud SQL). | confidential, restricted, regulated | Supabase-managed Postgres (US region) | SOC 2: CPL control evidence. CPL-controlled backup substrate (Supabase-managed Postgres); provider-managed AES-256 encryption at rest; lifecycle and purge timing governed by retention canonical. | Backup purge at Day 90; snapshots beyond Day 90 do not contain deleted tenant data. | None. | Operations Agent |
Canonical anchors
- CPL-DATA-CLASSIFICATION-RETENTION-CANONICAL.md §Y.8 and §Z
- CPL-TRUST-CENTER-CANONICAL.md §3.3, §9.6, §11.4, §11.7, §13.2
- CPL-VENDOR-SLA-MATRIX-CANONICAL.md §2.1, §9.2
- TOOLS.md §7 Vendor compliance summary