Legal document
Subprocessors
- Effective:
- July 5, 2026
- Last updated:
- July 6, 2026
- Issuer:
- MorPhoe Tech Inc
The third parties listed below may process Customer personal data on behalf of BizNerva. The full processing terms, including notification, objection, and termination rights, are set out in the Data Processing Agreement (DPA).
This page is the canonical, machine-readable list of BizNerva subprocessors. For full processing terms — including the 30-day change-notification period, Controller objection rights, security obligations imposed on each subprocessor, and audit rights — see the Sub-processors section of our Data Processing Agreement. This page is updated at least thirty (30) days before a new subprocessor begins processing Customer personal data, subject to the DPA notification and objection process.
Customer-selected integrations and public data sources are not subprocessors. Customer-controlled integrations, for example identity providers used for sign-in (such as Google or Microsoft), connected HRIS providers, Slack or Microsoft Teams webhook destinations, and a Customer's own DocuSign account, are used at the Customer's direction under the Customer's own terms with those providers. Separately, public and reference data sources that BizNerva queries to power customer-enabled features, such as Etherscan for on-chain data and CoinGecko for market pricing, receive only public identifiers (for example wallet addresses and token identifiers) that the Customer selects for monitoring. Neither category is a BizNerva subprocessor unless BizNerva separately engages the provider to process Customer personal data on BizNerva's behalf.
1Current Subprocessors
| Provider | Jurisdiction | Purpose | Certifications |
|---|---|---|---|
| Supabase Inc. | San Francisco, CA, USA | Database hosting (PostgreSQL), authentication, and file storage. | SOC 2 Type II |
| Vercel Inc. | San Francisco, CA, USA | Application hosting, content delivery, and first-party cookieless analytics/performance telemetry. | SOC 2 Type II |
| Stripe Inc. | San Francisco, CA, USA | Payment processing for Customer subscriptions and invoices. | PCI DSS Level 1, SOC 2 Type II |
| Anthropic PBC | San Francisco, CA, USA | AI processing for compliance analysis, Pay Transparency job-posting analysis, document review, content classification, and optional OCR of scanned uploads. Automated PII redaction and sensitivity screening are applied before transmission. Commercial API terms prohibit use of submitted data for model training. | SOC 2 Type II |
| OpenAI, L.L.C. | San Francisco, CA, USA | Vector embeddings for relevance search across regulatory and organization content. Automated PII redaction is applied before transmission. API terms prohibit use of submitted data for model training. | SOC 2 Type II |
| Google LLC | Mountain View, CA, USA | Two purposes: (1) Google Workspace as the transactional and notification email transport (SMTP relay): processes recipient email addresses and message content (which may include user names, organization names, and action links) in transit. (2) Google reCAPTCHA for anti-abuse bot detection on public and authentication forms. Email content is not used for advertising under Google Workspace terms. | SOC 2 Type II, ISO 27001 |
| Mercury Technologies, Inc. | San Francisco, CA, USA | Partner payment processing for ACH and wire transfers (revenue share disbursements). Processes partner financial data. | SOC 2 Type II |
| Cloudmersive, Inc. | Pleasanton, CA, USA | File security scanning for virus and malware detection. Per provider documentation, the scanning API is stateless and files are not stored or retained after the scanning transaction. | — |
| Inngest Inc. | San Francisco, CA, USA | Background job queue available for high-volume transactional and notification email delivery. Receives only an opaque job-reference id; recipient addresses and message bodies are stored first-party and are never transmitted to the queue. | SOC 2 Type II |
| Functional Software, Inc. (Sentry) | San Francisco, CA, USA | Application error monitoring. May capture limited diagnostic and error context; PII scrubbing applied before transmission. | SOC 2 Type II |
| Upstash, Inc. | San Francisco, CA, USA | Caching layer for derived, non-personal platform data. BizNerva uses this cache only for derived, non-personal data; TTL-based expiration applied. | SOC 2 Type II |
2Notification of changes
BizNerva will provide at least thirty (30) days' notice of any intended addition or replacement of a subprocessor by updating this page and emailing the Controller's registered email address. The Controller may object in writing within fourteen (14) days of receipt of such notice, as set out in Section 7 of the DPA.
3Questions or objections
For subprocessor-related questions or to exercise objection rights, contact privacy@biznerva.com.