Subprocessors
Thabit engages a small set of carefully-vetted third-party service providers (“Subprocessors”) to help deliver the Services. This page lists the current Subprocessors, their purpose, the categories of data they process, and their location. We notify customers at least thirty (30) days before adding or replacing a Subprocessor.
Notification preferences. To receive email notifications when this list changes, email privacy@thabit.ai with the subject line “Subprocessor notifications” and the email address where you’d like to receive them.
Infrastructure scope. Not every Subprocessor processes every Customer’s data. For example, GovCloud customers route exclusively through AWS GovCloud and Amazon Bedrock (not Anthropic’s commercial API), and Enterprise customers may elect a self-hosted or regional deployment of certain Subprocessors. The DPA governs applicability for each customer.
Current Subprocessors
| Provider | Purpose | Data categories | Location | Since |
|---|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure for GovCloud tier (Phase 3+) | Customer Data, logs, backups | United States (us-east-1, us-gov-west-1, us-gov-east-1) | Planned Q3 2026 |
| Anthropic | AI inference (Claude model API) for AI-assisted features | Prompts (transient), no persistent storage | United States | April 2026 |
| Clerk | User authentication and session management | Email, name, session tokens | United States | Planned Q2 2026 |
| Cloudflare, Inc. | Object storage (R2), WAF, DDoS protection | Customer Data (package artifacts), request logs | United States | Planned Q2 2026 |
| PostHog | Product analytics (self-hosted option available for Enterprise) | Anonymized usage events, session metadata | United States / EU | Planned Q2 2026 |
| Sentry | Error tracking and performance monitoring | Error traces, redacted request context | United States | Planned Q2 2026 |
| Stripe | Payment processing and subscription management | Billing name, address, tax ID, payment card (stored by Stripe only) | United States | Planned Q2 2026 |
| Supabase | Managed PostgreSQL database, auth, and real-time subscriptions | Customer Data, account data, audit logs | United States (us-east-1) | Planned Q2 2026 |
| Vercel | Web application hosting and CDN | Request metadata, deployment logs | United States | April 2026 |
Excluded Subprocessors
Thabit does not use the following categories of third parties:
- Third-party advertising or retargeting networks;
- Third-party data brokers or enrichment services;
- AI model training providers (Customer Data is not used to train foundation models);
- Offshore support vendors.
Standard Contractual Protections
Each Subprocessor operates under a written agreement with Thabit requiring, at minimum:
- Processing only on documented instructions;
- Confidentiality commitments for personnel;
- Security measures consistent with the Thabit Security Overview;
- Breach notification within 72 hours of discovery;
- Cooperation with audit, data subject rights, and regulatory inquiries;
- Deletion or return of data on termination.
Changes to This List
Thabit will update this page prior to engaging a new Subprocessor or materially changing an existing engagement. For customers subscribed to change notifications, email notice will be sent at least thirty (30) days in advance. If you object to a proposed change, the termination rights in Section 5 of our DPA apply.