Subprocessors
Subprocessors
Effective Date: May 20, 2026 Last reviewed: May 20, 2026
This page lists every subprocessor that Stiward Holdings Inc. ("Stiward") engages to deliver the Services described in our Privacy Policy. Each subprocessor is contractually bound to:
- process personal data only for the purposes Stiward directs,
- maintain appropriate technical and organizational security measures, and
- comply with applicable data-protection laws (including, where relevant, the GDPR, UK GDPR, CCPA/CPRA, and the EU Standard Contractual Clauses).
For Stiward's direct individual users, this list is informative. For institutional customers under a Data Processing Agreement, this list is authoritative and material changes are notified with the lead time specified in that DPA.
Active subprocessors
| Subprocessor | Location | Data classes processed | Purpose | Transfer mechanism |
|---|---|---|---|---|
| --- | --- | --- | --- | --- |
| **Google Cloud Platform** (Cloud Run, Cloud SQL/Postgres, Cloud Tasks, Cloud Scheduler, Secret Manager, Cloud Logging, Cloud Storage) | United States | All Stiward data — at rest and in transit on Stiward infrastructure | Cloud infrastructure, encrypted-at-rest data store, queue processing, scheduled jobs, secret management, observability | SCCs + GCP Data Processing Addendum |
| **Firebase** (Google) — Authentication / Identity Platform | United States | Email, hashed credentials, MFA factors, sign-in events | Sign-in, identity verification, MFA (TOTP / SMS / recovery codes) | SCCs + Google Cloud DPA |
| **Anthropic** — Claude API | United States | Excerpts of Connector Data and Alfred prompts at inference time only; **zero-retention** of inputs and outputs | AI inference for Alfred chat and briefings | Anthropic Zero Data Retention enterprise agreement + DPA; no training on customer data |
| **OpenAI** — GPT API | United States | Excerpts of Connector Data and Alfred prompts at inference time only; **zero-retention** of inputs and outputs | AI inference for Alfred chat and briefings (when the user opts to use OpenAI as the model) | OpenAI Enterprise zero-retention agreement + DPA; no training on customer data |
| **Plaid** — Financial connectivity | United States | Item access tokens (held by Plaid, encrypted reference held by Stiward); account, transaction, balance, and liability data | Connecting bank and credit card accounts via Plaid Link; transaction and balance sync via `transactions/sync` | Plaid End User Privacy Policy + Plaid Data Processing Addendum |
| **Google APIs — Calendar** | United States | Calendar event metadata + bodies for calendars the user has granted | Calendar-event sync (read-only) and push notifications via `events.watch` | Google API Services User Data Policy, Limited Use; data is the user's own Google account data |
| **Google APIs — Gmail** | United States | Email threads, messages (headers + bodies), draft metadata for mailboxes the user has granted | Inbox sync via `users.history.list`; draft creation via `users.drafts.create`; push notifications via Pub/Sub. **Send is not used.** | Google API Services User Data Policy, Limited Use; restricted-scope verification required (`gmail.modify`) |
| **Stripe** | United States | Billing contact identity, payment-method tokens (full PAN never held by Stiward), subscription metadata | Subscription billing for paid Stiward tiers | Stripe Data Processing Addendum |
| **Resend** | United States | Email-address recipient, message content for transactional emails (briefings, alerts, service notices) | Transactional email delivery | Resend DPA + SCCs |
| **Vercel** | United States | IP addresses, request metadata; rendered HTML/JSON for the marketing site and admin web app — **no decrypted Connector Data and no Alfred conversation content traverse Vercel edge** | Hosting and edge serving of `stiward.com` (marketing, waitlist, blog, legal) and the Stiward admin web app | Vercel DPA + SCCs |
| **Sanity** | United States | Editor-authored content (blog posts, legal pages, marketing copy) and editor identities. **No end-user personal data, no Connector Data, no Alfred content is sent to Sanity.** | Headless CMS that serves blog and legal content rendered on `stiward.com` | Sanity DPA + SCCs |
| **Expo (Application Services)** | United States | Push tokens, push-message content | Push-notification delivery to the Stiward mobile app on iOS and Android | Expo Terms of Service + DPA |
| **Cloudflare** | United States | IP addresses, request metadata for `stiward.com` and `api.stiward.com` | DNS, CDN, DDoS protection, edge-level WAF | Cloudflare DPA + SCCs |
| **Sentry** | United States | Error events, stack traces, request URLs — **never** decrypted token material, decrypted Connector Data, or message bodies | Application error tracking | Sentry DPA + SCCs |
Connector flows are end-user-directed
Plaid and Google APIs are listed above as subprocessors because Stiward calls them on the user's behalf. The data they hand back, however, is the user's own data from the user's own accounts, accessed by the user's explicit consent through each provider's standard connect flow. Stiward stores that data on the user's behalf under the Privacy Policy; we do not purchase data from these providers.
Notification of changes
We may add, remove, or replace subprocessors as the Services evolve.
- For direct individual users: material changes are published here and at <https://stiward.com/legal/subprocessors> and, where required by applicable law, reflected in the next version of the Privacy Policy.
- For institutional customers under a DPA: Stiward gives at least thirty (30) days' written notice (or the period stated in the DPA, whichever is longer) before engaging a new subprocessor. Customers may object in writing within that notice period if they have a reasonable, lawful basis for doing so, in which case Section 6.3 of the DPA controls.
Subscribe to subprocessor updates
To be notified by email when this list changes, email legal@stiward.com with the subject line "Subprocessor notice subscription." Institutional customers under a DPA receive notifications automatically per their agreement.
Contact
For questions about a subprocessor or this list:
Stiward Holdings Inc. Legal: legal@stiward.com Privacy: privacy@stiward.com Website: stiward.com