Compliance

Sub-processors

Last updated: 2026-05-09

VaultCommand uses the third-party services listed below to deliver the platform. Each sub-processor is bound by a Data Processing Addendum (DPA) requiring confidentiality, security obligations, and processing limited to VaultCommand's instructions.

Core infrastructure

Always in use when you have a VaultCommand campaign.

Vercel Inc.

DPA →

Purpose · Application hosting, edge serving, deployment infrastructure for vaultcommand.com

Data · Request metadata, cookies, IP at edge, server logs

Region: United States (primary), global edge POPs

Supabase Inc.

DPA →

Purpose · Primary system of record: campaign orders, tasks, drafts, audit log, encrypted channel tokens

Data · Campaign content, contact email, business name + offer + audience details, encrypted OAuth tokens

Region: United States

Anthropic, PBC

DPA →

Purpose · Large-language-model inference for draft generation and Law & Precision revision

Data · Customer intake fields (business name, offer, audience, brand voice, restricted claims) and task title; never contact emails or audience email lists

Region: United States

Supermemory, Inc.

DPA →

Purpose · Per-tenant content memory for retrieval-augmented draft generation (helps later drafts stay consistent with earlier approved drafts in the same campaign)

Data · Approved draft titles + bodies, tenant identifier, task metadata; never contact emails or audience email lists

Region: United States

Stripe, Inc.

DPA →

Purpose · Payment processing for package purchases via Stripe Payment Links + webhooks

Data · Billing email, payment-card details (tokenized — VaultCommand never sees card numbers), purchase metadata

Region: United States

Resend

DPA →

Purpose · Transactional email: magic-link claim, purchase receipt, approved-schedule confirmation, daily campaign recap, payment-failed notice, audience-list email blasts for email-channel tasks

Data · Recipient email, message subject + body (including approved campaign drafts)

Region: United States

Upstash, Inc.

DPA →

Purpose · Distributed Redis for rate limiting, idempotency keys, magic-link single-use enforcement, and per-tenant LLM budget tracking

Data · Short-lived tokens (≤24h), counter increments, ephemeral keys — no campaign content

Region: United States

Customer-controlled (opt-in)

Only active when you explicitly connect a publishing channel at /integrations. Disconnect at any time to revoke access immediately.

LinkedIn Corporation

DPA →

Purpose · Auto-publishing approved drafts to the customer's connected LinkedIn account via the UGC API

Data · OAuth access token (encrypted at rest), approved post text the customer authorized

Region: United States

Reddit, Inc.

DPA →

Purpose · Auto-publishing approved drafts to the customer's connected Reddit account via the Data API

Data · OAuth access token (encrypted at rest), approved post text + target subreddit the customer authorized

Region: United States

X Corp. (Twitter)

DPA →

Purpose · Auto-publishing approved drafts to the customer's connected X account (when enabled — currently deferred)

Data · OAuth access token (encrypted at rest), approved post text the customer authorized

Region: United States

Notice of changes

Before adding a new sub-processor that will process customer data, we will update this page at least 30 days in advance and send an email to the contact address on each active order. If you object to a new sub-processor, contact us at support@cleargarment.com within the notice window and we'll work with you on remediation or refund.

Data we never share

  • Customer payment-card numbers — Stripe holds these directly; we never see or store them.
  • Customer audience email lists are sent only to Resend for the specific email-channel send.
  • OAuth tokens are encrypted at rest with industry-standard authenticated encryption and never transmitted to any third party other than the channel they authorize.
  • We do not sell customer data. We do not use customer campaign content to train any AI model.
